I'm attempting to use an ACS 4.2 appliance to authenticate / authorize users on Brocade SAN switches. I have added the AVP and VSA to ACS, and they all show up in the web interface to select. When I configure a specific attribute for authorization level (i.e., admin, user, operator, etc.), the authentication fails completely. A sniffer trace between the Brocade and the ACS shows the correct value for the AVP, but the VSA shows "unknown-attribute" coming back from the ACS. The attribute shows the actual value I put in for the attribute, plus some other junk. Is there any way to "dump" the current AVPs / VSAs on the ACS to make sure things are correct? I've verified all the values are correct; I just need some more eyes / ears.
Are we completely certain that we have the correct VSA attribute values? I have seen some cases where, if the VSA value (not the attribute string) is not the one the Brocade device knows, it will fail. Are the values matching these:
[User Defined Vendor]
Also, a quick question: did you reboot the appliance after importing those VSAs?
The Brocade info states that it should be a string, and not an integer. As well, I'm having to do this through RDBMS, as this is an appliance. That being the case, I'm not sure how I'd format the CSV file for integer values (I'd have to look that one up). I'm willing to try anything at this point, as I'm a little confused as to why it's rejecting the value.
You are actually right about the string part; it has to be a string. I gather you are using RDBMS; this was just an example that I got from a previous issue of mine with an ini file. What I needed you to look at was the actual VSA value. Take a look at this PDF. Did you also reboot the appliance?
The value for the VSA in the CSV file is "1" (no quotes). I had also rebooted it as well. I had gotten the same info that you have in the PDF; I believe it comes from the Brocade FabricOS manual.
The CSV file that you created has the same information in the same fields as what I had created. The only difference that I can see is that I created the AVP in one file, with a restart (action 355) at the end, then used a second file to create the VSA, with a restart at the end. Does that method make a difference?
You have several "Brocade-AVPairs" values there; as per my understanding, these values should be entered manually via a string like Operator and so on, so I don't see why these should be there. As for the other roles, those are all OK.
I had originally started with just the AVP and the one VSA for Auth-Role, and could not get it to work. I then added the other AVPairs, figuring those were needed. Once I found the stuff in the sniffer trace, I removed the AVP (also removing the VSAs) and redid the AVP with one VSA, and it still does the same thing. The way the trace shows it, the traffic coming from the ACS to the Brocade states "unknown-attribute"; that's why I thought the ACS server is putting out something unusual. Can I post the cap?
I see what you are saying. Just a little thought: I see that the string shows "Ad min", as if there was a space there. Can you post a screenshot of the values that ACS has?
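One way to verify what the Access-Accept actually carries, instead of relying on the sniffer's attribute naming, is to decode the Vendor-Specific attribute (type 26) by hand and flag stray whitespace or non-printable bytes in the role string. This is an added example, not code from any poster or from ACS; the vendor id 1588 and vendor type 1 used for the sample packets are assumptions, and the packets are constructed for offline testing.

```python
import struct

RADIUS_HDR_LEN = 20   # code, id, length, 16-byte authenticator
VENDOR_SPECIFIC = 26  # RFC 2865 attribute type that carries VSAs

def parse_attributes(packet: bytes):
    """Walk the RFC 2865 type/length/value attributes after the header."""
    attrs, pos = [], RADIUS_HDR_LEN
    while pos < len(packet):
        if pos + 2 > len(packet):
            raise ValueError(f"truncated attribute header at offset {pos}")
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > len(packet):
            raise ValueError(f"bad attribute length {alen} at offset {pos}")
        attrs.append((atype, packet[pos + 2:pos + alen]))
        pos += alen
    return attrs

def decode_vsa(value: bytes):
    """Split attribute 26 into (vendor_id, vendor_type, data) triples."""
    if len(value) < 6:
        raise ValueError("VSA shorter than vendor id plus one sub-attribute")
    vendor_id = struct.unpack("!I", value[:4])[0]
    subs, pos = [], 4
    while pos < len(value):
        vtype, vlen = value[pos], value[pos + 1]
        if vlen < 2 or pos + vlen > len(value):
            raise ValueError(f"bad vendor sub-attribute length {vlen}")
        subs.append((vendor_id, vtype, value[pos + 2:pos + vlen]))
        pos += vlen
    return subs

def check_role_vsa(packet: bytes, vendor_id: int, vendor_type: int):
    """Return (role, problems): the decoded role string plus any oddities found."""
    problems = []
    for atype, val in parse_attributes(packet):
        if atype != VENDOR_SPECIFIC:
            continue
        for vid, vtype, data in decode_vsa(val):
            if (vid, vtype) != (vendor_id, vendor_type):
                problems.append(f"unexpected VSA vendor {vid} type {vtype}")
                continue
            role = data.decode("ascii", errors="replace")
            if " " in role or role != role.strip():
                problems.append(f"whitespace inside role value {role!r}")
            if any(ord(c) < 0x20 or ord(c) > 0x7E for c in role):
                problems.append(f"non-printable bytes in role value {data!r}")
            return role, problems
    return None, problems + ["no matching VSA in Access-Accept"]

def build_access_accept(vsas):
    """Constructed sample Access-Accept (code 2, zero authenticator) for testing."""
    body = b"".join(bytes([VENDOR_SPECIFIC, 8 + len(d)]) + struct.pack("!I", vid)
                    + bytes([vt, 2 + len(d)]) + d for vid, vt, d in vsas)
    return bytes([2, 1]) + struct.pack("!H", RADIUS_HDR_LEN + len(body)) + b"\x00" * 16 + body

VENDOR_ID, AUTH_ROLE = 1588, 1  # assumed Brocade enterprise number and Auth-Role type
GOOD = build_access_accept([(VENDOR_ID, AUTH_ROLE, b"admin")])
BAD = build_access_accept([(VENDOR_ID, AUTH_ROLE, b"Ad min\x00")])  # space and trailing NUL
```

Running `check_role_vsa` over bytes copied from a capture shows whether the value the switch sees is a clean role string or one padded with the "junk" described above.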
I have the same issue. Has your problem been resolved? If yes, can you please share what needs to be changed to make this work?
Appreciate your help.
No sir. I just went back to using local admin on the Brocade switches. I could not get ACS to work. It seemed like it was not getting the correct login information, etc. Neither Brocade nor Cisco would own up to it, so I just went back to local users.