Brocade Authorization against Cisco ACS 5.3

As I have continued my on the job training with Brocade I came across the fact that we were just using a simple username/password for login.  I decided to integrate it into our production Cisco ACS environment.  Unfortunately there wasn’t a document on doing this for version 5.3.  I had to amend the 4.x information from Brocade.  I figured I would document it here for anyone else that was interested.

I am making the assumption you are:

  1. comfortable with the CLI on Brocade
  2. that you know how to add RADIUS VSA attributes to the ACS server

I used two documents from Brocade to set this up.  The first was Chapter 5 of the FOS admin guide.  This was useful in setting up the Radius Server and setting up the auth parameters.  Namely Radius First, Local second only if the Radius server is not reachable.  Here are the important parts out of the FOS admin guide:

Adding a RADIUS or LDAP server to the switch configuration
1. Connect to the switch and log in using an account with admin permissions.

2. Enter the aaaConfig –add command.

Configuring local authentication as backup
It is useful to enable local authentication so that the switch can take over authentication locally if the RADIUS or LDAP servers fail to respond because of power outage or network problems. Example of enabling local authentication, enter the following command for RADIUS

switch:admin> aaaconfig –authspec “radius;local” –backup

The other document that I used was an ACS_FOS Doc from Brocade.  The important part out of that were the FOS attributes for Radius, so from this:

[User Defined Vendor]
Name=Brocade
IETF Code=1588

VSA 1=Brocade-Auth-Role
VSA 2=Brocade-AVPairs1
VSA 3=Brocade-AVPairs2
VSA 4=Brocade-AVPairs3
VSA 5=Brocade-AVPairs4
VSA 6=Brocade-Passwd-ExpiryDate
VSA 7=Brocade-Passwd-WarnPeriod

[Brocade-Auth-Role]
Type=STRING
Profile=OUT
[Brocade-AVPairs1]
Type=STRING
Profile=OUT
[Brocade-AVPairs2]
Type=STRING
Profile=OUT
[Brocade-AVPairs3]
Type=STRING
Profile=OUT
[Brocade-AVPairs4]
Type=STRING
Profile=OUT
[Brocade-Passwd-ExpiryDate]
Type=STRING
Profile=OUT
[Brocade-Passwd-WarnPeriod]
Type=INTEGER
Profile=OUT

I set up this:

The other part that was useful was this section on what to put in for the admin section:

Under “Brocade-Auth-Role” enter “admin” for administrator

This value is the pre-defined user roles in FOS. Examples are:

admin
basicswitchadmin
user
switchadmin
zoneadmin
operator
fabricadmin
securityadmin

Which on ACS gave me this:

Now based on the User that logins I can control what access they have into our Brocade environment. This also has the added benefit of allowing us to audit the users that are logging into Brocade so that I don’t have to worry about changes being made by unauthorized/authorized people. I hope this helps someone else and saves them from having to hunt around and find the information.

One thought on “Brocade Authorization against Cisco ACS 5.3

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.