As I have continued my on the job training with Brocade I came across the fact that we were just using a simple username/password for login. I decided to integrate it into our production Cisco ACS environment. Unfortunately there wasn’t a document on doing this for version 5.3. I had to amend the 4.x information from Brocade. I figured I would document it here for anyone else that was interested.
I am making the assumption you are:
- comfortable with the CLI on Brocade
- that you know how to add RADIUS VSA attributes to the ACS server
I used two documents from Brocade to set this up. The first was Chapter 5 of the FOS admin guide. This was useful in setting up the Radius Server and setting up the auth parameters. Namely Radius First, Local second only if the Radius server is not reachable. Here are the important parts out of the FOS admin guide:
Adding a RADIUS or LDAP server to the switch configuration
1. Connect to the switch and log in using an account with admin permissions.
2. Enter the aaaConfig –add command.
Configuring local authentication as backup
It is useful to enable local authentication so that the switch can take over authentication locally if the RADIUS or LDAP servers fail to respond because of power outage or network problems. Example of enabling local authentication, enter the following command for RADIUS
switch:admin> aaaconfig –authspec “radius;local” –backup
The other document that I used was an ACS_FOS Doc from Brocade. The important part out of that were the FOS attributes for Radius, so from this:
[User Defined Vendor]
VSA 1=Brocade-Auth-Role VSA 2=Brocade-AVPairs1 VSA 3=Brocade-AVPairs2 VSA 4=Brocade-AVPairs3 VSA 5=Brocade-AVPairs4 VSA 6=Brocade-Passwd-ExpiryDate VSA 7=Brocade-Passwd-WarnPeriod
I set up this:
The other part that was useful was this section on what to put in for the admin section:
Under “Brocade-Auth-Role” enter “admin” for administrator
This value is the pre-defined user roles in FOS. Examples are:
Which on ACS gave me this:
Now based on the User that logins I can control what access they have into our Brocade environment. This also has the added benefit of allowing us to audit the users that are logging into Brocade so that I don’t have to worry about changes being made by unauthorized/authorized people. I hope this helps someone else and saves them from having to hunt around and find the information.