Brocade Communications Systems 2.1 manual Security, TACACS+ service in a mixed vendor environment

Models: 2.1

Chapter 8, Security

switch# firmware download usb directory firmware\NOS_v2.1.1

5. Optional: Unmount the USB storage device.

switch# usb off

Trying to disable USB device. Please wait...

USB storage disabled.

Add the following section after “TACACS+ server parameters” on page 86. This update only applies to Network OS v2.1.1b or higher:

TACACS+ service in a mixed vendor environment

Network OS v2.1.x supports Terminal Access Controller Access-Control System Plus (TACACS+) Authentication, Authorization and Accounting (AAA) services in multi-vendor environments.

Network OS v2.1.x uses Role-Based Access Control (RBAC) to authorize access to system objects by authenticated users. In AAA environments you may need to configure authorization across Brocade and non-Brocade platforms. You can use TACACS+ to provide centralized AAA services to multiple Network Access Servers (NAS) or clients.

Configuring optional arguments in tac_plus

In Network OS v2.1.1b, the Attribute-Value Pair (AVP) argument can be optional or mandatory, and is requested explicitly by the device running Network OS. In Network OS v2.1.1b, configure the argument as optional, as in the example below (the asterisk separator marks the argument as optional; an equals sign would mark it as mandatory):

brcd-role*admin

To further enhance compatibility and interoperability with multiple TACACS+ services, the Network OS device sends the optional argument ‘brcd-role’ in the authorization request to the TACACS+ service. Most TACACS+ servers are coded so that, if the NAS sends an argument (mandatory or optional) in the authorization request, the service returns the same argument in the response. Because brcd-role is configured as an optional argument, it is sent in the authorization request, and Network OS users are therefore able to authorize successfully with all TACACS+ services in a mixed vendor environment.

The open source TACACS+ server ‘tac_plus’ is hosted on http://www.shrubbery.net and is based on the original Cisco TACACS+ server. In the example below, the mandatory attribute priv-lvl=15 is set to allow Cisco devices to authenticate, and the optional brcd-role = admin argument allows a VDX switch running Network OS v2.1.1b to authenticate.

NOTE

As tac_plus does not send optional arguments by default, optional arguments are only supported by Network OS v2.1.1b or higher.

To configure tac_plus with the optional attribute-value pair for NOS, add these values to the tac_plus.conf file (the closing brace of the user block, missing in the original listing, is included here):

user = <username> {
    default service = permit
    service = exec {
        priv-lvl=15
        optional brcd-role = admin
    }
}
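The following added example is not from the Brocade manual or from tac_plus; it models, in Python, the TACACS+ argument syntax the section relies on (“attr=value” is mandatory, “attr*value” is optional) and the client-side rule from RFC 8907 that a reply carrying an unknown mandatory argument fails authorization while an unknown optional argument is ignored. The request and reply argument lists are constructed for illustration; the function names are this example's own.

```python
from dataclasses import dataclass
from typing import Dict, Iterable, Tuple

# A TACACS+ authorization argument is "attr=value" (mandatory) or
# "attr*value" (optional); the separator is the first '=' or '*' in
# the string, so values may themselves contain either character.


@dataclass(frozen=True)
class AVPair:
    attr: str
    value: str
    mandatory: bool


def parse_avp(arg: str) -> AVPair:
    """Split one AV-pair on its first '=' (mandatory) or '*' (optional)."""
    for i, ch in enumerate(arg):
        if ch in "=*":
            return AVPair(arg[:i], arg[i + 1:], mandatory=(ch == "="))
    raise ValueError(f"not a TACACS+ AV-pair: {arg!r}")


def apply_author_reply(request: Iterable[str], reply: Iterable[str],
                       understood: Iterable[str]) -> Tuple[bool, Dict[str, str]]:
    """Client-side handling of an authorization reply (RFC 8907 style rules).

    'understood' lists the attributes this NAS knows beyond those it sent.
    Returns (authorized, effective attributes). A mandatory attribute in the
    reply that the client does not understand fails the whole authorization;
    an optional one it does not understand is silently dropped. Values from
    the reply replace the values the client proposed in its request.
    """
    request_pairs = [parse_avp(a) for a in request]
    known = set(understood) | {p.attr for p in request_pairs}
    effective: Dict[str, str] = {p.attr: p.value for p in request_pairs}
    for raw in reply:
        p = parse_avp(raw)
        if p.attr not in known:
            if p.mandatory:
                return False, {}   # unknown mandatory attribute: deny
            continue               # unknown optional attribute: ignore
        effective[p.attr] = p.value
    return True, effective


if __name__ == "__main__":
    # Constructed exchange: NOS device asks for brcd-role optionally, and the
    # tac_plus config above returns it together with the mandatory priv-lvl.
    print(apply_author_reply(["brcd-role*admin"],
                             ["brcd-role*admin", "priv-lvl=15"], ["priv-lvl"]))
```

Running the same reply through a client that does not know brcd-role shows why the optional form matters: “brcd-role*admin” is dropped and the session is still authorized, whereas “brcd-role=admin” would deny it.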

Network OS Documentation Update

53-1002606-06