Fabric OS Administrator’s Guide 101
53-1001763-02
The authentication model using RADIUS and LDAP 5

Setting the switch authentication mode

1. Connect to the switch and log in using an account assigned to the admin role.
2. Enter the aaaConfig --authspec command.

Fabric OS user accounts

RADIUS and LDAP servers allow you to set up user accounts by their true network-wide identity
rather than by the account names created on a Fabric OS switch. With each account name, assign
the appropriate switch access roles. For LDAP servers, you can use the ldapCfg --maprole
<ldap_role name> <switch_role> command to map an LDAP server role to one of the default roles
available on a switch.

RADIUS and LDAP support all the defined RBAC roles described in Table 10 on page 84.

Users must enter their assigned RADIUS or LDAP account name and password when logging in to a
switch that has been configured with RADIUS or LDAP. After the RADIUS or LDAP server
authenticates a user, it responds with the assigned switch role in a Brocade Vendor-Specific
Attribute (VSA). If the response does not have a VSA role assignment, the User role is assigned. If
no Administrative Domain is assigned, then the user is assigned to the default Admin Domain AD0.

TABLE 15 Authentication configuration options (Continued)

| aaaConfig options | Description | Equivalent setting in Fabric OS v5.1.0 and earlier: --radius | Equivalent setting in Fabric OS v5.1.0 and earlier: --switchdb (see note 1) |
|---|---|---|---|
| --authspec "radius;local" --backup | Authenticates management connections against any RADIUS databases. If RADIUS fails because the service is not available, it then authenticates against the local user database. The --backup option directs the service to try the secondary authentication database only if the primary authentication database is not available. | On | On |
| --authspec "ldap" | Authenticates management connections against any LDAP databases only. If LDAP service is not available or the credentials do not match, the login fails. | n/a | n/a |
| --authspec "ldap; local" | Authenticates management connections against any LDAP databases first. If LDAP fails for any reason, it then authenticates against the local user database. | n/a | On |
| --authspec "ldap; local" --backup | Authenticates management connections against any LDAP databases first. If LDAP fails for any reason, it then authenticates against the local user database. The --backup option states to try the secondary authentication database only if the primary authentication database is not available. | n/a | On |

1. Fabric OS v5.1.0 and earlier aaaConfig --switchdb <on | off> setting.
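
The fallback rules in Table 15 and the VSA defaults described under "Fabric OS user accounts", modelled as a short Python function so the effect of --backup on the local user database can be checked row by row. This is an added example, not Brocade code: the names login, Primary, Session and local_login_after_reject are hypothetical, and for rows that carry --backup it assumes the --backup sentence governs (the local database is tried only when the primary service is unavailable).

```python
from enum import Enum
from typing import NamedTuple, Optional

class Primary(Enum):
    ACCEPT = 1       # server reachable, credentials match
    REJECT = 2       # server reachable, credentials do not match
    UNAVAILABLE = 3  # RADIUS/LDAP service not available

class Session(NamedTuple):
    source: str                  # database that authenticated the login
    role: Optional[str]          # None: taken from the local account (not modelled)
    admin_domain: Optional[str]

def login(authspec: str, backup: bool, primary: Primary, local_ok: bool,
          vsa_role: Optional[str] = None,
          vsa_ad: Optional[str] = None) -> Optional[Session]:
    """Model one management login; returns None when the login fails."""
    sources = [s.strip() for s in authspec.split(";")]
    if sources[0] not in ("radius", "ldap") or sources[1:] not in ([], ["local"]):
        raise ValueError(f"authspec not covered by this model: {authspec!r}")
    if primary is Primary.ACCEPT:
        # Missing VSA role -> User role; missing Admin Domain -> AD0.
        return Session(sources[0], vsa_role or "User", vsa_ad or "AD0")
    if len(sources) == 1:
        return None              # "ldap": no secondary database
    if backup and primary is Primary.REJECT:
        return None              # --backup: secondary only if primary is unavailable
    return Session("local", None, None) if local_ok else None

def local_login_after_reject(authspec: str, backup: bool) -> bool:
    """True if valid local credentials still log in after the server rejects them."""
    return login(authspec, backup, Primary.REJECT, local_ok=True) is not None

# The four rows of the table above (constructed inputs).
ROWS = [("radius;local", True), ("ldap", False),
        ("ldap; local", False), ("ldap; local", True)]

if __name__ == "__main__":
    for spec, backup in ROWS:
        print(f"{spec!r:16} backup={backup!s:5} "
              f"local reachable after reject: {local_login_after_reject(spec, backup)}")
```

Only the "ldap; local" row without --backup keeps the local user database reachable after the directory server has rejected the credentials, which is the case to review when local accounts are meant to be break-glass only.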