Brocade Communications Systems 53-1001763-02 RSA RADIUS server

108 Fabric OS Administrator’s Guide

53-1001763-02

The authentication model using RADIUS and LDAP

IAS is the Microsoft implementation of a RADIUS server and proxy. IAS uses the Windows

native user database to verify user login credentials; it does not list specific users, but instead

lists user groups. Each user group should be associated with a specific switch login role. For

example, you should configure a user group for root, admin, factory, switchAdmin, and user,

and then add any users whose logins you want to associate to the appropriate group.

4. Configuring the server

For more information and instructions on configuring the server, refer to the Microsoft Web

site. Below is the information you will need to configure the RADIUS server for a Brocade

switch. A client is the device that uses the RADIUS server; in this case, it is the switch.

a. For the Add RADIUS Client window, provide the following:

Client address (IP or DNS)—Enter the IP address of the switch.

Client-Vendor—Select RADIUS Standard.

Shared secret—Provide a password. Shared secret is a password used between the client

device and server to prevent IP address spoofing by unwanted clients. Keep your shared

secret password in a safe place. You will need to enter this password in the switch

configuration.

After clicking Finish, add a new client for all switches on which RADIUS authentication will

be used.

b. In the Internet Authentication Service window, right-click the Remote Access Policies

folder; then select New Remote Access Policy from the pop-up window.

A remote access policy must be created for each Brocade login role (Root, Admin, Factory,

SwitchAdmin, and User) for which you want to use RADIUS. Apply this policy to the user

groups that you already created.

c. In the Vendor-Specific Attribute Information window, enter the vendor code value 1588.

Click the Yes. It conforms radio button and then click Configure Attribute.

d. In the Configure VSA (RFC compliant) window, enter the following values and click OK.

Vendor-assigned attribute number—Enter the value 1.

Attribute format—Enter String.

Attribute value—Enter the login role (Root, Admin, SwitchAdmin, User, etc.) the user group

must use to log in to the switch.

e. After returning to the Internet Authentication Service window, add additional policies for all

Brocade login types for which you want to use the RADIUS server. After this is done, you

can configure the switch.

RSA RADIUS server

Traditional password-based authentication methods are based on one-factor authentication, where

you confirm your identity using a memorized password. Two-factor authentication increases the

security by using a second factor to corroborate identification. The first factor is either a PIN or

password and the second factor is the RSA SecurID token.

RSA SecurID with an RSA RADIUS server is used for user authentication. The Brocade switch does

not communicate directly with the RSA Authentication Manager, so the RSA RADIUS server is used

in conjunction with the switch to facilitate communication.

To learn more about how RSA SecurID works, visit www.rsa.com for more information.