Brocade Communications Systems IP250 AAA Settings tab, Configuring Radius server authentication

12 AAA Settings tab

AAA Settings tab

Authentication enables you to configure an authentication server and establish authentication policies. You can configure the Management application to authenticate users against the local database (Management application server), an external server (RADIUS, LDAP, CAC or TACACS+), or a switch. Authentication is configured to the local database by default. When you use an external server, the Management application sends the login information to the external server to make sure the name and password are valid.

If you configure primary authentication to an external or switch authentication, you can also configure secondary authentication to the local server. When you log in to the Management application, if the primary server is unavailable, the Management application attempts with the next configured primary server. If all primary servers are unavailable, then the Management application falls back to the secondary authentication. Fall back can occur when the server is unavailable, authentication fails, or the user is not found.

Configuring Radius server authentication

If you are using a Radius server for authentication, make the following preparations first:

•Make sure that the server you want to use is on the network that the Management application manages.

•Make sure that the external server and its user accounts have been properly configured. For example, you must define roles and areas of responsibility (AOR) in the external server to match the Management application roles and AOR.

•Select an Authentication Type (you will be prompted to provide a type in the Add or Edit Radius Server dialog box). The Authentication Type is the authentication policy you choose for handling authentication. The options are PAP and CHAP.

-PAP, password protected protocol, is based on password verification. Passwords are not encrypted, and are not secure from eavesdroppers during transmission.

-CHAP, challenge handshake protocol, uses a three-way handshake method of verification based on a shared secret. If you are using CHAP, have the shared secret available to you. You will need to type it in as a configuration parameter.

•Know the Shared Secret.

•Have the IP address of the server available.

•Know the TCP port you are using and make sure it is open in the firewall. For Radius servers, ports 1812 or 1813 (actually UDP ports) are commonly used. Some older Radius server use 1645 or 1646 instead of 1812 and 1813; check with the Radius server vendor if you are not sure which port to specify.

•Know how long you want to wait between attempts to reach the server if it is busy. This is expressed as a timeout value (default is 3 seconds) in seconds. Values are between 1 and 15.

•Determine how many attempts (default is 3 times) to make to reach the server before stopping and assuming it is unreachable. Values are between 1 and 5.

•If possible, establish an active connection with the Radius server before configuration. This enables you to test the connection as part of the configuration procedure.

1.Select the AAA Settings tab.

2.Select Radius Server from the Primary Authentication list.