HP StorageWorks 8/80 HP StorageWorks Fabric OS 6.2 administrator guide (5697-0 - Page 85

2. Enter the following command: switch:admin> aaaConfig --authspec ["radius" | "ldap" | "radius;local" | "ldap;local" --backup] Fabric OS user accounts RADIUS and LDAP servers allow you to set up user accounts by their true network-wide identity rather than by the account names created on a Fabric OS switch. With each account name, assign the appropriate switch access roles. For LDAP servers, you can use the ldapCfg --maprole to map an LDAP server role to one of the default roles available on a switch. RADIUS and LDAP support all the defined RBAC roles described in Table 8 on page 68. Users must enter their assigned RADIUS or LDAP account name and password when logging in to a switch that has been configured with RADIUS or LDAP. After the RADIUS or LDAP server authenticates a user, it responds with the assigned switch role in a B-Series Vendor-Specific Attribute (VSA). If the response does not have a VSA role assignment, the User role is assigned. If no Administrative Domain is assigned, the user is assigned to the default Admin Domain AD0. You can set a user password expiration date and add a warning for RADIUS login. The password expiration date must be specified in UTC and in MM/DD/YYYY format. The password warning value specifies the number of days prior to the password expiration that a warning of password expiration notifies the user. You either specify both attributes or none. If you specify a single attribute or there is a syntax error in the attributes, the password expiration warning will not be displayed. If your RADIUS server maintains its own password expiration attributes, you must set the exact date twice to use this feature, once on your RADIUS server and once in the VSA attribute. If the dates do not match, the RADIUS server authentication fails. The syntax used for assigning VSA-based account switch roles on a RADIUS server is described in Table 14. Table 14 Syntax for VSA-based account roles Item Value Description Type 26 1 octet Length 7 or higher 1 octet, calculated by the server Vendor ID Vendor type 1588 1 4 octets, Brocade's SMI Private Enterprise Code 1 octet, Brocade-Auth-Role; valid attributes for the Brocade-Auth-Role are: Admin BasicSwitchAdmin FabricAdmin Operator SecurityAdmin SwitchAdmin User ZoneAdmin 2 Optional: Specifies the Admin Domain or Virtual Fabric member list. For more information on Admin Domains or Virtual Fabrics, see "RADIUS configuration with Admin Domains or Virtual Fabrics" on page 87. Brocade-AVPairs1 3 Brocade-AVPairs2 4 Brocade-AVPairs3 5 Brocade-AVPairs4 6 Brocade Password ExpiryDate 7 Brocade Password ExpiryWarning Fabric OS 6.2 administrator guide 85