HP Brocade BladeSystem 4/12 HP StorageWorks Fabric OS 6.1.1 administrator guide - Page 75
To add the Brocade attribute to the server:

1. Create and save the file $PREFIX/etc/raddb/dictionary.brocade with the following information:

    #
    # Brocade FabricOS 5.0.1 dictionary
    #
    VENDOR Brocade 1588
    #
    # attribute 1 defined to be Brocade-Auth-Role
    # string defined in user configuration
    #
    ATTRIBUTE Brocade-Auth-Role 1 string Brocade

   This defines the Brocade vendor ID as 1588, the Brocade attribute 1 as Brocade-Auth-Role, and it is a string value.

2. Open the file $PREFIX/etc/raddb/dictionary in a text editor and add the line:

    $INCLUDE dictionary.brocade

   As a result, the file dictionary.brocade is located in the RADIUS configuration directory and loaded for use by the RADIUS server.

To create the user:

• Open the $PREFIX/etc/raddb/user file in a text editor and add user names and roles for users who will be accessing the switch and authenticating RADIUS.

  The user will log in using the role specified with Brocade-Auth-Role. The valid roles include Root, Admin, SwitchAdmin, ZoneAdmin, SecurityAdmin, BasicSwitchAdmin, FabricAdmin, Operator and User. You must use quotation marks around "password" and "role".

  For example, to set up an account called JohnDoe with the Admin role:

    JohnDoe Auth-Type := Local, User-Password == "johnPassword"
            Brocade-Auth-Role = "admin"

  The next example uses the local system password file to authenticate users.

    JohnDoe Auth-Type := System,
            Brocade-Auth-Role = "admin"

  When you use Network Information Service (NIS) for authentication, the only way to enable authentication with the password file is to force the switch to authenticate using Password Authentication Protocol (PAP); this requires the -a pap option with the aaaConfig command.

Clients are the switches that will use the RADIUS server; each client must be defined. By default, all IP addresses are blocked.

4/256 SAN Director and DC SAN Backbone Director (short name, DC Director) models send their RADIUS requests using the IP address of the active CP.
When adding clients, add both the active and standby CP IP addresses so that, in the event of a failover, users can still log in to the switch.

To enable clients:

1. Open the $PREFIX/etc/raddb/client.config file in a text editor and add the switches that are to be configured as RADIUS clients.

   For example, to configure the switch at IP address 10.32.170.59 as a client:

    client 10.32.170.59
        secret = Secret
        shortname = Testing Switch
        nastype = other

   In this example, shortname is an alias used to easily identify the client and secret is the shared secret between the client and server. Make sure the shared secret matches that configured on the switch (see "To add a RADIUS server to the switch configuration:" on page 81).
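
The rules given above for entries in the user file (quoted password and role, role taken from the listed set) can be checked before the RADIUS server is reloaded. The following audit script is an added example, not part of the HP guide or of FreeRADIUS; the function names, the sample accounts other than JohnDoe, and the case-insensitive role comparison are assumptions.

```python
import re

# Roles listed in the guide, compared case-insensitively (assumption: the
# guide lists "Admin" while its own example assigns "admin").
VALID_ROLES = {"root", "admin", "switchadmin", "zoneadmin", "securityadmin",
               "basicswitchadmin", "fabricadmin", "operator", "user"}
ITEM = re.compile(r'([\w-]+)\s*(:=|==|=)\s*("[^"]*"|[^,\s]+)')  # attr op value

def parse_entries(text):
    """Split user-file text into (name, {attribute: raw_value}) entries."""
    entries = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if not line[0].isspace():          # unindented line starts an entry
            entries.append((line.split()[0], {}))
        if entries:                        # collect items on this line
            entries[-1][1].update((a, v) for a, _op, v in ITEM.findall(line))
    return entries

def audit(text):
    """Return (user, problem) findings for Brocade role assignments."""
    findings = []
    for name, attrs in parse_entries(text):
        role = attrs.get("Brocade-Auth-Role")
        if role is None:
            findings.append((name, "no Brocade-Auth-Role"))
            continue
        if not role.startswith('"'):
            findings.append((name, "role not quoted"))
        if role.strip('"').lower() not in VALID_ROLES:
            findings.append((name, "unknown role " + role))
        pw = attrs.get("User-Password")
        if pw is not None and not pw.startswith('"'):
            findings.append((name, "password not quoted"))
    return findings

# Constructed sample input, modelled on the guide's JohnDoe entry.
SAMPLE = '''\
JohnDoe Auth-Type := Local, User-Password == "johnPassword"
        Brocade-Auth-Role = "admin"
JaneRoe Auth-Type := System,
        Brocade-Auth-Role = ZoneAdmin
BobBad Auth-Type := Local, User-Password == "x"
        Brocade-Auth-Role = "superuser"
NoRole Auth-Type := System
'''
if __name__ == "__main__":
    print(*audit(SAMPLE), sep="\n")
```
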