Brocade Fabric OS Administrator's Guide - Supporting Fabric OS v7.0.1 (53-1002446-01, March 2012)

Fabric OS Administrator’s Guide 97
53-1002446-01
The authentication model using RADIUS and LDAP
5
9. Enter the saveEnv command to save the new password.
10. Reboot the standby CP blade by entering the reset command.
11. Connect to the active CP blade by serial or Telnet and enter the haEnable command to restore
high availability; then fail over the active CP blade by entering the haFailover command.
Traffic resumes flowing through the newly active CP blade after it has completed rebooting.
12. Connect the serial cable to the serial port on the new standby CP blade (previously the active
CP blade).
13. Repeat step 3 through step 10 for the new standby CP blade.
14. Connect to the active CP blade by serial or Telnet and enter the haEnable command to restore
high availability.
NOTE
To recover lost passwords refer to the Fabric OS Troubleshooting and Diagnostics Guide.
The authentication model using RADIUS and LDAP
Fabric OS supports the use of either the local user database and the remote authentication dial-in
user service (RADIUS) at the same time; or the local user database and lightweight directory
access protocol (LDAP) using Microsoft Active Directory in Windows at the same time. A switch can
be configured to try either RADIUS or LDAP and local switch authentication. The switch can also be
configured to use only RADIUS, only LDAP, or only local switch authentication.
When configured to use either RADIUS or LDAP, the switch acts as a network access server (NAS)
and RADIUS or LDAP client. The switch sends all authentication, authorization, and accounting
(AAA) service requests to the RADIUS or LDAP server. The RADIUS or LDAP server receives the
request, validates the request, and sends its response back to the switch.
The supported management access channels that integrate with RADIUS or LDAP include serial
port, Telnet, SSH, Web Tools, and API. All these require the switch IP address or name to connect.
RADIUS and LDAP servers accepts both IPv4 and IPv6 address formats. For accessing both the
active and standby CP, and for the purpose of HA failover, both CP IP addresses of a Backbone
should be included in the RADIUS or LDAP server configuration.
NOTE
For systems such as the Brocade DCX Backbone, the switch IP addresses are aliases of the physical
Ethernet interfaces on the CP blades. When specifying client IP addresses for the logical switches in
such systems, make sure the CP IP addresses are used.
When configured for RADIUS or LDAP, a switch becomes a RADIUS or LDAP client. In either of these
configurations, authentication records are stored in the RADIUS or LDAP host server database.
Login and logout account name, assigned permissions, and time-accounting records are also
stored on the RADIUS or LDAP server for each user.
By default, the RADIUS and LDAP services are disabled, so AAA services default to the switch’s
local database.
To enable RADIUS or LDAP service, it is strongly recommended that you access the CLI through an
SSH connection so that the shared secret is protected. Multiple login sessions can configure
simultaneously, and the last session to apply a change leaves its configuration in effect. After a
configuration is applied, it persists after a reboot or an HA failover.