Brocade Fabric OS Administrator's Guide - Supporting Fabric OS v7.0.1 (53-1002446-01, March 2012)
102 Fabric OS Administrator’s Guide
53-1002446-01
The authentication model using RADIUS and LDAP
5
RADIUS configuration with Admin Domains or Virtual Fabrics
When configuring users with Admin Domains or Virtual Fabrics, you must also include the Admin
Domain or Virtual Fabric member list. This section describes the way that you configure attribute
types for this configuration.
The values for the new attribute types use the syntax key=val[;key=val], where key is a text
description of attributes, value is the attribute value for the given key, the equal sign (=) is the
separator between key and value, and the semi-colon (;) is an optional separator for multiple
key-value pairs.
Multiple key-value pairs can appear for one Vendor-Type code. Key-value pairs with the same key
name may be concatenated across multiple Vendor-Type codes. You can use any combination of
the Vendor-Type codes to specify key-value pairs. Note that a switch always parses these attributes
from Vendor-Type code 2 to Vendor-Type code 4.
Only four kinds of keys are accepted; all other keys are ignored. The following keys are accepted:
• HomeAD is the designated home Admin Domain for the account. The valid range of values is
from 0 to 255. The first valid HomeAD key-value pair is accepted by the switch, and any
additional HomeAD key-value pairs are ignored.
• ADList is a comma-separated list of Administrative Domain numbers to which this account is a
member. Valid numbers range from 0 to 255. A dash between two numbers specifies a range.
Multiple ADlist key-value pairs within the same or across the different Vendor-Type codes are
concatenated. Multiple occurrences of the same Admin Domain number are ignored.
• HomeLF is the designated home Virtual Fabric for the account. The valid values are between 1
to 128 and chassis context. The first valid HomeLF key-value pair is accepted by the switch,
additional HomeLF key-value pairs are ignored.
• LFRoleList is a comma-separated list of Virtual Fabric ID numbers to which this account is a
member. Valid numbers range from 1 to 128. A dash between two numbers specifies a range.
Multiple Virtual Fabric list key-value pairs within the same or across different Vendor-Type
codes are concatenated. Multiple occurrences of the same Virtual Fabric ID number are
ignored.
RADIUS authentication requires that the account have valid permissions through the attribute type
Brocade-Auth-Role. The additional attribute values ADList, HomeAD, HomeLF, and LFRoleList are
optional. If they are unspecified, the account can log in with AD0 as its member list and home
Admin Domain or VF128 as its member list and home Virtual Fabric. If there is an error in the
ADlist, HomeAD, LFRoleList, or HomeLF specification, the account cannot log in until the AD list or
Virtual Fabric list is corrected; an error message is displayed.
For example, on a Linux FreeRadius Server, the user (user-za) with the following settings takes the
“zoneAdmin” permissions, with AD member list: 1, 2, 4, 5, 6, 7, 8, 9, 12; the Home Admin Domain
will be 1.
user-za Auth-Type := Local, User-Password == "password"
Brocade-Auth-Role = "ZoneAdmin",
Brocade-AVPairs1 = "ADList=1,2,6,"
Brocade-AVPairs2 = "ADList=4-8;ADList=7,9,12"
In the next example, on a Linux FreeRadius Server, the user has the “operator” permissions, with
ADList 1, 2, 4, 5, 6, 7, 8, 9, 12, 20 and HomeAD 2.
user-opr Auth-Type := Local, User-Password == "password"
Brocade-Auth-Role = "operator",
Brocade-AVPairs1 = "ADList=1,2;HomeAD=2",
Brocade-AVPairs2 = "ADList=-4-8,20;ADList=7,9,12"