Brocade Fabric OS Administrator's Guide - Supporting Fabric OS v7.0.1 (53-1002446-01, March 2012)
The authentication model using RADIUS and LDAP
Enabling clients
Clients are the switches that will use the RADIUS server; each client must be defined. By default, all
IP addresses are blocked.
The Brocade Backbones send their RADIUS requests using the IP address of the active CP. When
adding clients, add both the active and standby CP IP addresses so that, in the event of a failover,
users can still log in to the switch.
1. Open the $PREFIX/etc/raddb/client.config file in a text editor and add the switches that are to
be configured as RADIUS clients.
For example, to configure the switch at IP address 10.32.170.59 as a client:
    client 10.32.170.59 {
        secret = Secret
        shortname = Testing Switch
        nastype = other
    }
In this example, shortname is an alias used to easily identify the client. Secret is the shared
secret between the client and server. Make sure the shared secret matches that configured on
the switch (see “Adding a RADIUS or LDAP server to the switch configuration” on page 112).
2. Save the file $PREFIX/etc/raddb/client.config, then start the RADIUS server as follows:
    $PREFIX/sbin/radiusd
Configuring RADIUS server support with Windows 2000
The instructions for setting up RADIUS on a Windows 2000 server are listed here for your
convenience but are not guaranteed to be accurate for your network environment. Always check
with your system administrator before proceeding with setup.
NOTE
All instructions involving Microsoft Windows 2000 can be obtained from www.microsoft.com or your
Microsoft documentation. Confer with your system or network administrator prior to configuration
for any special needs your network environment may have.
Configuring RADIUS service on Windows 2000 consists of the following steps:
1. Installing Internet Authentication Service (IAS)
For more information and instructions on installing IAS, refer to the Microsoft website.
2. Enabling the Challenge Handshake Authentication Protocol (CHAP)
If CHAP authentication is required, then Windows must be configured to store passwords with
reversible encryption. Reversible password encryption is not the default behavior; it must be
enabled.
NOTE
If a user is configured prior to enabling reversible password encryption, then the user’s
password is stored in a form that cannot be used with CHAP. To use CHAP, the password must be
re-entered after reversible encryption is enabled. If the password is not re-entered, then CHAP
authentication will not work and the user will be unable to authenticate from the switch.
Alternatives to using CHAP are Password Authentication Protocol (PAP) or PEAP-MS-CHAP-v2.
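Why CHAP needs reversibly stored passwords while PAP does not, shown as an added Python example that is not part of the Brocade guide or of Microsoft's documentation. It implements the CHAP response from RFC 1994 and the PAP User-Password hiding from RFC 2865. The password, salt, challenge and authenticator are constructed sample values, and PBKDF2 stands in (as an assumption) for whatever one-way format the server keeps when reversible storage is off.

```python
import hashlib
import hmac

def chap_response(chap_id: int, password: bytes, challenge: bytes) -> bytes:
    """RFC 1994 CHAP: MD5 over the identifier, the cleartext password, the challenge."""
    return hashlib.md5(bytes([chap_id]) + password + challenge).digest()

def verify_chap(cleartext: bytes, chap_id: int, challenge: bytes, response: bytes) -> bool:
    """The server can recompute the response only if it holds the cleartext password."""
    return hmac.compare_digest(chap_response(chap_id, cleartext, challenge), response)

def pap_hide(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 section 5.2: XOR each 16-octet block with MD5(secret + previous block)."""
    size = max(1, -(-len(password) // 16)) * 16   # pad to a multiple of 16 octets
    padded, out, prev = password.ljust(size, b"\0"), b"", authenticator
    for i in range(0, size, 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out += prev
    return out

def pap_recover(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Server side: undo the hiding with the shared secret to get the typed password."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\0")

def one_way_record(password: bytes, salt: bytes) -> bytes:
    """Stand-in for a non-reversible stored password (assumption: PBKDF2-SHA256)."""
    return hashlib.pbkdf2_hmac("sha256", password, salt, 100_000)

def verify_pap(hidden: bytes, secret: bytes, authenticator: bytes,
               salt: bytes, record: bytes) -> bool:
    """PAP works with one-way storage: hash the recovered password and compare."""
    typed = pap_recover(hidden, secret, authenticator)
    return hmac.compare_digest(one_way_record(typed, salt), record)

if __name__ == "__main__":
    # Constructed sample values, not taken from the guide.
    secret, pw, salt = b"Secret", b"constructed-pass", b"constructed-salt"
    auth, challenge = bytes(range(16)), bytes(range(16, 32))
    record, resp = one_way_record(pw, salt), chap_response(7, pw, challenge)
    print("PAP vs one-way record:", verify_pap(pap_hide(pw, secret, auth), secret, auth, salt, record))
    print("CHAP with cleartext:  ", verify_chap(pw, 7, challenge, resp))
    print("CHAP with record only:", verify_chap(record, 7, challenge, resp))
```

The last line prints False: a server holding only the one-way record cannot reproduce the MD5 input, which is why a password set before reversible encryption was enabled must be re-entered before CHAP will work. With PAP the password is protected in transit only by the shared secret, so the secret configured in the client entry and on the switch should be long and random.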