Brocade Mobility RFS Controller System Reference Guide (Supporting software release 5.5.0.0 and later) User Manual


53-1003099-01


9. If creating a new policy, assign it a RADIUS Server Policy name up to 32 characters.

10. Configure the following Settings required in the creation or modification of the server policy:

11. Set the following Authentication parameters to define server policy authorization settings.

RADIUS User Pools

Select the user pools (groups of existing client users) to apply to this server policy. Up to 32
policies can be applied. If there is not an existing user pool configuration suitable for the
deployment, select the Create link and define a new configuration.

LDAP Server Dead Period

Set an interval in either Seconds (0 - 600) or Minutes (0 - 10) for planned LDAP server inactivity.
A dead period is only implemented when additional LDAP servers are configured and available
for LDAP failover. The default setting is 5 minutes.

LDAP Groups

Use the drop-down menu to select LDAP groups to apply the server policy configuration. Select
the Create or Edit icons to either create a new group or modify an existing group. Use the arrow
icons to add and remove groups as required.

LDAP Group Verification

Select the checkbox to set the LDAP group search configuration.

LDAP Chase Referral

Select this option to enable the chasing of referrals from an external LDAP server resource.
An LDAP referral is a controller or service platform's way of indicating to a client that it does
not hold the section of the directory tree where a requested object resides. The referral directs
the client to a different location that is more likely to hold the object, and the client uses it as
the basis for a DNS search for a domain controller. Ideally, a referral always references a
domain controller that does hold the object. However, that domain controller may generate
another referral, although it usually does not take long to discover that the object does not
exist and to inform the client.
This feature is disabled by default.

Local Realm

Define the LDAP realm that performs authentication using information from an LDAP server.
User information includes the user name, the password, and the groups to which the user belongs.

Default Source

Select the RADIUS resource for user authentication with this server policy. Options include Local
for the local user database or LDAP for a remote LDAP resource. The default setting is Local.

Default Fallback

Define whether fallback is enabled, reverting to local RADIUS resources if the designated
external LDAP resource fails or becomes unavailable. Fallback is disabled by default.

Authentication Type

Use the drop-down menu to select the EAP authentication scheme used with this policy. The
following EAP authentication types are supported by the local RADIUS and remote LDAP servers:
All - Enables all authentication schemes.
TLS - Uses TLS as the EAP type.
TTLS and MD5 - The EAP type is TTLS with default authentication using MD5.
TTLS and PAP - The EAP type is TTLS with default authentication using PAP.
TTLS and MSCHAPv2 - The EAP type is TTLS with default authentication using MSCHAPv2.
PEAP and GTC - The EAP type is PEAP with default authentication using GTC.
PEAP and MSCHAPv2 - The EAP type is PEAP with default authentication using MSCHAPv2.
However, when user credentials are stored on an LDAP server, the RADIUS server cannot
conduct PEAP-MSCHAPv2 authentication on its own, as it is not aware of the password. Use the
LDAP agent settings to authenticate the user locally. Additionally, an authentication utility (such
as Samba) must be used to authenticate the user. Samba is open source software used to
share services between Windows and Linux machines.

Do Not Verify Username

Select this option to use certificate expiration as the matching criterion rather than the hostname.
This setting is disabled by default.

Enable CRL Validation

Select this option to enable a Certificate Revocation List (CRL) check. Certificates can be
checked and revoked for a number of reasons, including failure or compromise of a device using
a certificate, compromise of the certificate's key pair, or errors within an issued certificate. This
option is disabled by default.
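The interaction between Default Source, Default Fallback and LDAP Server Dead Period is easier to reason about as a small model. The following is an added example, not code from the manual or the controller; the class and method names, the failover rule (a failed server is skipped for the dead period only when another LDAP server is configured) and the event log are this example's own assumptions.

```python
# Added example: a model of the authentication-source selection implied by the
# Default Source, Default Fallback and LDAP Server Dead Period fields above.
# Names, the failover rule and the event log are this example's assumptions,
# not the controller's CLI or API.
import time


class RadiusServerPolicy:
    def __init__(self, default_source, fallback, ldap_servers,
                 dead_period=300, local_users=None, clock=time.monotonic):
        self.default_source = default_source      # "local" or "ldap"
        self.fallback = fallback                  # revert to local if LDAP is unavailable
        # Each server is a callable (user, password) -> bool that raises
        # ConnectionError when the server cannot be reached.
        self.ldap_servers = list(ldap_servers)
        self.dead_period = dead_period            # seconds a failed server is skipped
        self.local_users = dict(local_users or {})
        self.clock = clock
        self.dead_until = {}                      # server index -> time it may be retried
        self.events = []                          # audit trail a defender would forward to a SIEM

    def _local(self, user, password):
        return ("local", self.local_users.get(user) == password)

    def _ldap(self, user, password):
        now = self.clock()
        for i, server in enumerate(self.ldap_servers):
            if self.dead_until.get(i, 0) > now:
                continue                          # still inside its dead period
            try:
                return ("ldap", server(user, password))
            except ConnectionError:
                # A dead period only applies when another server exists for failover;
                # a lone server is simply retried on the next request.
                if len(self.ldap_servers) > 1:
                    self.dead_until[i] = now + self.dead_period
                    self.events.append(f"ldap server {i} marked dead for {self.dead_period}s")
        return None                               # no reachable LDAP server

    def authenticate(self, user, password):
        if self.default_source == "local":
            return self._local(user, password)
        result = self._ldap(user, password)
        if result is not None:
            return result
        if self.fallback:
            # Silent downgrade of the authentication source: worth alerting on.
            self.events.append(f"fallback to local database for user {user!r}")
            return self._local(user, password)
        return ("ldap", False)                    # fallback disabled: reject
```

The events list is the point for a defender: a fallback to the local database changes which credential store decides the outcome, and that transition should be logged and monitored rather than passed silently.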
