Chapter 8, Security, TACACS+ service in a mixed vendor environment – Brocade Communications Systems Brocade Network OS 2.1 User Manual


Network OS Documentation Update

53-1002606-06

Chapter 8, Security


switch# firmware download usb directory firmware\NOS_v2.1.1

5. Optional: Unmount the USB storage device.

switch# usb off

Trying to disable USB device. Please wait...

USB storage disabled.

Chapter 8, Security

Add the following section after “TACACS+ server parameters” on page 86. This update only applies
to Network OS v2.1.1b or higher:

TACACS+ service in a mixed vendor environment

Network OS v2.1.x supports Terminal Access Controller Access-Control System Plus (TACACS+)
Authentication, Authorization and Accounting (AAA) services in multi-vendor environments.

Network OS v2.1.x uses Role-Based Access Control (RBAC) to authorize access to system objects
by authenticated users. In AAA environments you may need to configure “authorization” across
Brocade and non-Brocade platforms. You can use TACACS+ to provide centralized AAA services to
multiple Network Access Servers (NAS) or clients.

Configuring optional arguments in tac_plus

In Network OS v2.1.1b, the Attribute-Value Pair (AVP) argument can be optional or mandatory, and
is requested explicitly by the device running Network OS. In Network OS v2.1.1b, configure the
argument as optional, as in the example below (the ‘*’ separator marks an optional argument,
‘=’ a mandatory one):

brcd-role*admin

To further enhance compatibility and interoperability with multiple TACACS+ services, the Network
OS device sends the optional argument ‘brcd-role’ in the authorization request to the TACACS+
service. Most TACACS+ servers are coded so that if the NAS sends an argument (as mandatory
or optional) in the authorization request, the service sends the same argument back in the
response. So when brcd-role is configured as an optional argument, it is sent in the authorization
request, and Network OS users are therefore able to authorize successfully with all TACACS+ services
in a mixed vendor environment.

The open source TACACS+ server ‘tac_plus’ is hosted on http://www.shrubbery.net, and is based
on the original Cisco version of the TACACS+ server. In the example below, the mandatory attribute
priv-lvl=15 is set to allow Cisco devices to authenticate. The optional brcd-role = admin argument
allows VDX to authenticate with Network OS v2.1.1b.

NOTE

As tac_plus does not send optional arguments by default, optional arguments are only supported by
Network OS v2.1.1b or higher.

To configure tac_plus with the optional attribute value pair for NOS, add these values to the
tac_plus.conf file (replace <username> with the account name; the closing brace of the user
block is required for tac_plus to parse the file):

user = <username> {
    default service = permit
    service = exec {
        priv-lvl=15
        optional brcd-role = admin
    }
}
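The following is an added example, not code from Brocade or from the tac_plus project. It models in Python the two mechanisms the sections above rely on: the TACACS+ authorization argument syntax (attr=value for a mandatory argument, attr*value for an optional one) and the server-side rule the text describes, where a configured optional argument such as brcd-role is returned only when the NAS names it in its authorization request, while mandatory arguments such as priv-lvl are always returned. The TAC_PLUS_CONFIG structure is constructed by hand from the tac_plus.conf fragment above, and the authorize() function is a deliberately simplified model of server behaviour, not tac_plus's actual implementation.

```python
"""Simplified model of TACACS+ authorization argument handling.

Added example (not Brocade's or tac_plus's code): it encodes the AVP syntax
from the text, attr=value for a mandatory argument and attr*value for an
optional one, and the server rule the text describes, where a configured
optional argument such as brcd-role is returned only when the NAS asks for
it in the authorization request, while mandatory ones are always returned.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Avp:
    """One TACACS+ authorization attribute-value pair."""
    attr: str
    value: str
    mandatory: bool

    def encode(self) -> str:
        # '=' marks a mandatory argument, '*' an optional one.
        return f"{self.attr}{'=' if self.mandatory else '*'}{self.value}"


def parse_avp(arg: str) -> Avp:
    """Split an argument at its first '=' or '*' separator."""
    for i, ch in enumerate(arg):
        if ch in "=*":
            return Avp(arg[:i], arg[i + 1:], ch == "=")
    raise ValueError(f"not a TACACS+ argument: {arg!r}")


# Constructed from the page's tac_plus.conf example: the 'exec' service block
# carries a mandatory priv-lvl=15 and an optional brcd-role = admin.
TAC_PLUS_CONFIG = {
    "exec": [Avp("priv-lvl", "15", True), Avp("brcd-role", "admin", False)],
}


def authorize(config, request_args):
    """Return (status, response_args) for one authorization request.

    Hypothetical simplification of the behaviour the text describes:
      * the 'service' argument selects the configured service block;
      * mandatory configured arguments are always returned;
      * an optional configured argument is returned only if the NAS named it
        in the request (tac_plus does not send optional arguments by default);
      * a mandatory request argument the server has no value for fails the
        request; an unknown optional one is silently dropped.
    """
    requested = [parse_avp(a) for a in request_args]
    service = next((r.value for r in requested if r.attr == "service"), None)
    if service not in config:
        return "FAIL", []
    configured = {a.attr: a for a in config[service]}
    # Mandatory configured arguments go out regardless of what was asked for.
    response = [a for a in config[service] if a.mandatory]
    for r in requested:
        if r.attr == "service":
            continue
        match = configured.get(r.attr)
        if match is None:
            if r.mandatory:
                return "FAIL", []
            continue
        # Echo the argument the NAS asked for, with the configured value.
        if match not in response:
            response.append(match)
    return "PASS_ADD", [a.encode() for a in response]


if __name__ == "__main__":
    # A Network OS v2.1.1b device asks for brcd-role explicitly (empty optional value).
    print(authorize(TAC_PLUS_CONFIG, ["service=exec", "brcd-role*"]))
    # A NAS that does not know brcd-role receives only the mandatory priv-lvl.
    print(authorize(TAC_PLUS_CONFIG, ["service=exec"]))
```

Running the block shows why the optional form matters: a Network OS device that sends brcd-role* gets brcd-role*admin back alongside priv-lvl=15, while a NAS that never mentions brcd-role is unaffected by the extra configuration, which is the interoperability property the section is after.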
