44

Brocade ICX 6650 Security Configuration Guide

53-1002601-01

RADIUS security

AAA security for commands pasted into the running-config

If AAA security is enabled on the device, commands pasted into the running-config are subject to
the same AAA operations as if they were entered manually.

When you paste commands into the running-config, and AAA command authorization or
accounting, or both, are configured on the device, AAA operations are performed on the pasted
commands. The AAA operations are performed before the commands are actually added to the
running-config. The server performing the AAA operations should be reachable when you paste the
commands into the running-config file. If the device determines that a pasted command is invalid,
AAA operations are halted on the remaining commands. The remaining commands may not be
executed if command authorization is configured.

NOTE

Since RADIUS command authorization relies on a list of commands received from the RADIUS server
when authentication is performed, it is important that you use RADIUS authentication when you also
use RADIUS command authorization.

RADIUS configuration considerations

You must deploy at least one RADIUS server in your network.

Brocade devices support authentication using up to eight RADIUS servers, including those
used for 802.1X authentication and for management. The device tries to use the servers in the
order you add them to the device configuration. If one RADIUS server times out (does not
respond), the Brocade device tries the next one in the list. Servers are tried in the same
sequence each time there is a request.

You can optionally configure a RADIUS server as a port server, indicating that the server will be
used only to authenticate users on ports to which it is mapped, as opposed to globally
authenticating users on all ports of the device. In earlier releases, all configured RADIUS
servers are “global” servers and apply to users on all ports of the device. Refer to “RADIUS
server per port” on page 48.

You can map up to eight RADIUS servers to each port on the Brocade device. The port will
authenticate users using only the RADIUS servers to which it is mapped. If there are no RADIUS
servers mapped to a port, it will use the “global” servers for authentication. In earlier releases,
all RADIUS servers are “global” servers and cannot be bound to individual ports. Refer to
“RADIUS server to individual ports mapping” on page 49.

You can select only one primary authentication method for each type of access to a device (CLI
through Telnet, CLI Privileged EXEC and CONFIG levels). For example, you can select RADIUS as
the primary authentication method for Telnet CLI access, but you cannot also select TACACS+
authentication as the primary method for the same type of access. However, you can configure
backup authentication methods for each access type.
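The following configuration is an added example that follows the NOTE above and the considerations in this section; it is not taken from the guide. It lists two global RADIUS servers, which the device tries in the order they were added (the second only if the first times out), pairs RADIUS authentication with RADIUS command authorization and accounting as the NOTE requires, and names local as the backup method for each access type. The server addresses and the shared secret are placeholders; the aaa authorization commands and aaa accounting commands forms are the ones shown in Table 7, and the choice of privilege level 0 (Super User level) for them is an assumption of this example.

```text
! Added example configuration, not from the guide; addresses and key are placeholders.
! Global RADIUS servers: tried in the order listed; the next one is used on timeout.
radius-server host 192.0.2.10
radius-server host 192.0.2.11
radius-server key <shared-secret>
!
! RADIUS is the primary authentication method for login and Privileged EXEC;
! local is the backup method used if no RADIUS server responds.
aaa authentication login default radius local
aaa authentication enable default radius local
!
! Command authorization and accounting through RADIUS. Privilege level 0
! (Super User level) is an assumption of this example. RADIUS authentication
! above is required, because the authorized command list is returned by the
! RADIUS server when the user authenticates.
aaa authorization commands 0 default radius
aaa accounting commands 0 default start-stop radius
```

With this configuration, commands pasted into the running-config are authorized and accounted by the same method lists, so a pasted command that the RADIUS command list does not permit halts AAA processing of the remaining pasted commands, as described earlier in this section.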

TABLE 7    AAA operations for RADIUS (continued)

User action                    Applicable AAA operations

User enters other commands     Command authorization:
                               aaa authorization commands privilege-level default method-list

                               Command accounting:
                               aaa accounting commands privilege-level default start-stop method-list
