Fabric OS Commands, aaaConfig, Chapter 2 – Dell PowerEdge M1000E User Manual


Fabric OS Command Reference (53-1002746-01)

Chapter 2: Fabric OS Commands

aaaConfig

Manages RADIUS, LDAP, and TACACS+ configuration information.

SYNOPSIS

aaaconfig

aaaconfig --show

aaaconfig --add | --change server -conf radius | ldap | tacacs+
[-p port] [-d domain] [-t timeout] [-s secret]
[-a chap | pap | peap-mschapv2]

aaaconfig --remove server -conf radius | ldap | tacacs+

aaaconfig --move server -conf radius | ldap | tacacs+ to_position

aaaconfig --authspec aaa1[;aaa2] [-backup] [-nologout]

aaaconfig --help

DESCRIPTION

Use this command to manage the RADIUS, LDAP, and TACACS+ server configuration for the
authentication, authorization and accounting (AAA) services. Use this command to display, add, remove,
change, enable or disable the RADIUS, LDAP, or TACACS+ configuration.

Brocade switches use a local as well as a remote authentication mechanism for validating a login.
Supported authentication protocols include Password Authentication Protocol (PAP),
Challenge-Handshake Authentication Protocol (CHAP) and Protected Extensible Authentication Protocol
(PEAP). In addition, Fabric OS v6.0.0 and later supports Lightweight Directory Access Protocol (LDAP)
authentication against Active Directory for user authentication and authorization.

RADIUS, LDAP or TACACS+ servers are contacted in the order in which they appear in the configuration
list. The first server that responds decides the outcome: an authentication success or failure from that
server makes the request succeed or fail, and later servers in the list are not consulted. If no response
is received within the configured timeout, the next RADIUS, LDAP, or TACACS+ server in the list is
contacted. An event entry is logged if all RADIUS, LDAP, or TACACS+ servers fail to respond.
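The following is an added example, not Brocade or Dell code, that models in Python what the preceding two paragraphs describe for the RADIUS case: the RFC 2865 Access-Request with a PAP password hidden under the shared secret (the value given to `-s secret`), the Response Authenticator check the client performs, and the server-list walk in which the first Accept or Reject decides, a timeout moves to the next server, and an event is recorded when every server fails to respond. Server names, secrets and user accounts are constructed, and the "servers" are in-process functions rather than network peers, so the script runs offline; it does not show the switch's actual client implementation.

```python
import hashlib
import os
import struct

# RFC 2865 packet codes and attribute types used in this example
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2

def hide_password(password, secret, authenticator):
    """RFC 2865 s5.2 PAP hiding: NUL-pad to 16-byte blocks, then XOR each block
    with MD5(secret || previous block), seeded with the Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        block = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ b for p, b in zip(padded[i:i + 16], block))
        out += prev
    return out

def reveal_password(hidden, secret, authenticator):
    """Inverse of hide_password (what the server does); strips the NUL padding."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        block = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ b for c, b in zip(hidden[i:i + 16], block))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")

def attr(atype, value):
    """Type-Length-Value attribute; length counts the two header bytes."""
    return struct.pack("!BB", atype, len(value) + 2) + value

def build_access_request(ident, username, password, secret, authenticator=None):
    authenticator = authenticator or os.urandom(16)  # fresh 16 random bytes per request
    attrs = attr(ATTR_USER_NAME, username)
    attrs += attr(ATTR_USER_PASSWORD, hide_password(password, secret, authenticator))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + authenticator + attrs

def parse_packet(pkt):
    """Returns (code, identifier, authenticator, {attr_type: value})."""
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    attrs, pos = {}, 20
    while pos < length:
        atype, alen = pkt[pos], pkt[pos + 1]
        attrs[atype] = pkt[pos + 2:pos + alen]
        pos += alen
    return code, ident, pkt[4:20], attrs

def response_authenticator(code, ident, request_auth, attrs, secret):
    """RFC 2865 s3: MD5(Code | ID | Length | RequestAuth | Attributes | Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + request_auth + attrs + secret).digest()

def make_server(secret, users):
    """In-process stand-in for a RADIUS server (constructed for this example)."""
    def handle(request):
        _, ident, req_auth, attrs = parse_packet(request)
        pw = reveal_password(attrs.get(ATTR_USER_PASSWORD, b""), secret, req_auth)
        code = ACCESS_ACCEPT if users.get(attrs.get(ATTR_USER_NAME)) == pw else ACCESS_REJECT
        resp_auth = response_authenticator(code, ident, req_auth, b"", secret)
        return struct.pack("!BBH", code, ident, 20) + resp_auth
    return handle

def unreachable_server(request):
    """A server that never answers: the timeout case described in the text."""
    return None

def authenticate(server_list, username, password):
    """Try servers in configured order; the first Accept or Reject decides.
    Returns (result, deciding_server, events)."""
    events = []
    for ident, (name, secret, handler) in enumerate(server_list):
        req = build_access_request(ident, username, password, secret)
        resp = handler(req)
        if resp is None:
            events.append(f"{name}: no response within timeout, trying next server")
            continue
        code, rid, resp_auth, _ = parse_packet(resp)
        expected = response_authenticator(code, rid, req[4:20], resp[20:], secret)
        if rid != ident or resp_auth != expected:
            # RFC 2865 says to silently discard a packet with a bad authenticator,
            # so a mistyped shared secret looks exactly like an unreachable server.
            events.append(f"{name}: bad Response Authenticator (shared secret mismatch?), discarded")
            continue
        return ("accept" if code == ACCESS_ACCEPT else "reject"), name, events
    events.append("EVENT: all RADIUS servers failed to respond")
    return "no_response", None, events

if __name__ == "__main__":
    # Constructed configuration: the first server in the list is down, the second is healthy.
    servers = [
        ("radius1.example.net", b"Secret1", unreachable_server),
        ("radius2.example.net", b"Secret2", make_server(b"Secret2", {b"admin": b"fibre-ch4nnel"})),
    ]
    print(authenticate(servers, b"admin", b"fibre-ch4nnel"))
```

Two points a practitioner should take from the model. First, a wrong shared secret on the switch does not produce a visible failure: the server's reply fails the authenticator check and is dropped, so the switch moves on to the next server and, with a single server, reports that no server responded; when troubleshooting "all servers failed to respond" events, check the server-side logs for requests with bad authenticators. Second, the PAP hiding is an MD5-keyed XOR stream, not an authenticated cipher, so the strength of the shared secret and the protection of the path between switch and server matter; the `-a chap` and `-a peap-mschapv2` options exist so that the clear password never leaves the switch.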

When the command succeeds, an entry is written to the event log (the Fabric OS error log) indicating
that a server was added, removed, or modified. Refer to the Fabric OS Message Reference manual for
specific details.

There are two modes of operation for LDAP authentication, FIPS mode and non-FIPS mode. LDAP cannot,
however, be configured while the switch is in FIPS mode. The LDAP client checks whether FIPS mode is
set on the switch and, if so, uses FIPS-compliant TLS ciphers for LDAP. If FIPS mode is not set but the
Active Directory server is configured for FIPS ciphers, FIPS-compliant ciphers are also used.

Configuration changes are persistently saved and take effect with the next AAA request. The
configuration applies to all switch instances in a platform supporting multiple switch domains.

NOTES

Customers can use centralized RADIUS servers to manage AAA services for a switch, as defined in the
RFC 2865 RADIUS specification.

This command can be executed when logged in through the console, Telnet or SSH connection.
