Fabric os commands, Aaaconfig, Chapter 2 – Dell POWEREDGE M1000E User Manual

Fabric OS Command Reference

5

53-1001764-02

Chapter

2

Fabric OS Commands

aaaConfig

Manages RADIUS and LDAP configuration information.

Synopsis

aaaconfig

aaaconfig --show

aaaconfig --add | --change server -conf radius|ldap [-p port] [-d domain][-t timeout] [-s secret]
[-a chap | pap | peap-mschapv2]

aaaconfig --remove server -conf radius|ldap

aaaconfig --move server -conf radius|ldap to_position

aaaconfig --authspec aaa1[;aaa2 [-backup]

aaaconfig --help

Description

Use this command to manage the RADIUS and LDAP server configuration for the authentication,
authorization and accounting (AAA) services. Use this command to display, add, remove, change,
enable or disable the RADIUS or LDAP configuration.

Switches running Fabric OS v5.2.0 or later use a local as well as a remote authentication
mechanism for validating a login. Supported authentication protocols include Password
Authentication Protocol (PAP), Challenge-Handshake Authentication Protocol (CHAP) and, for
switches running Fabric OS v5.3.0 or later, Protected Extensible Authentication Protocol (PEAP). In
addition, Fabric OS v6.0.0 provides support for Light-weight Directory Access Protocol (LDAP)
authentication against Active Directory for user authentication and authorization.

RADIUS or LDAP servers are contacted in the order they appear in the configuration list. The first
server returning authentication success or failure causes the authentication request to succeed or
fail. If no response is received within the specified timeout, the next RADIUS or LDAP server in the
list is contacted. An event entry logs if all RADIUS or LDAP servers fail to respond.

When the command succeeds, it triggers an event log (the Fabric OS error log) to indicate a server
is added, removed, or modified. Refer to the Fabric OS Message Reference manual for specific
details.

There are two modes of operation in LDAP authentication, FIPS mode and non-FIPS mode.
However, there is no option to configure LDAP while the switch is in FIPS mode. The LDAP client
checks if FIPS mode is set on the switch and uses FIPS-compliant TLS ciphers for LDAP. If FIPS
mode is not set and the ADir server is configured for FIPS ciphers, it uses FIPS-compliant ciphers.

Fabric OS v6.1.0 and later is required to configure LDAP to use FIPS-compliant ciphers. Refer to the
Fabric OS Administrator's Guide for configuration procedures.

Configuration changes are persistently saved and take effect with the next AAA request. The
configuration applies to all switch instances in a platform supporting multiple switch domains.