Network OS Documentation Update
53-1002606-06
switch# firmware download usb directory firmware\NOS_v2.1.1 
5. Optional: Unmount the USB storage device.
switch# usb off 
Trying to disable USB device. Please wait...
USB storage disabled.
Chapter 8, Security
Add the following section after “TACACS+ server parameters” on page 86. This update only applies 
to Network OS v2.1.1b or higher:
TACACS+ service in a mixed vendor environment
Network OS v2.1.x supports Terminal Access Controller Access-Control System Plus (TACACS+) 
Authentication, Authorization and Accounting (AAA) services in multi-vendor environments. 
Network OS v2.1.x uses Role-Based Access Control (RBAC) to authorize authenticated users' access 
to system objects. In AAA environments you may need to configure authorization across Brocade 
and non-Brocade platforms. You can use TACACS+ to provide centralized AAA services to multiple 
Network Access Servers (NAS), or clients. 
Configuring optional arguments in tac_plus
In Network OS v2.1.1b, the Attribute-Value Pair (AVP) argument can be optional or mandatory, and 
is requested explicitly by the device running Network OS. In Network OS v2.1.1b, configure the 
argument as optional, as in the example below. In TACACS+ argument syntax the separator carries 
the flag: ‘attr*value’ marks an optional pair, ‘attr=value’ a mandatory one:
brcd-role*admin 
To improve compatibility and interoperability with multiple TACACS+ services, the Network OS 
device sends the optional argument ‘brcd-role’ in the authorization request to the TACACS+ 
service. Most TACACS+ servers are written so that, if the NAS sends an argument (mandatory or 
optional) in the authorization request, the service returns the same argument in the response. 
Because brcd-role is configured as an optional argument and is sent in the authorization request, 
Network OS users can be authorized successfully by all TACACS+ services in a mixed vendor 
environment.
The open source TACACS+ server ‘tac_plus’ is hosted at http://www.shrubbery.net and is based 
on the original Cisco TACACS+ server. In the example below, the mandatory attribute priv-lvl=15 
is set so that Cisco devices are authorized; the optional brcd-role = admin argument allows a VDX 
running Network OS v2.1.1b to be authorized.
NOTE
tac_plus does not return an optional argument unless the NAS requests it, so this configuration 
is only supported by Network OS v2.1.1b or higher, which sends the optional argument in its 
authorization request.
To configure tac_plus with the optional attribute value pair for NOS, add these values to the 
tac_plus.conf file:
user = <username> {
    default service = permit
    service = exec {
        priv-lvl = 15
        optional brcd-role = admin
    }
}
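The following is an added worked example, not code from Brocade or from the tac_plus project, that models how the tac_plus.conf entry above is resolved against three different authorization requests: a Cisco-style request that never mentions brcd-role, the Network OS v2.1.1b request that carries ‘brcd-role*admin’ as an optional argument, and a request that asks for a different role. The mandatory/optional matching rules it applies are my reading of the authorization section of the TACACS+ specification and are an assumption to verify against your server; the request strings and the status names PASS_ADD, PASS_REPL and FAIL are constructed for the illustration.

```python
"""TACACS+ authorization argument matching, worked through for the
tac_plus.conf example above.

Added illustration, not code from Brocade, Cisco or tac_plus. The
matching rules below are my model of the mandatory ('=') / optional ('*')
argument handling described in the TACACS+ specification's authorization
section (an assumption: verify against your server's documentation).
"""
from typing import List, Optional, Tuple

PASS_ADD, PASS_REPL, FAIL = "PASS_ADD", "PASS_REPL", "FAIL"

# The 'service = exec' block from the page, as argument strings:
# 'priv-lvl' is mandatory (=), 'brcd-role' is optional (*), matching the
# 'optional brcd-role = admin' line in tac_plus.conf.
SERVER_EXEC = ["service=exec", "priv-lvl=15", "brcd-role*admin"]


def parse_av(pair: str) -> Tuple[str, str, bool]:
    """Split one argument into (attr, value, mandatory).

    On the wire the separator is '=' for mandatory and '*' for optional;
    whichever of the two comes first in the string is the separator.
    """
    seps = [i for i in (pair.find("="), pair.find("*")) if i >= 0]
    if not seps:
        raise ValueError(f"not a TACACS+ argument: {pair!r}")
    i = min(seps)
    return pair[:i], pair[i + 1:], pair[i] == "="


def fmt_av(attr: str, value: str, mandatory: bool) -> str:
    return f"{attr}{'=' if mandatory else '*'}{value}"


def authorize(nas_args: List[str], server_args: List[str],
              default_permit: bool = True) -> Tuple[str, List[str]]:
    """Resolve one authorization request; returns (status, reply_args).

    PASS_ADD: reply lists only arguments the NAS must add to its own.
    PASS_REPL: reply is the complete argument set, replacing the NAS's.
    FAIL: authorization denied.
    """
    server = {}
    for p in server_args:
        a, v, m = parse_av(p)
        server[a] = (v, m)
    matched = set()
    out = []           # full resolved list, used for PASS_REPL
    need_repl = False  # set once any NAS optional argument is resolved
    for p in nas_args:
        attr, val, mandatory = parse_av(p)
        hit = server.get(attr)
        if hit is not None:
            matched.add(attr)
        if mandatory:
            # NAS asserts the value: a conflicting mandatory server value
            # denies, an optional server value defers to the NAS, and an
            # unknown attribute falls back to the service default.
            if hit is None and not default_permit:
                return FAIL, []
            if hit is not None and hit[1] and hit[0] != val:
                return FAIL, []
            out.append((attr, val, True))
        else:
            # NAS asks the server for this attribute: the server's value
            # (and its mandatory/optional flag) is returned, or the
            # argument is dropped when the server has nothing for it.
            need_repl = True
            if hit is not None:
                out.append((attr, hit[0], hit[1]))
    # Mandatory server arguments the NAS did not send are added; optional
    # ones come back only when requested, which is why the v2.1.1b request
    # carries 'brcd-role*admin'.
    added = [(a, v, m) for a, (v, m) in server.items()
             if m and a not in matched]
    out.extend(added)
    if need_repl:
        return PASS_REPL, [fmt_av(*t) for t in out]
    return PASS_ADD, [fmt_av(*t) for t in added]


def granted_role(nas_args: List[str],
                 server_args: List[str] = SERVER_EXEC) -> Optional[str]:
    """Role the device ends up with: None if denied, '' if authorized
    but no brcd-role came back (the failure mode the optional argument
    fixes for Network OS)."""
    status, reply = authorize(nas_args, server_args)
    if status == FAIL:
        return None
    effective = reply if status == PASS_REPL else nas_args + reply
    for p in effective:
        attr, val, _ = parse_av(p)
        if attr == "brcd-role":
            return val
    return ""


if __name__ == "__main__":
    # Constructed requests: the same exec request a Cisco device would be
    # satisfied with, and the v2.1.1b VDX request that asks for its role.
    for label, req in [("exec only", ["service=exec"]),
                       ("vdx 2.1.1b", ["service=exec", "brcd-role*admin"])]:
        print(label, authorize(req, SERVER_EXEC), "role:", repr(granted_role(req)))
```

The exec-only request is answered with PASS_ADD and just priv-lvl=15, which is all a Cisco device needs but leaves a VDX with no role; the v2.1.1b request gets brcd-role back because it asked for it. A request that asserts a conflicting mandatory value (for example priv-lvl=1 against the mandatory priv-lvl=15) is denied, which is why the role attribute is carried as optional rather than mandatory.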