VDX radius user roles


Hello All,

On our datacenter VDX switches I am having a weird issue with AAA and user access. What we have is radius authentication to an RSA server with local-auth-fallback for now. All local accounts have the role of admin and are able to get into configure terminal mode. When logging in with a radius account I no longer have access to configure terminal mode or many other commands, but this is not the case for all radius accounts. My boss's radius account does not have this issue despite the exact same role configured on the VDX and the same settings in RSA.

My reason for believing this issue is on the switch side is that we have another set of VDXs at our DR site and my boss's radius account has the same issue getting to configure terminal mode that my account does on either device.

Also, there are no authorization commands available on our switches; the only ones listed are aaa authentication and aaa accounting, so I'm left to assume it's just the roles listed in the user account commands that control authorization.

Thanks in advance for any help provided, and please let me know if I need to provide more information or changes to my question.

1 reply

Hello Chris,

I may be late but here it goes:

There are no authorization commands because user authorization on VDX through the RADIUS protocol is not supported. The access control of RADIUS users is enforced by the Brocade role-based access control (RBAC) protocol at the switch level. A RADIUS user should therefore be assigned a role that is present on the switch using the Vendor Specific Attribute (VSA) Extreme-Auth-Role. After the successful authentication of the RADIUS user, the role of the user configured on the server is obtained. If the role cannot be obtained or if the obtained role is not present on the switch, the user will be assigned the user role and a session is granted to the user with user authorization.

Here's how you can create a rule to specify the RBAC permissions for, say, the NetworkSecurityAdmin role:

device(config)# rule 30 action accept operation read-write role NetworkSecurityAdmin command role
device(config-rule-30)# exit

Hope this helps.

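To make the role lookup described in the reply concrete, here is an added Python example (not from the thread, nor Brocade/Extreme code) that pulls the Vendor-Specific attribute out of an Access-Accept's attribute bytes and applies the same fallback: a role that is missing, or not defined on the switch, becomes `user`. The vendor ID 1588 and sub-attribute type 1 are assumptions; check them against the RADIUS dictionary that ships with your switch firmware, and compare the parsed role against what your RSA server actually sends (a packet capture of the Access-Accept is enough).

```python
import struct

# Assumed values (not stated in the thread): the vendor ID and sub-attribute
# type under which the switch expects the Extreme-Auth-Role VSA.
VSA_VENDOR_ID = 1588   # assumption: Brocade/Extreme enterprise number
VSA_ROLE_TYPE = 1      # assumption: vendor sub-attribute carrying the role
ATTR_VENDOR_SPECIFIC = 26
DEFAULT_ROLE = "user"  # role the switch falls back to, per the reply above


def parse_attributes(payload: bytes):
    """Yield (type, value) pairs from a RADIUS attribute section (TLV list)."""
    pos = 0
    while pos + 2 <= len(payload):
        attr_type, length = payload[pos], payload[pos + 1]
        if length < 2 or pos + length > len(payload):
            raise ValueError("malformed RADIUS attribute at offset %d" % pos)
        yield attr_type, payload[pos + 2:pos + length]
        pos += length


def auth_role_from_vsa(payload: bytes):
    """Return the role string carried in the role VSA, or None if absent."""
    for attr_type, value in parse_attributes(payload):
        if attr_type != ATTR_VENDOR_SPECIFIC or len(value) < 6:
            continue
        vendor_id = struct.unpack("!I", value[:4])[0]
        if vendor_id != VSA_VENDOR_ID:
            continue
        # Vendor-specific part is itself a TLV list: vendor-type, vendor-length, data
        for sub_type, sub_value in parse_attributes(value[4:]):
            if sub_type == VSA_ROLE_TYPE:
                return sub_value.decode("ascii", errors="replace")
    return None


def resolve_role(payload: bytes, switch_roles: set) -> str:
    """Model the switch: keep the VSA role only if that exact name exists locally."""
    role = auth_role_from_vsa(payload)
    if role is None or role not in switch_roles:
        return DEFAULT_ROLE
    return role


def build_vsa(role: str) -> bytes:
    """Constructed Access-Accept attribute bytes carrying the role VSA (sample input)."""
    sub = bytes([VSA_ROLE_TYPE, 2 + len(role)]) + role.encode("ascii")
    body = struct.pack("!I", VSA_VENDOR_ID) + sub
    return bytes([ATTR_VENDOR_SPECIFIC, 2 + len(body)]) + body
```

Running `resolve_role` over the bytes your server returns for the two accounts shows at a glance whether the boss's reply carries a role the switch knows and yours does not.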