I've been banging my head against a brick wall with this one for a few hours now. RSA authentication was working OK on the existing 48k Directors but not on a new pair of 5100s that I took the opportunity to upgrade to FabOS 6.3.
Running a command such as ipaddrshow results in an error saying "Invalid Chassis Role".
Running userconfig --show returns the following:
> userconfig --show
Account name: xxxxx
Description: RADIUS Account
Enabled: Yes
Password Last Change Date: Unknown (UTC)
Password Expiration Date: Not Applicable (UTC)
Locked: No
Home LF Role: admin
Role-LF List: admin: 128
No chassis permission
Home LF: 128
The key bit here is "No chassis permission." - but we knew that!
A quick Google search returned one result suggesting the following attributes need setting:
HomeLF
LFRoleList
ChassisRole
Well, after a lot of pissing about with the brocade.dct file we had created on the SecurID appliance, I realised that what I actually need to do is pass these values across in the AVPair1 - 5 attribute.
So I have amended the /usr/local/RSASecurity/RSAAuthenticationManager/radius/brocade.dct file to read as follows now:
(I just edited this using vi - press I for insert mode, edit the file, then press Esc to exit edit mode and then :wq to write and quit - I'm no vi expert so don't quote me on this)
###########################################################################
# brocade.dct -- Brocade Dictionary
###########################################################################
@radius.dct
MACRO Brocade-VSA(t,s) 26 [vid=1588 type1=%t% len1=+2 data=%s%]
ATTRIBUTE Brocade-Auth-Role Brocade-VSA(1,string) r
ATTRIBUTE Brocade-AVPairs1 Brocade-VSA(2,string) r
ATTRIBUTE Brocade-AVPairs2 Brocade-VSA(3,string) r
ATTRIBUTE Brocade-AVPairs3 Brocade-VSA(4,string) r
ATTRIBUTE Brocade-AVPairs4 Brocade-VSA(5,string) r
###########################################################################
# brocade.dct -- Brocade Dictionary
###########################################################################
After editing the file I restarted the RSA Services by running:
sudo /sbin/service rsaauthmgr restart
(Be warned: this can take a little while to restart all the services - users may moan too if you don't tell them prior)
Now in the RSA console (Radius Profiles) I pass the following values in the following attributes.
Brocade-AVPairs1 = "HomeLF=128"
Brocade-AVPairs2 = "LFRoleList=admin;ChassisRole=admin"
Brocade-Auth-Role = "Admin"
I know this probably isn't the best way of passing the parameters at the moment, and they should be per user for true RBAC, but that's for another day (i.e. when I spend more time playing), and I didn't set it up this way!
After re-authenticating I now get the following response:
> userconfig --show
Account name: xxxxx
Description: RADIUS Account
Enabled: Yes
Password Last Change Date: Unknown (UTC)
Password Expiration Date: Not Applicable (UTC)
Locked: No
Home LF Role: admin
Role-LF List: admin: 128
Chassis Role: admin
Home LF: 128
That's 1 more thing ticked off a long list!
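As an added example (not part of the original post, nor RSA or Brocade code), this Python sketch packs the three profile values the way the Brocade-VSA macro in brocade.dct lays them out (attribute 26, vendor ID 1588, sub-type, data length plus two), parses them back, and reports which of HomeLF, LFRoleList and ChassisRole a profile fails to supply. The function names are made up here, and treating a ';'-separated segment with no '=' as part of the previous key is an assumption.

```python
import struct

VSA_TYPE, BROCADE_VID = 26, 1588  # Vendor-Specific (RFC 2865); vid=1588 from brocade.dct
NAMES = {1: "Brocade-Auth-Role", 2: "Brocade-AVPairs1", 3: "Brocade-AVPairs2",
         4: "Brocade-AVPairs3", 5: "Brocade-AVPairs4"}  # sub-types from brocade.dct

def encode_vsa(subtype, value):
    data = value.encode("ascii")
    # Macro layout after "26, len": vid, type1, len1 (data length + 2), data
    body = struct.pack("!IBB", BROCADE_VID, subtype, len(data) + 2) + data
    if len(body) + 2 > 255:
        raise ValueError("value too long for a single RADIUS attribute")
    return struct.pack("!BB", VSA_TYPE, len(body) + 2) + body

def decode_brocade(buf):
    """Walk a RADIUS attribute list and return {name: value} for Brocade VSAs."""
    found, pos = {}, 0
    while pos < len(buf):
        alen = buf[pos + 1] if pos + 1 < len(buf) else 0
        if alen < 2 or pos + alen > len(buf):
            raise ValueError("malformed attribute at offset %d" % pos)
        atype, body = buf[pos], buf[pos + 2:pos + alen]
        pos += alen
        if atype != VSA_TYPE or len(body) < 6 or int.from_bytes(body[:4], "big") != BROCADE_VID:
            continue  # not a Brocade vendor-specific attribute
        subtype, sublen = body[4], body[5]
        if sublen < 2 or 4 + sublen > len(body):
            raise ValueError("bad sub-attribute length")
        found[NAMES.get(subtype, "unknown-%d" % subtype)] = body[6:4 + sublen].decode("ascii")
    return found

def settings_from(attrs):
    """Merge the key=value pairs carried in every Brocade-AVPairsN string."""
    settings, last = {}, None
    for name in sorted(n for n in attrs if n.startswith("Brocade-AVPairs")):
        for part in attrs[name].split(";"):
            key, eq, val = part.partition("=")
            if eq:
                last = key.strip()
                settings[last] = val.strip()
            elif last and part.strip():  # assumption: no '=' continues the previous key
                settings[last] += ";" + part.strip()
    return settings

def missing_keys(settings):
    return [k for k in ("HomeLF", "LFRoleList", "ChassisRole") if k not in settings]

# Constructed sample: the three return-list values from the profile in the post
PROFILE = b"".join(encode_vsa(t, v) for t, v in [
    (2, "HomeLF=128"), (3, "LFRoleList=admin;ChassisRole=admin"), (1, "Admin")])
```

Calling missing_keys(settings_from(decode_brocade(PROFILE))) returns an empty list for the profile above; a profile that returns a role the user should not hold shows up in the same settings dictionary, which makes it a quick way to review what each RADIUS profile actually grants.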