Friday 17 December 2010

Brocade Radius Authentication with RSA Appliances

I've been banging my head against a brick wall with this one for a few hours now. RSA authentication was working OK on the existing 48k Directors but not on a new pair of 5100s that I took the opportunity to upgrade to FabOS 6.3.


Running a command such as ipaddrshow results in an error saying "Invalid Chassis Role".

Running userconfig --show returns the following:

> userconfig --show
Account name: xxxxx
Description: RADIUS Account
Enabled: Yes
Password Last Change Date: Unknown (UTC)
Password Expiration Date: Not Applicable (UTC)
Locked: No
Home LF Role: admin
Role-LF List: admin: 128
No chassis permission
Home LF: 128

The key bit here is "No chassis permission." - but we knew that!

A quick Google returned one result suggesting the following attributes need setting:

HomeLF
LFRoleList
ChassisRole

Well, after a lot of pissing about with the brocade.dct file we had created on the SecurID appliance, I realised that what I actually need to do is pass these values across in the AVPair1 - 5 attributes.

So I have amended the /usr/local/RSASecurity/RSAAuthenticationManager/radius/brocade.dct file to read as follows:

(I just edited this using vi - press i for insert mode, edit the file, then press Esc to leave insert mode and :wq to write and quit. I'm no vi expert so don't quote me on this.)
###########################################################################
# brocade.dct -- Brocade Dictionary
###########################################################################
# Pull in the standard RADIUS attribute definitions first
@radius.dct

# Vendor-Specific Attribute (RADIUS type 26) wrapper: vid=1588 is Brocade's
# vendor ID, type1 is the vendor-specific attribute number and len1=+2 adds
# the two vendor type/length header bytes to the data length
MACRO Brocade-VSA(t,s) 26 [vid=1588 type1=%t% len1=+2 data=%s%]

# Vendor types 1..5; the trailing 'r' flag marks each attribute as usable in
# the return list (sent back to the switch in the Access-Accept)
ATTRIBUTE Brocade-Auth-Role Brocade-VSA(1,string) r
ATTRIBUTE Brocade-AVPairs1 Brocade-VSA(2,string) r
ATTRIBUTE Brocade-AVPairs2 Brocade-VSA(3,string) r
ATTRIBUTE Brocade-AVPairs3 Brocade-VSA(4,string) r
ATTRIBUTE Brocade-AVPairs4 Brocade-VSA(5,string) r
###########################################################################
# brocade.dct -- Brocade Dictionary
###########################################################################


After editing the file I restarted the RSA services by running:

sudo /sbin/service rsaauthmgr restart


(Be warned, this can take a little while to restart all the services, and users may moan if you don't tell them beforehand.)

Now in the RSA console (RADIUS Profiles) I pass the following values in the following attributes:


Brocade-AVPairs1 = "HomeLF=128"
Brocade-AVPairs2 = "LFRoleList=admin;ChassisRole=admin"
Brocade-Auth-Role = "Admin"
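To make the dictionary and the profile above concrete, here is an added example (not code from the original post or from Brocade/RSA) that encodes the three profile values exactly as the brocade.dct MACRO lays them out on the wire (RADIUS attribute 26, vendor ID 1588, vendor type, vendor length = data + 2), decodes them back, and folds the AVPairs strings into the HomeLF/LFRoleList/ChassisRole map the switch needs. The encoder and decoder follow the RADIUS VSA format; the pair-merging rule (key=value pairs separated by ';', split across AVPairs1..4 however you like) is an assumption based on how the two AVPairs are used in this post, and the "chassis permission" check is a mirror of the symptom above, not the switch's real code.

```python
import struct

BROCADE_VENDOR_ID = 1588   # vid=1588 in the brocade.dct MACRO
VENDOR_SPECIFIC = 26       # RADIUS attribute type that carries every VSA

# Vendor type numbers straight from the dictionary above
VSA_TYPES = {
    "Brocade-Auth-Role": 1,
    "Brocade-AVPairs1": 2,
    "Brocade-AVPairs2": 3,
    "Brocade-AVPairs3": 4,
    "Brocade-AVPairs4": 5,
}
VSA_NAMES = {v: k for k, v in VSA_TYPES.items()}


def encode_vsa(name, value):
    """Encode one Brocade VSA as the MACRO describes it: attr type 26, attr length,
    4-byte big-endian vendor id, 1-byte vendor type, 1-byte vendor length
    (= 2 + len(data), the 'len1=+2' in the macro), then the string data."""
    data = value.encode("ascii")
    vendor_part = struct.pack("!BB", VSA_TYPES[name], 2 + len(data)) + data
    body = struct.pack("!I", BROCADE_VENDOR_ID) + vendor_part
    if 2 + len(body) > 255:
        raise ValueError("RADIUS attribute too long for a single VSA")
    return struct.pack("!BB", VENDOR_SPECIFIC, 2 + len(body)) + body


def decode_vsas(blob):
    """Walk a run of RADIUS attributes and return [(name, value)] for every
    well-formed Brocade VSA, skipping other attributes and foreign vendor IDs."""
    out = []
    i = 0
    while i + 2 <= len(blob):
        atype, alen = blob[i], blob[i + 1]
        if alen < 2 or i + alen > len(blob):
            raise ValueError("malformed attribute at offset %d" % i)
        if atype == VENDOR_SPECIFIC and alen >= 8:
            vid = struct.unpack("!I", blob[i + 2:i + 6])[0]
            vtype, vlen = blob[i + 6], blob[i + 7]
            if vid == BROCADE_VENDOR_ID and vlen == alen - 6 and vtype in VSA_NAMES:
                out.append((VSA_NAMES[vtype], blob[i + 8:i + alen].decode("ascii")))
        i += alen
    return out


def brocade_permissions(vsas):
    """Merge the AVPairs strings into one key/value map (assumed rule: 'key=value'
    pairs separated by ';', which may be spread over AVPairs1..4 in any way, so
    HomeLF in AVPairs1 and LFRoleList/ChassisRole in AVPairs2 both land here)."""
    perms = {}
    for name, value in vsas:
        if name == "Brocade-Auth-Role":
            perms["AuthRole"] = value
            continue
        for pair in value.split(";"):
            if "=" in pair:
                key, val = pair.split("=", 1)
                perms[key.strip()] = val.strip()
    return perms


def chassis_permission_ok(perms):
    """Mirror of the symptom in the post: no ChassisRole means 'No chassis permission'."""
    return bool(perms.get("ChassisRole"))


# Constructed sample: the three profile values above as they would appear in an Access-Accept
ACCEPT_ATTRS = (
    encode_vsa("Brocade-AVPairs1", "HomeLF=128")
    + encode_vsa("Brocade-AVPairs2", "LFRoleList=admin;ChassisRole=admin")
    + encode_vsa("Brocade-Auth-Role", "Admin")
)

if __name__ == "__main__":
    decoded = decode_vsas(ACCEPT_ATTRS)
    print(ACCEPT_ATTRS.hex())
    print(decoded)
    perms = brocade_permissions(decoded)
    print(perms, "chassis permission ok:", chassis_permission_ok(perms))
```

Comparing the hex this prints against a packet capture of the Access-Accept is the quickest way to tell whether the RSA server is actually emitting the VSAs with vendor ID 1588 or silently dropping them because the dictionary was not loaded.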

I know this probably isn't the best way of passing the parameters at the moment, and they should be per user for true RBAC, but that's for another day (i.e. when I spend more time playing), and I didn't set it up this way!


After re-authenticating, I now get the following response:

> userconfig --show
Account name: xxxxx
Description: RADIUS Account
Enabled: Yes
Password Last Change Date: Unknown (UTC)
Password Expiration Date: Not Applicable (UTC)
Locked: No
Home LF Role: admin
Role-LF List: admin: 128
Chassis Role: admin
Home LF: 128

That's one more thing ticked off a long list!