Brocade vendor unknown when trying to set VSA using Reply Data


Steve MacDougall

Nov 22, 2013, 1:13:14 PM
to rcdevs-t...@googlegroups.com
I've configured Brocade-Auth-Role = "admin" in my Reply Data field. When I attempt to logon from my Brocade switch I get this in my capture:

Access Accept (2), id: 0xa8, Authenticator: dad97df4dd681ad73fe4fdd767a5de89
      Reply Attribute (18), length: 24, Value: Authentication success
        0x0000:  4175 7468 656e 7469 6361 7469 6f6e 2073
        0x0010:  7563 6365 7373
      Vendor Specific Attribute (26), length: 13, Value: Vendor: Unknown (1588)
        Vendor Attribute: 1, Length: 5, Value: admin

As you can see the authentication was a success, and the actual value of 'admin' was returned. But the vendor shows as unknown. On the Brocade side the connection is reset. Brocade is definitely in the libraries. I've tried setting other attributes like Cisco-AV-Pair, and these show up correctly in my capture, but of course the Cisco VSA isn't recognized by Brocade.
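The two reply attributes in that capture, decoded the way a RADIUS client has to decode them (an added example, not code from this thread or from RCDevs; the byte string is constructed from the hex shown above, and the small vendor tables are an assumed stand-in for the server's dictionary files):

```python
import struct

# Constructed from the capture above: Reply-Message (18) "Authentication success",
# then Vendor-Specific (26) carrying vendor-id 1588, vendor-type 1, value "admin".
SAMPLE_ATTRS = bytes.fromhex(
    "1218" "41757468656e7469636174696f6e2073756363657373"  # Reply-Message
    "1a0d" "00000634" "0107" "61646d696e"                    # VSA, vendor 1588
)

# Tiny stand-ins for dictionary.brocade / dictionary.cisco (assumed subset only).
VENDORS = {1588: "Brocade", 9: "Cisco"}
VSA_NAMES = {(1588, 1): "Brocade-Auth-Role", (9, 1): "Cisco-AVPair"}
ATTR_NAMES = {18: "Reply-Message", 25: "Class"}


def parse_attributes(data: bytes) -> list:
    """Walk RFC 2865 attribute TLVs; expand type 26 per the section 5.26 layout."""
    out, pos = [], 0
    while pos < len(data):
        atype, alen = data[pos], data[pos + 1] if pos + 1 < len(data) else 0
        if alen < 2 or pos + alen > len(data):
            raise ValueError(f"bad or truncated attribute {atype} (length {alen})")
        value = data[pos + 2:pos + alen]
        if atype == 26:
            if len(value) < 6:
                raise ValueError("VSA too short for vendor-id plus sub-header")
            vendor_id = struct.unpack("!I", value[:4])[0]
            vtype, vlen = value[4], value[5]
            # vendor-length covers vendor-type, vendor-length and the value itself
            if vlen != len(value) - 4:
                raise ValueError("VSA vendor-length disagrees with attribute length")
            out.append({
                "name": VSA_NAMES.get((vendor_id, vtype), f"Vendor-{vendor_id}-Attr-{vtype}"),
                "vendor": VENDORS.get(vendor_id, f"Unknown ({vendor_id})"),
                "vendor_id": vendor_id, "vendor_type": vtype,
                "value": value[6:4 + vlen].decode("ascii", "replace"),
            })
        else:
            out.append({"name": ATTR_NAMES.get(atype, f"Attr-{atype}"),
                        "type": atype, "value": value.decode("ascii", "replace")})
        pos += alen
    return out

def granted_role(data: bytes, vendor_id: int = 1588, vendor_type: int = 1):
    """Return the role string carried in the given VSA, or None if it is absent."""
    for a in parse_attributes(data):
        if a.get("vendor_id") == vendor_id and a.get("vendor_type") == vendor_type:
            return a["value"]
    return None
```

Run over those bytes the VSA is well-formed per RFC 2865 and decodes to Brocade-Auth-Role = "admin"; tcpdump's "Vendor: Unknown (1588)" only means tcpdump's own vendor table lacks that ID, not that the packet is malformed.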

Steve MacDougall

Dec 5, 2013, 3:54:10 PM
to rcdevs-t...@googlegroups.com
Still no luck setting Brocade-Auth-Role ="admin" using Reply Data.

I've tested a Cisco device with Service-Type="NAS-Prompt-User", Cisco-AVPair="shell:priv-lvl=15", and this works fine.

dictionary.brocade is included and appears to be correct. I've looked on Brocade's site and the Brocade-Auth-Role ="admin" attribute is correct:

Still, when I try and authenticate I get the tcpdump shown above. Something seems to be missing for Brocade in the RCDevs OpenOTP RADIUS Bridge, but I can't figure out what.

Any help is appreciated.

Administrators

Dec 6, 2013, 8:18:47 AM
to rcdevs-t...@googlegroups.com
We checked the Brocade-Auth-Role ="admin" on our test RADIUS system and everything seems to work.

Make a test: configure your user with loginMode LDAP only and the reply data : Brocade-Auth-Role="admin"
On your OTP server go to /opt/radiusd/bin and try with :
./radtest <your user> <your LDAP password> localhost testing123

You should get :
rad_recv: Access-Accept packet from host 127.0.0.1 port 1812, id=68, length=71
Reply-Message = "Authentification réussie"
Class = 0x4f553d5757572d4750
Brocade-Auth-Role = "admin"

And check that in /opt/radiusd/conf/opentop.conf you have:
data_is_vps = yes

Steve MacDougall

Dec 6, 2013, 12:28:13 PM
to rcdevs-t...@googlegroups.com
I tried the radtest as you suggested and it works exactly as described when I try it from the WebADM server. But it still doesn't work from the actual Brocade switch.

I noticed that the switch supports LDAP authentication as well, so I thought I'd try that instead, but I'm not having any more luck. I can set the LDAP host and basedn. I've set the host and a basedn that matches the WebADM domain on my system.

There is no iptables running. On the switch I get permission denied, but on the server I don't see any log of the event. My Wireshark trace is attached. It resets the connection immediately after the initial SYN packet, suggesting it's not even listening on the port. I've verified that it is actually listening.

Any ideas?
ldap.pcap

Administrators

Dec 8, 2013, 9:04:56 AM
to rcdevs-t...@googlegroups.com, st...@caledoncard.com
Everything sounds good on OpenOTP and RB side. It looks like the switch does not understand the Brocade-Auth-Role attribute.
You should ask the vendor if it's supported.