Setting up Brocade Switches to do TACACS+ authentication with Cisco ACS

This was a fun one. I had some issues with getting my Brocade switches to continue doing RADIUS auth with my Cisco ACS, so I switched to TACACS+ for them. Had a few issues, but was able to piece this configuration together and have it work correctly.

First, set up your servers on the Brocade side. I find it easiest to work on the command line and define everything that is needed.

aaaconfig --add (first ip) -conf tacacs+ -p 49 -s (secret) -t 5 -a pap
aaaconfig --add (second ip) -conf tacacs+ -p 49 -s (secret) -t 5 -a pap
aaaconfig --authspec tacacs+

The important thing to note here is to use PAP for authentication if you are doing this against Active Directory. AD will not support CHAP, which is the default on the Brocade switches.
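Why the PAP setting matters, as an added example that is not from the original post: CHAP makes the AAA server recompute MD5(identifier || password || challenge) per RFC 1994, which requires the cleartext password, while PAP hands the server the password to check. `HashOnlyDirectory`, the account name, the password and the hash scheme are constructed stand-ins, not ACS or AD code.

```python
import hashlib
import hmac
import os

SALT = b"constructed-salt"  # constructed value for this example

def one_way(password):
    # Stand-in one-way hash (assumption: not the scheme AD actually uses).
    return hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, 10_000)

class HashOnlyDirectory:
    """Hypothetical backend that can check a password but never return it."""

    def __init__(self, users):
        self._hashes = {u: one_way(p) for u, p in users.items()}

    def check_password(self, user, password):
        stored = self._hashes.get(user)
        return stored is not None and hmac.compare_digest(stored, one_way(password))

def chap_response(ident, password, challenge):
    # RFC 1994: response = MD5(identifier || secret || challenge)
    return hashlib.md5(bytes([ident]) + password.encode() + challenge).digest()

def verify_pap(directory, user, password):
    # PAP: the server receives the password itself and can pass it to the directory.
    return directory.check_password(user, password)

def verify_chap(cleartext_store, user, ident, challenge, response):
    # CHAP: the server must recompute the MD5, so it needs the cleartext password.
    # Returns None when the backend has no cleartext to compute with.
    password = cleartext_store.get(user)
    if password is None:
        return None
    return hmac.compare_digest(chap_response(ident, password, challenge), response)

def demo():
    user, pw = "netadmin", "Constructed-Pass-1"  # constructed sample account
    directory = HashOnlyDirectory({user: pw})
    challenge = os.urandom(16)
    resp = chap_response(1, pw, challenge)  # what the switch would send for CHAP
    return {
        "pap_good": verify_pap(directory, user, pw),
        "pap_bad": verify_pap(directory, user, "wrong"),
        "chap_hash_only": verify_chap({}, user, 1, challenge, resp),
        "chap_cleartext": verify_chap({user: pw}, user, 1, challenge, resp),
    }
```

With PAP the password travels to ACS inside the TACACS+ packet body, so its protection on the wire rests on the shared secret set with -s.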

Once that is set up, you now have no access into your Brocade devices, because they are doing TACACS+ authentication and you haven’t defined them on the ACS server yet. Let's take care of that part.

Log into ACS:

Navigate to Device Administration/Shell Profiles and create a new one; I called mine BROCADE-TAC. Once created, click on “Custom Attributes” and put in the following:

[screenshot: shell profile]

This will ensure that when you log in, you will log in as an admin on the switch.

Once this is done, go to your Access Policies/Device Admin, or whatever you have called the policy that does your TACACS+ rule authentication. Create a new line in there and then choose your Active Directory login/groups.

[screenshot: auth policy]

Then under Shell Profile, choose the one that you created before. Now, depending on your environment, you may want to define a specific command set. In my case I am just using Permit All, but you can create different sets for different users depending on what you are trying to limit and who has access to your device. So if you had operators, you could permit the show commands, or some limited feature set for a junior admin. I only have a few people that log in and they all needed to be full admins, so this was the best choice for me. Mainly we wanted to make sure that we had auditing turned on and would know when someone was logged in making changes to the devices.

 

 
