Send documentation comments to mdsfeedback-doc@cisco.com.
27-7
Cisco MDS 9000 Family Fabric Manager Configuration Guide
OL-6965-03, Cisco MDS SAN-OS Release 2.x
Chapter 27 RADIUS and TACACS+
Configuring RADIUS
Setting the Global Preshared Key
You need to configure the RADIUS preshared key to authenticate the switch to the RADIUS server. The
length of the key is restricted to 64 characters and can include any printable ASCII characters (white
spaces are not allowed). You can configure a global key to be used for all RADIUS server configurations
on the switch.
You can override this global key assignment by explicitly using the key option when you create a new
server.
To set the global preshared key, follow these steps:
Step 1 Choose Switches > Security > AAA in Fabric Manager or choose Security > AAA in Device Manager.
Step 2 Choose the Defaults tab. You see the RADIUS and TACACS+ default settings.
Step 3 Select whether the shared key is plain or encrypted in the KeyType field and set the key in the Key field.
Step 4 Set the timeout and retry values for authentication attempts.
Step 5 Click Apply Changes in Fabric Manager or Apply in Device Manager to save the global preshared key,
or click Close to discard any unsaved changes.
Defining Vendor-Specific Attributes
The Internet Engineering Task Force (IETF) draft standard specifies a method for communicating
vendor-specific attributes (VSAs) between the network access server and the RADIUS server. The IETF
uses attribute 26. VSAs allow vendors to support their own extended attributes that are not suitable for
general use. The Cisco RADIUS implementation supports one vendor-specific option using the format
recommended in the specification. The Cisco vendor ID is 9, and the supported option is vendor type 1,
which is named cisco-avpair. The value is a string with the following format:
protocol : attribute sep value *
Where protocol is a Cisco attribute for a particular type of authorization, and sep is = for mandatory
attributes and * for optional attributes.
When you use RADIUS servers to authenticate yourself to a Cisco MDS 9000 Family switch, the
RADIUS protocol directs the RADIUS server to return user attributes, like authorization information,
along with authentication results. This authorization information is specified through VSAs.
VSA Format
The following VSA protocol options are supported:
Shell protocol—used in access-accept packets to provide user profile information.
Accounting protocol—used in accounting-request packets. If a value contains any white spaces, it
should be put within double quotation marks.
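To make the cisco-avpair format and its transport concrete, here is an added example (not the guide's or Cisco's code) that parses and formats the protocol:attribute sep value string, honouring the = versus * separator and the double-quote rule for values with white space, and then wraps the string in an attribute 26 TLV with vendor ID 9 and vendor type 1 exactly as RFC 2865 section 5.26 lays it out. The attribute list it walks, and the shell:roles pairs in it, are constructed sample data for the illustration.

```python
import re

VENDOR_SPECIFIC = 26    # IETF attribute type for Vendor-Specific
CISCO_VENDOR_ID = 9     # Cisco's vendor ID, as the guide states
CISCO_AVPAIR_TYPE = 1   # vendor type 1 is cisco-avpair

_AVPAIR = re.compile(r"\s*([\w-]+)\s*:\s*([\w-]+)\s*([=*])\s*(.*)$", re.S)


def parse_cisco_avpair(text: str) -> dict:
    """Split 'protocol:attribute=value' (mandatory) or 'protocol:attribute*value' (optional).
    A value containing white space must be double-quoted; the quotes are stripped here."""
    m = _AVPAIR.fullmatch(text)
    if not m:
        raise ValueError("not a cisco-avpair: %r" % text)
    protocol, attribute, sep, value = m.groups()
    value = value.strip()
    if len(value) >= 2 and value[0] == value[-1] == '"':
        value = value[1:-1]
    elif any(ch.isspace() for ch in value):
        raise ValueError("unquoted value contains white space: %r" % value)
    return {"protocol": protocol, "attribute": attribute,
            "mandatory": sep == "=", "value": value}


def format_cisco_avpair(protocol: str, attribute: str, value: str, mandatory: bool = True) -> str:
    """Build the string form, quoting the value when it contains white space."""
    sep = "=" if mandatory else "*"
    if any(ch.isspace() for ch in value):
        value = '"' + value + '"'
    return "%s:%s%s%s" % (protocol, attribute, sep, value)


def encode_vsa(avpair: str) -> bytes:
    """Wrap one cisco-avpair in attribute 26: Type, Length, Vendor-Id (4 bytes),
    then Vendor-Type, Vendor-Length, String."""
    data = avpair.encode("ascii")
    vendor_part = bytes([CISCO_AVPAIR_TYPE, 2 + len(data)]) + data
    total = 6 + len(vendor_part)
    if total > 255:
        raise ValueError("cisco-avpair too long for a single attribute")
    return bytes([VENDOR_SPECIFIC, total]) + CISCO_VENDOR_ID.to_bytes(4, "big") + vendor_part


def cisco_avpairs(attrs: bytes) -> list:
    """Walk a RADIUS attribute list and return the parsed cisco-avpairs, skipping other
    attributes and other vendors' VSAs. A malformed TLV aborts the walk instead of being guessed at."""
    found, pos = [], 0
    while pos + 2 <= len(attrs):
        atype, alen = attrs[pos], attrs[pos + 1]
        if alen < 2 or pos + alen > len(attrs):
            raise ValueError("malformed attribute at offset %d" % pos)
        body = attrs[pos + 2:pos + alen]
        pos += alen
        if atype != VENDOR_SPECIFIC or len(body) < 6:
            continue
        if int.from_bytes(body[:4], "big") != CISCO_VENDOR_ID:
            continue
        vtype, vlen = body[4], body[5]
        if vtype != CISCO_AVPAIR_TYPE or vlen != len(body) - 4:
            continue
        found.append(parse_cisco_avpair(body[6:].decode("ascii")))
    return found


if __name__ == "__main__":
    # Constructed sample attribute list: a Reply-Message (type 18) followed by two cisco-avpairs.
    attrs = bytes([18, 4]) + b"ok"
    attrs += encode_vsa(format_cisco_avpair("shell", "roles", "network-admin vsan-admin"))
    attrs += encode_vsa(format_cisco_avpair("shell", "roles", "network-operator", mandatory=False))
    for pair in cisco_avpairs(attrs):
        print(pair)
```

Note that the parser rejects an unquoted value with embedded white space rather than silently splitting it; on the server side that is the case the quotation rule above exists to prevent.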