Frequent Contributor I

Brocade AVP pair not being returned by CPPM



Does anybody have any experience with Brocade NOS switches authenticating and authorising using Clearpass? We are attempting to do this but are struggling with the authorisation. We are using TACACS for this. We see the Brocade switch send both service=shell and brcd-role*, but despite being configured to return priv-lvl 15 and the brcd-role 'admin', the latter does not get returned, only the 'priv-lvl 15'. As the 'admin' role is not returned, the default 'user' role is assumed and the user cannot edit the switch configuration.


Just wondering if anybody else has experienced this and if they managed to get this working?



Frequent Contributor I

Re: Brocade AVP pair not being returned by CPPM

I found out that the asterisk (*) sent with the brcd-role indicates that this is an 'optional' parameter that Clearpass doesn't need to respond to. However, we have defined 'brcd-role' as a valid attribute with a configured string 'admin', and Clearpass is still not sending this back to the switch. It is only sending back the priv-lvl 15?

New Contributor

Re: Brocade AVP pair not being returned by CPPM

To anyone else that's banging their head against the wall with this issue, I think I finally found a way to make it work in ClearPass. You have to update the TACACS+ Services Dictionary. For the existing "Shell" service, you need to add a service attribute "brcd-role" and name it "brcd-role". The data type needs to be a string. Import the updated TACACS+ dictionary, and when you go to configure your enforcement policy and use the "Shell" service attribute type, you will see the "brcd-role" name is now available. Select the new name and then you can supply either of the built-in roles (admin or user). You could also use a custom role in theory if you have one configured on the device.
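The two replies above turn on one detail of the TACACS+ authorization exchange: in an argument, `name=value` is mandatory and `name*value` is optional (RFC 8907, section 6.1), so the switch sending `brcd-role*` is asking for a role without requiring the server to answer, and an answer that only carries `priv-lvl=15` leaves the switch on its default `user` role. The following is an added example written for this thread, not code from ClearPass, Brocade or Aruba. It parses the argument separators, models a hypothetical per-user authorization policy (the `POLICY` table, usernames and role values are constructed for the demo) that returns both `priv-lvl` and `brcd-role`, and shows which role the switch ends up applying in the before-fix and after-fix cases.

```python
"""Added example: TACACS+ authorization AV-pair semantics (RFC 8907 s.6.1).
Not the original poster's code and not part of any vendor product.
'name=value' is a mandatory argument, 'name*value' is optional."""
from __future__ import annotations
from dataclasses import dataclass

# TAC_PLUS_AUTHOR_STATUS values from RFC 8907 (only the two used here)
PASS_ADD = 0x01  # request args authorized; reply args are added to them
FAIL = 0x10      # authorization denied


@dataclass(frozen=True)
class AvPair:
    name: str
    value: str
    mandatory: bool  # True for '=', False for '*'

    def encode(self) -> str:
        """Wire form of the argument: separator encodes mandatory/optional."""
        return f"{self.name}{'=' if self.mandatory else '*'}{self.value}"


def parse_avpair(raw: str) -> AvPair:
    """Split at the FIRST '=' or '*'; that separator decides the flag.
    'brcd-role*' therefore parses as optional with an empty value."""
    for i, ch in enumerate(raw):
        if ch in "=*":
            return AvPair(raw[:i], raw[i + 1:], ch == "=")
    raise ValueError(f"no separator in TACACS+ argument {raw!r}")


# Hypothetical policy standing in for a ClearPass enforcement profile that
# has both attributes available for the Shell service (constructed data).
POLICY: dict[str, list[tuple[str, str, bool]]] = {
    "netadmin": [("priv-lvl", "15", True), ("brcd-role", "admin", True)],
    "helpdesk": [("priv-lvl", "1", True), ("brcd-role", "user", True)],
}


def authorize(user: str, request_args: list[str]) -> tuple[int, list[AvPair]]:
    """Server side: evaluate a shell authorization request for `user`.
    Returns (status, reply_args). Unknown users and non-shell requests fail."""
    req = [parse_avpair(a) for a in request_args]
    if not any(p.name == "service" and p.value == "shell" for p in req):
        return FAIL, []
    rules = POLICY.get(user)
    if rules is None:
        return FAIL, []
    return PASS_ADD, [AvPair(n, v, m) for n, v, m in rules]


def effective_role(reply_args: list[AvPair], default_role: str = "user") -> str:
    """Switch side, as described in the thread: apply the brcd-role the server
    returned, otherwise fall back to the default 'user' role."""
    for p in reply_args:
        if p.name == "brcd-role" and p.value:
            return p.value
    return default_role


if __name__ == "__main__":
    request = ["service=shell", "brcd-role*"]  # what the Brocade switch sends
    # Before the dictionary fix: server answers with priv-lvl only
    before = [parse_avpair("priv-lvl=15")]
    print("before fix ->", effective_role(before))   # user
    # After the fix: server returns both attributes
    status, after = authorize("netadmin", request)
    print("status 0x%02x ->" % status, [p.encode() for p in after])
    print("after fix  ->", effective_role(after))    # admin
```

Note that the optional flag on `brcd-role*` only tells the server it may ignore the attribute; it does not change how the switch applies a returned `brcd-role=admin`. When testing the fix, confirm on the switch side that the reply actually contains `brcd-role=admin` rather than only checking that the priv-lvl is 15.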

