One fine late afternoon, I was attempting to configure RADIUS authentication on a Brocade SAN switch within a web browser GUI rather than a command-line interface (CLI) with PuTTY. To my shock and horror, I saved the settings before I realized that I had not configured the switch to fall back to local authentication in the event that the RADIUS server was unavailable. If you’re here today with the Caged Rat because you’ve done exactly the same rookie move, I’ll take a shot at the possibility of your initial response to the self-imposed lockout being something like “OH SHIZNET!!!” or “SON OF A BEACH!” (only more witty and colorful, of course). Let’s just say that I have never felt so much like a caged rat until that moment (well, except for the other time that I locked myself out of a vCenter virtual machine, but I’ll save that one for another day…).
STEP #1 — TAKE A DEEP BREATH — YOU ARE ABOUT TO JUMP INTO THE WHEEL WITH THE CAGED RAT AND SPIN AGAIN!!! The following procedure will help you to gain access to a Brocade switch after an improper configuration of RADIUS or LDAP.
Restore Switch Access Procedure
WARNING: THIS PROCEDURE IS DISRUPTIVE AND REQUIRES A MAINTENANCE WINDOW TO COMPLETE IT.
- Connect to the serial console port
- Capture all console output produced during this procedure in case something does not proceed as planned
- Reboot switch
- Press ESC during reboot when prompted
- Choose Option 3
- Enter the command: printenv
- Enter the command: setenv OSLoadOptions "single"
- Enter the command: boot
- Once the CP boots into single user mode, enter the command to mount the root partition as read/write: mount -o remount,rw,noatime /
- Enter the command to mount the secondary partition: mount /dev/hda1 /mnt (choose the 2nd parameter shown for OSRootPartition from the printenv output)
- Run the following commands (the first three fix the running root partition, the last three fix the secondary partition mounted at /mnt):
  - cp /etc/pam.d/login.noradius /etc/pam.d/ttylogin
  - cp /etc/pam.d/login.noradius /etc/pam.d/netlogin
  - cp /etc/pam.d/sshd.noradius /etc/pam.d/sshd
  - cp /etc/pam.d/login.noradius /mnt/etc/pam.d/ttylogin
  - cp /etc/pam.d/login.noradius /mnt/etc/pam.d/netlogin
  - cp /etc/pam.d/sshd.noradius /mnt/etc/pam.d/sshd
- Reboot the switch with the following command: reboot -f
- Test connection to the switch.
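The six copy steps above, wrapped in a small POSIX shell function as an added example (this is not from the original post or from Brocade): it refuses to run if the .noradius templates are missing, keeps a timestamped copy of every file it overwrites so the change can be reverted, and verifies each copy with cmp before moving on. The root and secondary partition paths are parameters (the post uses / and /mnt); the file names are exactly the ones in the steps above.

```sh
#!/bin/sh
# restore_local_pam ROOT ALT
#   ROOT: running root partition (the post uses /)
#   ALT:  secondary partition already mounted read/write (the post uses /mnt);
#         pass "" to skip it.
# Returns 0 only if every copy was made and verified.
restore_local_pam() {
    root="${1:-/}"; root="${root%/}"      # strip trailing slash so "/" becomes ""
    alt="${2-/mnt}"; alt="${alt%/}"
    stamp="$(date +%Y%m%d%H%M%S)"
    src_login="$root/etc/pam.d/login.noradius"
    src_sshd="$root/etc/pam.d/sshd.noradius"

    # The whole procedure depends on the vendor-shipped templates; stop if absent.
    if [ ! -f "$src_login" ] || [ ! -f "$src_sshd" ]; then
        echo "missing .noradius template under $root/etc/pam.d" >&2
        return 1
    fi

    for base in "$root" "$alt"; do
        # Skip a partition that was not given or has no pam.d directory.
        if [ -z "$base" ] && [ "$base" != "$root" ]; then continue; fi
        [ -d "$base/etc/pam.d" ] || continue
        # template:target pairs, same mapping as the post's cp commands
        for pair in login.noradius:ttylogin login.noradius:netlogin sshd.noradius:sshd; do
            src="$root/etc/pam.d/${pair%%:*}"
            dst="$base/etc/pam.d/${pair#*:}"
            # Preserve the RADIUS-era file so the change can be undone later.
            if [ -f "$dst" ]; then cp "$dst" "$dst.$stamp.bak" || return 1; fi
            cp "$src" "$dst" || return 1
            # Never trust a copy on a recovery console: confirm it byte for byte.
            cmp -s "$src" "$dst" || { echo "verify failed: $dst" >&2; return 1; }
        done
    done
    return 0
}
```

The check against the templates and the cmp step are the two additions worth keeping even if you type the cp commands by hand.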
If you were careful to follow each step of the procedure, you should be leaping and jumping for joy at this point in time. In the future, I highly recommend using a PuTTY session rather than a web browser GUI so that you can issue the "aaaconfig" command with the "-nologout" option. This "-nologout" option will keep your existing PuTTY session alive and your user account logged onto the switch so that you’ll be able to make any additional changes. Moreover, I highly recommend opening another PuTTY session to test and see if your changes have been correctly implemented. If your changes were not correctly implemented, you will still have your original active login session as your way back into the switch.
Configure local authentication as backup
It is CRITICAL to enable local authentication so that the switch can take over authentication locally if the RADIUS or LDAP servers fail to respond because of a power outage or network problems.
Example for RADIUS: switch:admin> aaaconfig --authspec "radius;local" --backup
Example for LDAP: switch:admin> aaaconfig --authspec "ldap;local" --backup
When local authentication is enabled and the RADIUS or LDAP servers fail to respond, you can log in to the default switch accounts (admin and user) or any user-defined account. You must know the passwords of these accounts. When the command succeeds, the event log indicates that local database authentication is disabled or enabled.
Password recovery using root account
If you have access to the root account, you can reset the passwords on the switch to default. This feature is available for all currently supported versions of the Fabric OS.
To reset any account password from the root account, follow these steps:
- Open a CLI session (serial or telnet for an unsecured system and sectelnet for a secure system) to the switch.
- Log in as root.
- Enter the passwddefault command: switch:root> passwddefault
- Follow the prompts to reset the password for the selected account.
Example command results:
switch:root> passwddefault
All account passwords have been successfully set to factory default.
Once the passwords have been reset, log into the switch as admin, and change your default passwords. Make sure to keep a hardcopy of your switch passwords in a secure location.
Brocade Default Passwords
- Username: factory, Password: shuntang (older switches) or password (newer switches)
- Username: root, Password: fibranne
- Username: admin, Password: password
- Username: user, Password: password