Brocade Switch – No Access After RADIUS Configuration


BrocadeOne fine late afternoon, I was attempting to configure RADIUS authentication on a Brocade SAN switch within a web browser GUI rather than a command-line interface (CLI) with PuTTY.  To my shock and horror, I saved the settings before I realized that I did not configure the switch to fallback to local authentication in the event that the RADIUS server was unavailable.  If you’re here today with the Caged Rat because you’ve done exactly the same rookie move, I’ll take a shot at the possibility of your initial response to the self-imposed lockout as being something like “OH SHIZNET!!!” or “SON OF A BEACH!” (only more witty and colorful, of course).  Let’s just say that I have never felt so much like a caged rat until that moment (well, except for the other time that I locked myself out of a vCenter virtual machine, but I’ll save that one for another day…).


STEP #1 — TAKE A DEEP BREATH — YOU ARE ABOUT TO JUMP INTO THE WHEEL WITH THE CAGED RAT AND SPIN AGAIN!!!   The following procedure will help you to gain access to a Brocade switch after an improper configuration of RADIUS or LDAP.


Restore Switch Access Procedure

WARNING:  THIS PROCEDURE IS DISRUPTIVE AND REQUIRES A MAINTENANCE WINDOW TO COMPLETE IT.
  1. Connect to the serial console port
  2. Capture all console output produced during this procedure in case something does not proceed as planned
  3. Reboot switch
  4. Press ESC during reboot when prompted
  5. Choose Option 3
  6. Enter the command:  printenv
  7. Enter the command:  setenv OSLoadOptions “single”
  8. Enter the command:  boot
  9. Once the CP boots into single user mode, enter the command to mount the root partion as read/write:  mount -o remount,rw,noatime /
  10. Enter the command to mount the secondary partition: mount /dev/hda1 /mnt (choose the 2nd parameter shown for OSRootPartition from the printenv output)
  11. Run the following commands:
    1. cp /etc/pam.d/login.noradius /etc/pam.d/ttylogin
    2. cp /etc/pam.d/login.noradius /etc/pam.d/netlogin
    3. cp /etc/pam.d/sshd.noradius /etc/pam.d/sshd
    4. cp /etc/pam.d/login.noradius /mnt/etc/pam.d/ttylogin
    5. cp /etc/pam.d/login.noradius /mnt/etc/pam.d/netlogin
    6. cp /etc/pam.d/sshd.noradius /mnt/etc/pam.d/sshd
    7. /sbin/passwddefault
  12. Reboot the switch with the following command:  reboot -f
  13. Test connection to the switch.

If you were careful to follow each step of the procedure, you should be leaping and jumping for joy at this point-in-time.  In the future, I highly recommend using a PuTTY session rather than a web browser GUI so that you can issue the “aaaconfig” command with the “-nologout” option.  This “-nologout” option will keep your existing PuTTY session alive and your user account logged onto the switch so that you’ll be able to make any additional changes.  Moreover, I highly recommend opening another PuTTY session to test and see if your changes have been correctly implemented.  If your changes were not correctly implemented, you will still have your original active login session as your way back into the switch.


Configure local authentication as backup

Reference:  Fabric OS – Administrator’s Guide – Supporting Fabric OS v7.0.0
Reference:  Fabric OS – Administrator’s Guide – Supporting Fabric OS v6.4

It is CRITICAL to enable local authentication so that the switch can take over authentication locally if the RADIUS or LDAP servers fail to respond because of a power outage or network problems.

Example for RADIUS:
switch:admin> aaaconfig --authspec "radius;local" --backup
Example for LDAP:
switch:admin> aaaconfig --authspec "ldap;local" --backup

When local authentication is enabled and the RADIUS or LDAP servers fail to respond, you can log in to the default switch accounts (admin and user) or any user-defined account.  You must know the passwords of these accounts. When the command succeeds, the event log indicates that local database authentication is disabled or enabled.


Brocade Fabric OS Admin Guide


Password recovery using root account

Reference:  Fabric OS – Password Recovery Notes – Supporting Fabric OS v6.x, v5.x, v4.x, v3.x, v2.6.x

If you have access to the root account, you can reset the passwords on the switch to default.  This feature is available for all currently supported versions of the Fabric OS.

To reset any account password from the root account, follow these steps:

  1. Open a CLI session (serial or telnet for an unsecured system and sectelnet for a secure system) to the switch.
  2. Log in as root.
  3. Enter the passwddefault command:  switch:root> passwddefault
  4. Follow the prompts to reset the password for the selected account.
Example command results:  switch:root> passwddefault
All account passwords have been successfully set to factory default.

Once the passwords have been reset, log into the switch as admin, and change your default passwords.  Make sure to keep a hardcopy of your switch passwords in a secure location.


Brocade Default Passwords

Username:  factory
Password:  shuntang (older switches)
Password:  password (newer switches)

Username:  root
Password:  fibranne

Username:  admin
Password:  password

Username:  user
Password:  password

 


Facebook Comments