Has anyone configured a Brocade 6740/6740T for Active Directory authentication (LDAP or LDAPS)? The command to load the certificate doesnt seem to work. I sniff the port on my SCP/FTP server and I dont even see the switch generate a single packet when I run the command. I am wondering if it's because I am not using the MGMT interface and doing all my management over the VLAN.
Brocade Config
- Thread starter KenK73
- Start date
Notice: Page may contain affiliate links for which we may earn a small commission through services like Amazon Affiliates or Skimlinks.
Have you tried this guide?
www.storcom.com
LDAP(s) Configuration on Brocade switches - STORCOM Belgium
In this tutorial we will go through the steps that need to be followed in order to implement LDAP(s) Microsoft Active Directory on Brocade SAN switches.
Not sure about the specific hardware, but can you ping your DC from the switch kernel? Can you manually do an SCP to your DC? Telnet to 389/636? See if you can at least see a SYN packet cross the network and make it to your DC, with an ACK coming back. If your DC is on another subnet, try a traceroute. If it doesn't work, try from another device on the same segment as your in-band mgmt interface.
There might be some kind of switch ACL that's missing for the in-band management that would be there if using the OOB mgmt port. If so, it should show in a log file.
If your physical install is limiting your use of the mgmt port, you could try plugging a short cable from the mgmt port to another port on the same switch that's L2 in a VLAN that can act as the uplink for the OOB mgmt port. Usually the mgmt ports are device ports, and will not cause a switching loop when connected to another port. It may be necessary to remove your in-band interface if the default gateway is different on your mgmt port - THe switch kernel in general can only have one default gateway.
There might be some kind of switch ACL that's missing for the in-band management that would be there if using the OOB mgmt port. If so, it should show in a log file.
If your physical install is limiting your use of the mgmt port, you could try plugging a short cable from the mgmt port to another port on the same switch that's L2 in a VLAN that can act as the uplink for the OOB mgmt port. Usually the mgmt ports are device ports, and will not cause a switching loop when connected to another port. It may be necessary to remove your in-band interface if the default gateway is different on your mgmt port - THe switch kernel in general can only have one default gateway.
Currently the switch is configured for RADIUS auth, but Microsoft just pulled the plug on PEAP in their latest security patch, so Im looking for an alternate solution. I went back to PAP for now, but that's terrible. This setup is a pair of 6740's and a pair of 6740T-1G's in a VCS cluster. No issues reaching the switch VIP or direct to any of the switches from other subnets. Since AD doesnt run SCP, I have exported the PEM certs and put them on a linux box thats in the same subnet as the Brocade VIP/Mgmt interfaces. I ran tcpdump on the linux box, and when I execute the cert import command I dont see anything in tcpdump, the switch just throws an error about the import failed. The cluster is in logical chassis mode, which could make the MGMT port useless.
Hmm I see... If RADIUS is working, and it's a protocol compatibility/safety issue, another potential (but more complex) solution may be to add a FreeRADIUS server in-between to act as an intermediate RADIUS hop (proxy). Like this: config/Proxy
I believe this would let you proxy an inbound auth request out to another server using a different protocol.
But back to the original problem, is there no ARP at all? If the switch kernel is trying to contact something in its local subnet you should see an ARP broadcast from anywhere on that same subnet if that IP is not already in the ARP table (which you can check). If you don't see it, check the switch logs to see if an ACL is blocking it. It may treat ICMP differently from TCP/UDP - So you can ping stuff but other protocols are blocked.
Is the firewall disabled on your linux box? Can you ping the linux box from the switch mgmt interface, but other protocols don't work?
Maybe you can import the cert another way like creating a text file with the Base64 PEM data pasted-in from the console, which would at least get you to the next step.
I believe this would let you proxy an inbound auth request out to another server using a different protocol.
But back to the original problem, is there no ARP at all? If the switch kernel is trying to contact something in its local subnet you should see an ARP broadcast from anywhere on that same subnet if that IP is not already in the ARP table (which you can check). If you don't see it, check the switch logs to see if an ACL is blocking it. It may treat ICMP differently from TCP/UDP - So you can ping stuff but other protocols are blocked.
Is the firewall disabled on your linux box? Can you ping the linux box from the switch mgmt interface, but other protocols don't work?
Maybe you can import the cert another way like creating a text file with the Base64 PEM data pasted-in from the console, which would at least get you to the next step.
When you run the certutil import, are you including the rbridge-id parameter for VCS? - Brocade Network OS Command Reference v4.1.0 - Manual (Page 104)
Or maybe the command syntax you're using is slightly off, or maybe the password has an unsupported special character, etc...
Or maybe the command syntax you're using is slightly off, or maybe the password has an unsupported special character, etc...
| rbridge-id-1: % Error: Importing LDAP CA certificate failed. |
Last edited: