OAuth2 Authentication NEW!

Support for OAuth2 authentication allows the processing of authentication requests from north-bound interfaces using an OAuth2 token.

Overview

OAuth2 Authentication is supported only for SLX 9250.
The SLX device uses a PKI certificate to validate the incoming token.
Use the crypto import command with the oauth2pkicert option to import the OAuth2 PKI certificate.
Use the aaa authentication login oauth2 [local | local-auth-fallback] command to configure the OAuth2 mode of authentication.
OAuth2 tokens are supported by the Bearer Token field in the HTTPS authorization header.

The user command in the audit log shows the xpath format for NETCONF configurations. For example:

SLX# show logging auditlog
0 AUDIT, 2020/02/20-22:45:57 (GMT), [DCM-1006], INFO, DCMCFG, admin/admin/134.141.219.78/ssh/netconf,, SLX, Event: database commit transaction, Status: Succeeded, User command:  /brocade-interface:interface/ethernet[name="0/26"]/switchport-basic/basic.
1 AUDIT, 2020/02/20-22:52:23 (GMT), [DCM-1018], WARNING, DCMCFG, admin/admin/134.141.219.78/ssh/netconf,, SLX, Event: database commit transaction, Status: %% Error: Remove L3 configuration from the interface, User command: /brocade-interface:interface/ethernet[name="0/1"]/switchport-basic/basic, /brocade-interface:interface/ethernet[name="0/2"]/switchport-basic/basic, /brocade-interface:inte.

Considerations

Setting the AAA authentication mode to OAuth2 is applicable to the SSH (NETCONF) and RESTCONF login methods. Telnet login using the OAuth2 token always fails because it is a non-secure means of transferring the OAuth2 token. As a best practice, set the secondary source of authentication in the aaa authentication command to always fall back to local authentication.
Unlike other remote server authentication mode of operations, OAuth2 with local or local-auth-fallback always falls back to the local mode of authentication if the primary source fails.
By default, any role from the OAuth2 token is mapped to the admin role in the SLX device.
Only RS256-based OAuth2 token is supported.
There is no expiration check in the OAuth2 token.
You can import only one OAuth2 PKI CA certificate.
The maximum token length allowed is 1024 bytes.
The supported token signature algorithm is RSA SHA-256.