Connectrix Brocade: "starttls" parameter is missing in the "aaaconfig" command on the switches

Summary: The "starttls" parameter is missing in the "aaaconfig" command in FOS v8.2.3 and FOS v9.0.0x.


Symptoms

STARTTLS is an alternative approach that is now the preferred method of encrypting an LDAP connection. STARTTLS "upgrades" a non-encrypted connection by wrapping it with SSL/TLS after or during the connection process.

It works by establishing a normal, that is unsecured, connection with the LDAP server before a handshake negotiation between the server and the web services is carried out. Here, the server sends its certificate to prove its identity before the secure connection is established. If negotiation for a secure connection is unsuccessful, then a standard LDAP connection may be opened. Whether this occurs depends on the LDAP server and its configuration.
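The exchange described above at the wire level, as an added example that is not part of this article and not Broadcom or Dell code: it builds the LDAP StartTLS ExtendedRequest a client sends, parses the server's ExtendedResponse, and makes the client-side decision on the failure case. The server reply bytes, the function names and the message ID are constructed for the demo; nothing is sent on the network.

```python
"""LDAP StartTLS request/response encoding (RFC 4511) plus a no-fallback policy.
Added example; all sample bytes below are constructed, not captured from a real server."""
from typing import Tuple

STARTTLS_OID = "1.3.6.1.4.1.1466.20037"  # StartTLS extended operation (RFC 4511 section 4.14)

# BER tags used by LDAPMessage
TAG_SEQUENCE = 0x30
TAG_INTEGER = 0x02
TAG_ENUMERATED = 0x0A
TAG_EXTENDED_REQUEST = 0x77   # [APPLICATION 23], constructed
TAG_EXTENDED_RESPONSE = 0x78  # [APPLICATION 24], constructed
TAG_REQUEST_NAME = 0x80       # [0] context-specific, primitive

# LDAP resultCode values used here
RESULT_SUCCESS = 0
RESULT_PROTOCOL_ERROR = 2     # what a server returns when it does not support StartTLS


def ber_tlv(tag: int, body: bytes) -> bytes:
    """Encode one BER tag-length-value element (short and long length forms)."""
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    else:
        raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(raw)]) + raw
    return bytes([tag]) + length + body


def build_starttls_request(message_id: int = 1) -> bytes:
    """Client -> server: LDAPMessage { messageID, ExtendedRequest { requestName = StartTLS OID } }.
    Message IDs below 128 only, so the INTEGER fits in one positive byte."""
    ext_req = ber_tlv(TAG_EXTENDED_REQUEST,
                      ber_tlv(TAG_REQUEST_NAME, STARTTLS_OID.encode("ascii")))
    return ber_tlv(TAG_SEQUENCE, ber_tlv(TAG_INTEGER, bytes([message_id])) + ext_req)


def read_tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Decode one TLV at buf[pos]; return (tag, value, position after the element)."""
    tag = buf[pos]
    first = buf[pos + 1]
    pos += 2
    if first & 0x80:
        nbytes = first & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    else:
        length = first
    return tag, buf[pos:pos + length], pos + length


def parse_extended_response(msg: bytes) -> Tuple[int, int]:
    """Server -> client: return (messageID, resultCode) from an ExtendedResponse."""
    tag, body, _ = read_tlv(msg, 0)
    if tag != TAG_SEQUENCE:
        raise ValueError("not an LDAPMessage")
    tag, mid, pos = read_tlv(body, 0)
    if tag != TAG_INTEGER:
        raise ValueError("missing messageID")
    tag, ext, _ = read_tlv(body, pos)
    if tag != TAG_EXTENDED_RESPONSE:
        raise ValueError("not an ExtendedResponse")
    tag, code, _ = read_tlv(ext, 0)  # first element of LDAPResult is resultCode
    if tag != TAG_ENUMERATED:
        raise ValueError("missing resultCode")
    return int.from_bytes(mid, "big"), int.from_bytes(code, "big")


def tls_upgrade_allowed(response: bytes, expected_id: int = 1) -> bool:
    """Client policy: wrap the socket in TLS only on resultCode success for our message ID.
    Any other outcome means the session must be closed, not continued as cleartext LDAP."""
    mid, code = parse_extended_response(response)
    return mid == expected_id and code == RESULT_SUCCESS


# Constructed server replies: LDAPMessage { 1, ExtendedResponse { resultCode, "", "" } }
RESPONSE_SUCCESS = bytes.fromhex("300c020101" "7807" "0a0100" "0400" "0400")
RESPONSE_PROTOCOL_ERROR = bytes.fromhex("300c020101" "7807" "0a0102" "0400" "0400")

if __name__ == "__main__":
    print(build_starttls_request(1).hex())
    print("success reply ->", tls_upgrade_allowed(RESPONSE_SUCCESS))
    print("protocolError reply ->", tls_upgrade_allowed(RESPONSE_PROTOCOL_ERROR))
```

The resultCode check is where the fallback mentioned above is decided: a client that keeps using the socket after a non-zero result has a plain LDAP session, and the bind credentials that follow cross the network unencrypted.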

Cause


Since Broadcom does not support Secure LDAP on port 636, a secure connection is instead established by enabling the "STARTTLS" parameter while configuring the AAA services for "LDAP".

This option is not available in either FOS v8.2.3 or FOS v9.0.0x, because it was not tested in those releases.

Screenshot for reference:

FOS v9.0.0x: FOS v9.0.0x screenshot (image not included in this text version)

FOS v8.2.3: FOS v8.2.3 screenshot (image not included in this text version)

Resolution


Since the "starttls" option was not tested in FOS v8.2.3 and v9.0.x, it is not offered while configuring the "aaaconfig" command on the switch.

FOS v9.0.x was released before FOS v8.2.3a, hence the "starttls" option is missing from the "aaaconfig" command in both.

The "starttls" option is only available in FOS v8.2.3a and above. This information is updated in the Release Notes of FOS v8.2.3a.
In FOS v9.1, the "starttls" option is available while configuring "aaaconfig".

Command to configure it:
aaaconfig --add | --change server -conf radius | ldap | tacacs+
 [-p port] [-d domain] [-t timeout] [-s secret]
 [-a chap | pap | peap-mschapv2] [-e -encr_type none | aes256]
 [-tls_mode starttls | ldaps]

After configuration, the setting can be verified with the following command:
switch:admin> aaaconfig --show -conf ldap

LDAP CONFIGURATIONS
===================

Position : 1
Server : 1.2.3.4
Port : 389
Domain : local
Timeout(s) : 3
LDAP TLS Mode : STARTTLS

Position : 2
Server : 5.6.7.8
Port : 389
Domain : local
Timeout(s) : 3
LDAP TLS Mode : STARTTLS

Primary AAA Service: LDAP
Secondary AAA Service: Switch database
Log Primary Authentication Status: Yes
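As an added example (not part of this article, and not a Broadcom or Dell tool), a short audit script that parses the "aaaconfig --show -conf ldap" output shown above and flags any LDAP server whose "LDAP TLS Mode" is neither STARTTLS nor LDAPS. The sample output is constructed: positions 1 and 2 copy the listing above, while position 3 (server 9.9.9.9) is made up with the TLS mode line absent, to stand in for a server configured without a TLS mode.

```python
"""Audit of Brocade FOS 'aaaconfig --show -conf ldap' output for cleartext LDAP servers.
Added example; SAMPLE_OUTPUT is constructed (server 9.9.9.9 is made up)."""
import re
from typing import Dict, List

SAMPLE_OUTPUT = """\
LDAP CONFIGURATIONS
===================

Position : 1
Server : 1.2.3.4
Port : 389
Domain : local
Timeout(s) : 3
LDAP TLS Mode : STARTTLS

Position : 2
Server : 5.6.7.8
Port : 389
Domain : local
Timeout(s) : 3
LDAP TLS Mode : STARTTLS

Position : 3
Server : 9.9.9.9
Port : 389
Domain : local
Timeout(s) : 3

Primary AAA Service: LDAP
Secondary AAA Service: Switch database
Log Primary Authentication Status: Yes
"""

# Modes that protect the bind; anything else (or no mode at all) means cleartext LDAP
SECURE_MODES = {"STARTTLS", "LDAPS"}

# "Key : value" lines; keys may contain spaces and parentheses, e.g. "Timeout(s)"
KEY_VALUE = re.compile(r"^\s*([A-Za-z()/ ]+?)\s*:\s*(.*?)\s*$")


def parse_ldap_servers(text: str) -> List[Dict[str, str]]:
    """Return one dict per server block. A block starts at 'Position' and ends at a blank
    line, so the trailing AAA summary lines are not attached to the last server."""
    servers: List[Dict[str, str]] = []
    current = None
    for line in text.splitlines():
        if not line.strip():
            current = None
            continue
        m = KEY_VALUE.match(line)
        if not m:
            continue
        key, value = m.group(1), m.group(2)
        if key == "Position":
            current = {"Position": value}
            servers.append(current)
        elif current is not None:
            current[key] = value
    return servers


def audit_ldap_tls(servers: List[Dict[str, str]]) -> List[str]:
    """Return one finding per server whose TLS mode is missing or not STARTTLS/LDAPS."""
    findings = []
    for s in servers:
        mode = s.get("LDAP TLS Mode", "").upper()
        if mode not in SECURE_MODES:
            findings.append(
                f"server {s.get('Server')} (position {s.get('Position')}, port {s.get('Port')}): "
                f"TLS mode {mode or 'not set'}; LDAP binds and credentials travel in cleartext"
            )
    return findings


if __name__ == "__main__":
    for finding in audit_ldap_tls(parse_ldap_servers(SAMPLE_OUTPUT)):
        print("FINDING:", finding)
```

Run it against the real command output (pasted from the switch session) in place of SAMPLE_OUTPUT; an empty findings list means every configured LDAP server is set to STARTTLS or LDAPS.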

Affected Products

Connectrix B-Series Software

Products

Connectrix B-Series, Connectrix B-Series Hardware
Article Properties
Article Number: 000201898
Article Type: Solution
Last Modified: 14 Apr 2025
Version:  3