HP StorageWorks 8/80 HP StorageWorks Fabric OS 6.1.x administrator guide (5697 - Page 67

1. Log in to the switch using an admin or securityAdmin account. 2. Type userConfig --change -u. where is the name of the user account that is locked out. To disable the admin lockout policy: 1. Log in to the switch using an admin or securityAdmin account. 2. Type passwdCfg --disableadminlockout. The policy is now disabled. Denial of service implications The account lockout mechanism may be used to create a denial of service condition by repeatedly attempting to log in to an account using an incorrect password. Selected privileged accounts are exempted from the account lockout policy to prevent them from being locked out from a denial of service attack. However these privileged accounts may then become the target of password guessing attacks. Audit logs may be examined to monitor if such attacks are attempted. Authentication model This section discusses the authentication model of the switch management channel connections using the aaaConfig command. Fabric OS 6.x and later supports the use of both the local user database and the RADIUS service at the same time; and the local user database and LDAP using Microsoft's Active Directory in Windows at the same time. Table 12 on page 68 outlines the available command options. When configured to use RADIUS or LDAP, the switch acts as a network access server (NAS) and RADIUS or LDAP client. The switch sends all authentication, authorization, and accounting (AAA) service requests to the RADIUS or LDAP server. The RADIUS or LDAP server receives the request, validates the request, and sends its response back to the switch. The supported management access channels that will integrate with RADIUS and LDAP include serial port, Telnet, SSH, Web Tools, and API. All these require the switch IP address or name to connect. The RADIUS server accepts both IPv4 and IP address formats, while LDAP server accepts only an IPv4 address. A switch can be configured to try both RADIUS or LDAP and local switch authentication. For systems such as the HP 4/256 SAN Director and DC SAN Backbone Director (DC Director), the switch IP addresses are aliases of the physical Ethernet interfaces on the CP blades. When specifying client IP addresses for the logical switches in such systems, make sure the CP IP addresses are used. For accessing both the active and standby CP, and for the purpose of HA failover, both CP IP addresses of a Director should be included in the RADIUS or LDAP server configuration. When configured for RADIUS or LDAP, a switch becomes a RADIUS or LDAP client. In either of these configurations, authentication records are stored in the RADIUS or LDAP host server database. Login and logout account name, assigned role, and time-accounting records are also stored on the RADIUS or LDAP server for each user. By default, the RADIUS and LDAP services are disabled, so AAA services default to the switch local database. To enable RADIUS or LDAP service, it is strongly recommended that you access the CLI through an SSH connection so that the shared secret is protected. Multiple login sessions can configure simultaneously, and the last session to apply a change leaves its configuration in effect. After a configuration is applied, it persists after a reboot or an HA failover. To enable LDAP service, you will need to install a certificate on the Microsoft Active Directory server. The configuration applies to all switches and on a Director the configuration replicates itself on a standby CP blade if one is present. It is saved in a configuration upload and applied in a configuration download. You should configure at least two RADIUS servers so that if one fails, the other will assume service. You can set the configuration with both RADIUS or LDAP service and local authentication enabled so that if the RADIUS or LDAP servers do not respond due to power failure or network problems, the switch uses local authentication. Fabric OS 6.1.x administrator guide 67