HP StorageWorks 8/80 HP StorageWorks Fabric OS 6.2 administrator guide (5697-0 - Page 133
AUTH policy restrictions, Authentication protocols
PASSIVE
Authentication is optional. If the attached device is capable of doing the authentication, the switch participates in authentication; otherwise it forms an F_Port without authentication.

In PASSIVE mode, an F_Port is disabled if the HBA shared secret does not match the secret installed on the switch. If the secret provided by the switch does not match the secrets installed on the HBA, the HBA disables the port on its side. On any authentication handshaking rejection, the switch disables the F_Port with reason "Authentication rejected".

Since the F_Port authentication requires DH-CHAP protocol, selecting the PASSIVE mode is blocked only if FCAP protocol is selected as the authentication protocol. Similarly, de-selecting the DH-CHAP protocol from the authentication protocol list is blocked if the device authentication is set to PASSIVE.

ON
Strict authentication is enforced on F_Ports. The port is disabled if the connecting device sends an FLOGI with the FC-SP bit cleared. The port is disabled with the reason "Authentication required" and a RASlog event is generated.

After the device policy is set to ON on the switch, the mandatory authentication is enforced only on new FLOGI requests. Existing ports are not forced to re-log in and re-authenticate. If you downgrade to a version of Fabric OS earlier than 6.2.0, the ON mode is automatically set to OFF.

Virtual Fabric considerations: Because the device authentication policy has switch- and Logical Switch-based parameters, each Logical Switch is set when Virtual Fabrics is enabled. Authentication is enforced based on each Logical Switch's policy settings.

AUTH policy restrictions

Fabric OS 5.1.0 implementation of DH-CHAP/FCAP does not support integration with RADIUS. All fabric element authentication configurations are performed on a local switch basis.

Device authentication policy supports devices that are connected to the switch in point-to-point manner and is visible to the entire fabric.
The following are not supported:
• Public loop devices
• Single private devices
• Private loop devices
• Mixed public and private devices in loop
• NPIV devices
• FICON channels
• The configupload and configdownload commands are not supported for the following AUTH attributes: auth type, hash type, group type.

Supported HBAs

The following HBAs support authentication:
• Emulex LP11000 (Tested with Storport Miniport 2.0 windows driver)
• Qlogic QLA2300 (Tested with Solaris 5.04 driver)

Authentication protocols

Use the authUtil command to perform the following tasks:
• Display the current authentication parameters.
• Select the authentication protocol used between switches.
• Select the DH (Diffie-Hellman) group for a switch.

Run the authUtil command on the switch you want to view or change. Below are the different options to specify which DH group you want to use.
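Returning to the PASSIVE and ON device authentication modes described earlier on this page: the following is an added example, not code from the HP guide or from Fabric OS. It models the F_Port outcomes the guide lists so you can see which attached devices would lose their port when the device policy moves from PASSIVE to ON. The `Hba` class, the function names, the inventory and the secrets are all constructed for illustration, and the DH-CHAP exchange is reduced to a secret comparison.

```python
import hmac
from dataclasses import dataclass
from typing import Optional

@dataclass
class Hba:                      # constructed model of an attached device
    name: str
    fcsp: bool                  # sends FLOGI with the FC-SP bit set
    secret: Optional[bytes]     # shared secret installed on the HBA
    logged_in: bool = False     # already holds an F_Port login

def config_allowed(device_policy: str, protocols: set) -> bool:
    """F_Port authentication needs DH-CHAP, so PASSIVE with an FCAP-only
    protocol list (or removing DH-CHAP while PASSIVE) is blocked."""
    return not (device_policy == "PASSIVE" and "dhchap" not in protocols)

def flogi_outcome(device_policy: str, hba: Hba, switch_secret: bytes):
    """Predict (port_state, reason) for a new FLOGI under PASSIVE or ON."""
    if not hba.fcsp:
        if device_policy == "ON":
            return ("disabled", "Authentication required")
        return ("online", "F_Port formed without authentication")
    # Stand-in for the DH-CHAP exchange: only the secret comparison is modelled.
    # Assumption: a failed handshake under ON is reported like under PASSIVE.
    if hba.secret is not None and hmac.compare_digest(hba.secret, switch_secret):
        return ("online", "authenticated")
    return ("disabled", "Authentication rejected")

def impact_of_on(hbas, switch_secret):
    """Ports that stay up under PASSIVE but drop at their next FLOGI under ON.
    'deferred' marks existing logins, which are not forced to re-authenticate."""
    report = {}
    for h in hbas:
        before = flogi_outcome("PASSIVE", h, switch_secret)[0]
        state, reason = flogi_outcome("ON", h, switch_secret)
        if before == "online" and state == "disabled":
            report[h.name] = (reason, "deferred" if h.logged_in else "new-login")
    return report

# Constructed inventory; names and secrets are placeholders.
SECRET = b"example-shared-secret"
FLEET = [
    Hba("hba-a", fcsp=True, secret=SECRET, logged_in=True),
    Hba("hba-b", fcsp=False, secret=None, logged_in=True),
    Hba("hba-c", fcsp=False, secret=None),
    Hba("hba-d", fcsp=True, secret=b"stale-secret"),
]

if __name__ == "__main__":
    for name, detail in impact_of_on(FLEET, SECRET).items():
        print(name, *detail)
```

Devices reported as "deferred" keep working after the policy change and fail only when they next log in, which is why a move to ON can appear clean and then drop ports after a later reboot or link reset.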