HP StorageWorks MSA 2/8 HP StorageWorks Fabric OS 3.X Document Addendum (AA-RW - Page 137

Fabric OS procedures user guide To enable RADIUS service, access the CLI through an SSH connection so that the shared secret is protected. Multiple login sessions can configure simultaneously, and the last session to apply a change leaves its configuration in effect. After a configuration is applied, it persists after a reboot or an HA failover. The configuration is chassis-based, so it applies to all logical switches (domains) on the switch and replicates itself on a standby CP card, if one is present. It is saved in a firmware upload, so it can be applied to other switches in a firmware download. Configure at least two RADIUS servers so that if one fails, the other assumes service. You can set the configuration with both RADIUS service and local authentication enabled so that if all RADIUS servers do not respond (because of power failure or network problems), the switch uses local authentication. Considerations for RADIUS Use Consider the following effects of the use of RADIUS service on other Fabric OS features: ■ Passwords - When RADIUS service is enabled, all account passwords must be managed on the RADIUS server. The Fabric OS mechanisms for changing switch passwords remain functional; however, such changes affect only the involved switches locally. They do not propagate to the RADIUS server, nor do they affect any account on the RADIUS server. - When RADIUS is set up for a fabric that contains a mix of switches running v4.4.0, v3.2.x, or earlier, the way a switch authenticates users depends on whether a RADIUS server is set up for that switch. For a switch with RADIUS support and configuration, authentication bypasses the local password database. For a switch without RADIUS support or configuration, authentication uses switch local account names and passwords. ■ Secure Fabric OS. In secure mode, the following items apply: - Account passwords are distributed among all switches in the same fabric. An account that resides on several switches has the same password on all of them. This model applies with RADIUS integration; such a distribution affects only the switch local password database. - There are separate admin and nonfcsadmin roles in secure mode. A nonfcsadmin account on a RADIUS server cannot access FCS switches, even if the account is properly authenticated. - If a nonfcsadmin account on a RADIUS server logs in to a switch in nonsecure mode, the switch treats the role like the admin role and grants the access. - The secure Fabric OS telnet policy does not affect the operation of the RADIUS protocol. ■ Advanced Web Tools. The following items apply: - Advanced Web Tools client and server keep an open session after a user is authenticated. A password change on a switch invalidates an open session and requires the user to log in again. When integrated with RADIUS, a switch password change on the RADIUS server does not invalidate an existing open session. However, a password change on the local switch does invalidate an existing open session. - If you cannot log in because of a RADIUS server connection problem, Advanced Web Tools displays a message indicating server outage. Fabric OS 3.x Document Addendum 137