HP StorageWorks MSA 2/8 HP StorageWorks Fabric OS 3.X Document Addendum (AA-RW - Page 138

Fabric OS procedures user guide ■ API. The following items apply: - When an older version of the API host library authenticates against a switch with RADIUS support, the host performs the login. However, the old host library does not recognize the role returned from the switch, which can result in the host displaying an incorrect read or write attribute for an account. The switch library performs the permission check again for individual API function calls. - API provides functions for RADIUS configuration that share the behavior of the aaaconfig CLI command. ■ Advanced Web Tools and API. The following items apply to both of these features: - Users can log in using account names and passwords configured on the RADIUS server, and gain access with the switch roles defined on the RADIUS server. - Users can log in through API using account names and passwords configured on the RADIUS server, and gain access with the switch roles defined on the RADIUS server. - When a proxy switch is used, the switch-side component performs authentication on the proxy switch, rather than on the destination switch. Therefore, to use RADIUS in this environment, you must configure on the proxy switch. Accounting Support The RADIUS service supports accounting request and response packets so that accounting records can be centralized on the RADIUS server. The login account name, assigned role, and password are stored on the RADIUS server for each user. Setting Up the RADIUS Server You must know the switch IP address or name to connect to switches. Use the ipaddrshow command to display a switch IP address. User accounts should be set up by their true network-wide identity, rather than by the account names created on a Fabric OS switch. Along with each account name, the administrator should assign appropriate switch access roles. To manage a nonsecure fabric, these roles can be user or admin. To manage a secure fabric, these roles can be user, admin, or nonfcsadmin. When they log in to a switch configured with RADIUS, users enter their assigned RADIUS account names and passwords at the prompt. After the RADIUS server authenticates a user, it responds with the assigned switch role in an HP Vendor-Specific Attribute (VSA) as defined in the RFC. An authentication-accept response without such VSA role assignment grants the user role. The following sections explain how to configure a RADIUS server to support HP clients under different operating systems. Windows 2000 Use these procedures to add a client to the RADIUS server and create remote access policies for Fabric OS user and admin roles. To add a RADIUS client: 1. From the Windows Start menu, select Programs > Administrative Tools:Internet Authentication Service. 2. In the Internet Authentication Service window, right-click the RADIUS Clients folder and select New RADIUS Client. 138 Fabric OS 3.x Document Addendum