HP A7533A HP StorageWorks Fabric OS 6.1.1 administrator guide (5697-0235, Dece - Page 120
Device authentication policy, Auth policy restrictions
UPC - 829160830858
View all HP A7533A manuals
Add to My Manuals
Save this manual to your list of manuals |
Page 120 highlights
switches can have authentication enabled and this will not impact the pre-5.3.0 switches. By default the pre-5.3.0 switches act as passive switches, since they accept incoming authentication requests. Regardless of the policy, E_Port is disabled if the DH-CHAP or FCAP protocol fails to authenticate the attached E_Port. OFF: This setting turns off the policy. The switch will not support authentication and rejects any authentication negotiation request from another switch. A switch with the policy turned OFF cannot be connected to a switch with the policy turned ON. The ON state is strict and disables the port if any switch rejects the authentication. DH-CHAP shared secrets must be configured before changing the policy from the OFF to the ON state. The behavior of the policy between two adjacent switches is defined as follows. If the policy is ON or active, the switch will send an authentication negotiation request to the connecting switch. If the connecting switch does not support authentication or the policy is OFF, the request will be rejected. Once the authentication negotiation succeeds, the DH-CHAP authentication will be initiated. If DH-CHAP authentication fails, the port is disabled and this is applicable in all modes of the policy. Device authentication policy Device authentication policy can also be categorized as an HBA authentication policy. Fabric-wide distribution of the device authentication policy is not supported since the device authentication requires manual interaction in setting the HBA shared secrets and switch shared secrets, and most of the HBAs do not support the defined DH groups for use in the DH-CHAP protocol. By default the switch will be in OFF state, which means the switch will clear the security bit in the FLOGI (fabric login). The authutil command provides an option to change the device policy mode to select PASSIVE policy, which means switch responds to authentication from any device and does not initiates authentication to devices. switch:admin> --policy -dev The following lists available policy modes and properties. OFF (Default): Authentication is not required. Even if a device sends FLOGI with security bit set, switch accepts the FLOGI with security bit OFF. In this case, switch assumes no further authentication requests from device. PASSIVE: Authentication is optional. If the attached device is capable of doing the authentication, the switch participates in authentication; otherwise it will form an F_Port without authentication. In PASSIVE mode, an F_Port will be disabled if the HBA shared secret does not match with the secret installed on the switch. If the secret provided by the switch does not match the secrets installed on the HBA then the HBA will disable the port on its side. On any authentication handshaking rejection, the switch will disable the F_Port with reason Authentication rejected. Since the F_Port authentication requires DH-CHAP protocol, selecting the PASSIVE mode will be blocked if only FCAP protocol is selected as the authentication protocol. Similarly de-selecting the DH-CHAP protocol from the authentication protocol list will be blocked if the device authentication is set to PASSIVE. Auth policy restrictions Fabric OS 5.1.0 implementation of DH-CHAP/FCAP does not support integration with RADIUS. All fabric element authentication configurations are performed on a local switch basis. Device authentication policy supports devices that are connected to the switch in point-to-point manner and is visible to the entire fabric. The following are not supported: • Public loop devices • Single private devices • Private loop devices • Mixed public and private devices in loop • NPIV devices • FICON channels • Configupload/download will not be supported for the following AUTH attributes: auth type, hash type, group type. 120 Configuring advanced security features