Brocade Communications Systems 53-1001763-02 사용자 설명서
Fabric OS Administrator’s Guide
147
53-1001763-02
Authentication policy for fabric elements
7
Device authentication policy
Device authentication policy can also be categorized as an F_Port, node port, or an HBA
authentication policy. Fabric-wide distribution of the device authentication policy is not supported
because the device authentication requires manual interaction in setting the HBA shared secrets
and switch shared secrets, and most of the HBAs do not support the defined DH groups for use in
the DH-CHAP protocol.
authentication policy. Fabric-wide distribution of the device authentication policy is not supported
because the device authentication requires manual interaction in setting the HBA shared secrets
and switch shared secrets, and most of the HBAs do not support the defined DH groups for use in
the DH-CHAP protocol.
By default the switch is in the OFF state, which means the switch clears the security bit in the FLOGI
(fabric login). The authUtil command provides an option to change the device policy mode to select
PASSIVE policy, which means the switch responds to authentication from any device and does not
initiate authentication to devices. When the policy is set to ON, the switch expects a FLOGI with the
FC-SP bit set. If not, the switch rejects the FLOGI with reason LS_LOGICAL_ERROR (0x03),
explanation “Authentication Required”(0x48), and disables the port. Regardless of the policy, the
F_Port is disabled if the DH-CHAP protocol fails to authenticate. If the HBA sets the FC-SP bit during
FLOGI and the switch sends a FLOGI accept with the FC-SP bit set, then the switch expects the HBA
to start the AUTH_NEGOTIATE. From this point on until the AUTH_NEGOTIATE is completed, all ELS
and CT frames, except the AUTH_NEGOTIATE ELS frame, are blocked by the switch. During this
time, the Fibre Channel driver rejects all other ELS frames. The F_Port does not form until the
AUTH_NEGOTIATE is completed. It is the HBA's responsibility to send an Authentication Negotiation
ELS frame after receiving the FLOGI accept frame with the FC-SP bit set.
(fabric login). The authUtil command provides an option to change the device policy mode to select
PASSIVE policy, which means the switch responds to authentication from any device and does not
initiate authentication to devices. When the policy is set to ON, the switch expects a FLOGI with the
FC-SP bit set. If not, the switch rejects the FLOGI with reason LS_LOGICAL_ERROR (0x03),
explanation “Authentication Required”(0x48), and disables the port. Regardless of the policy, the
F_Port is disabled if the DH-CHAP protocol fails to authenticate. If the HBA sets the FC-SP bit during
FLOGI and the switch sends a FLOGI accept with the FC-SP bit set, then the switch expects the HBA
to start the AUTH_NEGOTIATE. From this point on until the AUTH_NEGOTIATE is completed, all ELS
and CT frames, except the AUTH_NEGOTIATE ELS frame, are blocked by the switch. During this
time, the Fibre Channel driver rejects all other ELS frames. The F_Port does not form until the
AUTH_NEGOTIATE is completed. It is the HBA's responsibility to send an Authentication Negotiation
ELS frame after receiving the FLOGI accept frame with the FC-SP bit set.
Virtual Fabric considerations: Because the device authentication policy has switch and logical
switch-based parameters, each logical switch is set when Virtual Fabrics is enabled. Authentication
is enforced based on each logical switch’s policy settings.
switch-based parameters, each logical switch is set when Virtual Fabrics is enabled. Authentication
is enforced based on each logical switch’s policy settings.
Configuring device authentication
1. Connect to the switch and log in using an account assigned to the admin role.
2. Enter the authUtil command to set the device policy mode.
Example of setting the Device policy to passive mode:
switch:admin> authutil --policy -dev passive
Warning: Activating the authentication policy requires
DH-CHAP secrets on both switch and device. Otherwise,
the F-port will be disabled during next F-port
bring-up.
ARE YOU SURE (yes, y, no, n): [no] y
Device authentication is set to PASSIVE
Warning: Activating the authentication policy requires
DH-CHAP secrets on both switch and device. Otherwise,
the F-port will be disabled during next F-port
bring-up.
ARE YOU SURE (yes, y, no, n): [no] y
Device authentication is set to PASSIVE
AUTH policy restrictions
All fabric element authentication configurations are performed on a local switch basis.
Device authentication policy supports devices that are connected to the switch in point-to-point
manner and is visible to the entire fabric. The following are not supported:
manner and is visible to the entire fabric. The following are not supported:
•
Public loop devices
•
Single private devices
•
Private loop devices
•
Mixed public and private devices in loop
•
NPIV devices