Brocade Communications Systems 53-1001763-02 E

Fabric OS Administrator’s Guide 145

53-1001763-02

Authentication policy for fabric elements 7

The switch authentication (AUTH) policy initiates DH-CHAP/FCAP authentication on all E_Ports. This

policy is persistent across reboots, which means authentication will be initiated automatically on

ports or switches brought online if the policy is set to activate authentication. The AUTH policy is

distributed by command; automatic distribution of the AUTH policy is not supported.

The default configuration directs the switch to attempt FCAP authentication first, DH-CHAP second.

The switch may be configured to negotiate FCAP, DH-CHAP, or both.

The DH group is used in the DH-CHAP protocol only. The FCAP protocol exchanges the DH group

information, but does not use it.

Virtual Fabric considerations: If a Virtual Fabric is enabled, all AUTH module parameters such as

shared secrets, and shared switch and device policies, are logical switch-wide. That means you

must configure shared secrets and policies separately on each logical switch and the shared

secrets and policies must be set on each switch prior to authentication. On logical switch creation,

authentication takes default values for policies and other parameters. FCAP certificates are

installed on a chassis, but are configured on each logical switch.

E_Port authentication

The authentication (AUTH) policy allows you to configure DH-CHAP authentication on switches with

Fabric OS v5.3.0 and later. By default the policy is set to PASSIVE and you can change the policy. All

changes to the AUTH policy take effect during the next authentication request. This includes

starting authentication on all E_Ports on the local switch if the policy is changed to ON or ACTIVE,

and clearing the authentication if the policy is changed to OFF. The authentication configurations

will be effective only on subsequent E_ and F_Port initialization.

ATTENTION

A secret key pair has to be installed prior to changing the policy. For more information on setting up

secret key pairs, refer to “Setting a secret key pair” on page 149.

Virtual Fabric considerations: The switch authentication policy applies to all E_Ports in a logical

switch. This includes ISLs and extended ISLs. Authentication of extended ISLs between two base

switches is considered peer-chassis authentication. Authentication between two physical entities is

required, so the extended ISL which connects the two chassis needs to be authenticated. The

corresponding extended ISL for a logical ISL authenticates the peer-chassis, therefore the logical

ISL authentication is not required. Because the logical ISLs do not carry actual traffic, they do not

need to be authenticated. Authentication on re-individualization is also blocked on logical ISLs. The

following error message is printed on the console when you execute the authUtil –-authinit

command on logical-ISLs, “Failed to initiate authentication. Authentication is not supported on

logical ports <port#>”. For more information on Virtual Fabrics, refer to Chapter 10, “Managing

Virtual Fabrics”.

1. Connect to the switch and log in using an account assigned to the admin role.

2. Enter the authUtil command to set the switch policy mode.

Example of configuring E_Port authentication

The following example shows how to enable a Virtual Fabric and configure the E_Ports to perform

authentication using the AUTH policies authUtil command.

switch:admin> fosconfig -enable vf