Fabric OS Administrator’s Guide 145
53-1001763-02
Authentication policy for fabric elements 7
The switch authentication (AUTH) policy initiates DH-CHAP/FCAP authentication on all E_Ports. This
policy is persistent across reboots, which means authentication will be initiated automatically on
ports or switches brought online if the policy is set to activate authentication. The AUTH policy is
distributed by command; automatic distribution of the AUTH policy is not supported.
The default configuration directs the switch to attempt FCAP authentication first, DH-CHAP second.
The switch may be configured to negotiate FCAP, DH-CHAP, or both.
The DH group is used in the DH-CHAP protocol only. The FCAP protocol exchanges the DH group
information, but does not use it.
Virtual Fabric considerations: If a Virtual Fabric is enabled, all AUTH module parameters such as
shared secrets, and shared switch and device policies, are logical switch-wide. That means you
must configure shared secrets and policies separately on each logical switch and the shared
secrets and policies must be set on each switch prior to authentication. On logical switch creation,
authentication takes default values for policies and other parameters. FCAP certificates are
installed on a chassis, but are configured on each logical switch.

E_Port authentication

The authentication (AUTH) policy allows you to configure DH-CHAP authentication on switches with
Fabric OS v5.3.0 and later. By default the policy is set to PASSIVE and you can change the policy. All
changes to the AUTH policy take effect during the next authentication request. This includes
starting authentication on all E_Ports on the local switch if the policy is changed to ON or ACTIVE,
and clearing the authentication if the policy is changed to OFF. The authentication configurations
will be effective only on subsequent E_ and F_Port initialization.
ATTENTION
A secret key pair has to be installed prior to changing the policy. For more information on setting up
secret key pairs, refer to “Setting a secret key pair” on page 149.
Virtual Fabric considerations: The switch authentication policy applies to all E_Ports in a logical
switch. This includes ISLs and extended ISLs. Authentication of extended ISLs between two base
switches is considered peer-chassis authentication. Authentication between two physical entities is
required, so the extended ISL which connects the two chassis needs to be authenticated. The
corresponding extended ISL for a logical ISL authenticates the peer-chassis, therefore the logical
ISL authentication is not required. Because the logical ISLs do not carry actual traffic, they do not
need to be authenticated. Authentication on re-individualization is also blocked on logical ISLs. The
following error message is printed on the console when you execute the authUtil –-authinit
command on logical-ISLs, “Failed to initiate authentication. Authentication is not supported on
logical ports <port#>”. For more information on Virtual Fabrics, refer to Chapter 10, “Managing
Virtual Fabrics”.

Configuring E_Port authentication

1. Connect to the switch and log in using an account assigned to the admin role.
2. Enter the authUtil command to set the switch policy mode.
Example of configuring E_Port authentication
The following example shows how to enable a Virtual Fabric and configure the E_Ports to perform
authentication using the AUTH policies authUtil command.
switch:admin> fosconfig -enable vf