E_Port Authentication - HP A7533A - Brocade 4Gb SAN Switch Base Administrator's Manual

HP StorageWorks Fabric OS 6.2 administrator guide (5697-0016, May 2009)

The AUTH policy is designed to accommodate mixed fabric environments that contain Fabric OS 6.0.0
and later along with pre-6.0.0 switches. The policy states PASSIVE and OFF allow connection from
Fabric OS 6.0.0 and later switches to pre-6.0.0 switches. In these policy states the switch does not send
the authentication negotiation and therefore continues with the rest of port initialization.

Virtual Fabric considerations: If a Virtual Fabric is enabled, all AUTH module parameters, such as shared
secrets and shared switch and device policies, are Logical Switch-wide. That means you must configure
shared secrets and policies separately on each Logical Switch, and the shared secrets and policies must be
set on each switch prior to authentication. On Logical Switch creation, authentication takes default values
for policies and other parameters.

E_Port authentication

The authentication (AUTH) policy allows you to configure DH-CHAP authentication on the switch. By default
the policy is set to PASSIVE and you can change the policy using the authUtil command. All changes to
the AUTH policy take effect during the next authentication request. This includes starting authentication on
all E_Ports on the local switch if the policy is changed to ON or ACTIVE, and clearing the authentication if
the policy is changed to OFF. The authentication configurations will be effective only on subsequent E_ and
F_Port initialization.

Virtual Fabric considerations: The switch authentication policy applies to all E_Ports in a Logical Switch. This
includes ISLs and extended ISLs. Authentication of extended ISLs between two base switches is considered
peer-chassis authentication. Authentication between two physical entities is required, so the extended ISL
that connects the two chassis needs to be authenticated. The corresponding extended ISL for a logical ISL
authenticates the peer chassis; therefore, logical ISL authentication is not required. Since the logical ISLs
do not carry actual traffic, they do not need to be authenticated. Authentication on re-individualization is
also blocked on logical ISLs. The following error message is printed on the console when you execute the
authUtil --authinit command on logical ISLs:

Failed to initiate authentication. Authentication is not supported on logical ports <port#>.

For more information on Virtual Fabrics, see Chapter 6, "Managing virtual fabrics" on page 173.

A secret key pair has to be installed prior to changing the policy. The policy can be configured as follows:

switch:admin> authutil --policy -sw <ON|ACTIVE|PASSIVE|OFF>

IMPORTANT: If data input has not been completed and a failover occurs, the command is terminated
without completion and your entire input is lost.
If a failover occurs and data input has been completed and the Enter key pressed, data may or may not be
replicated to the other CP depending on the timing of the failover. Log in to the other CP after the failover
is complete and verify that the data was saved. If data was not saved, run the command again.

The following are the available policy modes and properties:

ON
Setting the AUTH policy to ON means that strict authentication is enforced on all
E_Ports. If the connecting switch does not support authentication or the policy is
switched to the OFF state, the ISL is disabled.
During switch initialization, authentication begins automatically on all E_Ports. To
enforce this policy fabric-wide, the fabric needs to have Fabric OS 5.3.0 and later
switches only. The switch disables the port if it is connected to a switch which does not
support authentication. Regardless of the policy, the E_Port is disabled if the
DH-CHAP or FCAP protocol fails to authenticate the attached E_Port.

ACTIVE
In this state the switch is more tolerant and can connect to a switch with any type of
policy. During switch initialization, authentication begins on all E_Ports, but the port is
not disabled if the connecting switch does not support authentication or the AUTH
policy is turned to the OFF state.
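
The policy behaviour described above, modelled as a pre-change check that lists which ISLs would be disabled under a given switch policy. This is an added example, not code from the guide or from Fabric OS; the Peer record, the function names and the sample inventory are hypothetical, and it assumes that a PASSIVE switch takes part in a negotiation its neighbour starts.

```python
# Added example (not from the HP/Brocade guide): models the E_Port outcomes described above.
from dataclasses import dataclass
from typing import List, Optional

INITIATES = {"ON", "ACTIVE"}  # PASSIVE and OFF never send the authentication negotiation


@dataclass
class Peer:                      # hypothetical inventory record for one ISL neighbour
    name: str
    policy: Optional[str]        # None = neighbour does not support authentication
    secret_ok: bool = True       # shared secret pair installed and matching on both ends


def isl_outcome(local: str, peer: Peer) -> str:
    """Return 'authenticated', 'unauthenticated' or 'disabled' for one ISL."""
    peer_cannot_auth = peer.policy in (None, "OFF")
    # ON is strict: the ISL is disabled when the other end cannot or will not authenticate.
    if local == "ON" and peer_cannot_auth:
        return "disabled"
    if peer.policy == "ON" and local == "OFF":
        return "disabled"
    # Assumption: a PASSIVE end takes part in a negotiation that the other end starts.
    one_end_initiates = local in INITIATES or peer.policy in INITIATES
    if not one_end_initiates or local == "OFF" or peer_cannot_auth:
        return "unauthenticated"
    # Regardless of policy, a failed DH-CHAP/FCAP exchange disables the E_Port.
    return "authenticated" if peer.secret_ok else "disabled"


def links_lost(new_policy: str, peers: List[Peer]) -> List[str]:
    """Names of neighbours whose ISL would be disabled under new_policy."""
    return [p.name for p in peers if isl_outcome(new_policy, p) == "disabled"]


# Constructed sample inventory, not taken from a real fabric.
PEERS = [
    Peer("edge-legacy", None),
    Peer("core-b", "PASSIVE"),
    Peer("core-c", "OFF"),
    Peer("core-d", "ACTIVE", secret_ok=False),
]

if __name__ == "__main__":
    for policy in ("ON", "ACTIVE", "PASSIVE", "OFF"):
        print(policy, "->", links_lost(policy, PEERS))
```

In the sample inventory a mismatched secret on core-d costs the link even under PASSIVE, because the ACTIVE neighbour starts the exchange; this is why the secret key pair has to be in place before the policy is changed.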
