Auth Policy Restrictions; Supported Hbas; Authentication Protocols - HP A7533A - Brocade 4Gb SAN Switch Base Administrator's Manual

HP StorageWorks Fabric OS 6.2 administrator guide (5697-0016, May 2009)

PASSIVE
Authentication is optional. If the attached device is capable of doing the authentication, the switch participates in authentication; otherwise it forms an F_Port without authentication.

In PASSIVE mode, an F_Port is disabled if the HBA shared secret does not match the secret installed on the switch. If the secret provided by the switch does not match the secrets installed on the HBA, the HBA disables the port on its side. On any authentication handshaking rejection, the switch disables the F_Port with the reason "Authentication rejected".

Because F_Port authentication requires the DH-CHAP protocol, selecting PASSIVE mode is blocked if only the FCAP protocol is selected as the authentication protocol. Similarly, deselecting the DH-CHAP protocol from the authentication protocol list is blocked if device authentication is set to PASSIVE.

ON
Strict authentication is enforced on F_Ports. The port is disabled if the connecting device sends an FLOGI with the FC-SP bit cleared. The port is disabled with the reason "Authentication required" and a RASlog event is generated.

After the device policy is set to ON on the switch, the mandatory authentication is enforced only on new FLOGI requests. Existing ports are not forced to re-log in and re-authenticate.

If you downgrade to a version of Fabric OS earlier than 6.2.0, the ON mode is automatically set to OFF.

Virtual Fabric considerations: Because the device authentication policy has switch- and Logical Switch-based parameters, each Logical Switch is set when Virtual Fabrics is enabled. Authentication is enforced based on each Logical Switch's policy settings.

AUTH policy restrictions

- Fabric OS 5.1.0 implementation of DH-CHAP/FCAP does not support integration with RADIUS. All fabric element authentication configurations are performed on a local switch basis.
- Device authentication policy supports devices that are connected to the switch in a point-to-point manner and is visible to the entire fabric. The following are not supported:
  - Public loop devices
  - Single private devices
  - Private loop devices
  - Mixed public and private devices in loop
  - NPIV devices
  - FICON channels
- The configupload and configdownload commands are not supported for the following AUTH attributes: auth type, hash type, group type.

Supported HBAs

The following HBAs support authentication:
- Emulex LP11000 (tested with Storport Miniport 2.0 Windows driver)
- QLogic QLA2300 (tested with Solaris 5.04 driver)

Authentication protocols

Use the authUtil command to perform the following tasks:
- Display the current authentication parameters.
- Select the authentication protocol used between switches.
- Select the DH (Diffie-Hellman) group for a switch.

Run the authUtil command on the switch you want to view or change. Below are the different options to specify which DH group you want to use.
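
The PASSIVE and ON device-policy behaviour described on this page, written out as a small Python model with a check for the ON-mode caveat that existing logins are not re-authenticated. This is an added example, not code from the HP guide or from Fabric OS; the function names, the protocol strings `dhchap` and `fcap`, the port record and the sample data are assumptions made for illustration.

```python
from dataclasses import dataclass

PASSIVE, ON = "PASSIVE", "ON"  # device-policy modes described in the guide

def check_config(device_policy, protocols):
    """PASSIVE is refused unless DH-CHAP is in the protocol list."""
    if device_policy == PASSIVE and "dhchap" not in protocols:
        raise ValueError("PASSIVE requires DH-CHAP in the protocol list")

def f_port_outcome(device_policy, fcsp_bit, secret_matches):
    """Result of a new FLOGI on an F_Port as (port_state, reason)."""
    if device_policy not in (PASSIVE, ON):
        raise ValueError("only PASSIVE and ON are modelled")
    if not fcsp_bit:
        # FC-SP bit cleared is treated here as "device does not offer
        # authentication": tolerated in PASSIVE, refused in ON.
        if device_policy == PASSIVE:
            return ("online", "no authentication")
        return ("disabled", "Authentication required")
    if secret_matches:
        return ("online", "authenticated")
    # Reason string is documented for PASSIVE; reusing it for ON is an assumption.
    return ("disabled", "Authentication rejected")

@dataclass
class FPort:  # hypothetical inventory record, not a Fabric OS structure
    port: int
    flogi_time: int  # time the current login was accepted (epoch seconds)
    authenticated: bool

def needs_relogin(ports, on_since):
    """Ports whose login predates ON and was never authenticated."""
    return [p.port for p in ports
            if p.flogi_time < on_since and not p.authenticated]

# Constructed sample inventory; the policy was set to ON at t=1000.
SAMPLE = [
    FPort(0, 400, False),   # logged in before ON, never authenticated
    FPort(1, 450, True),    # authenticated earlier under PASSIVE
    FPort(2, 1200, True),   # new FLOGI after ON, authenticated
]

if __name__ == "__main__":
    print(f_port_outcome(ON, fcsp_bit=False, secret_matches=False))
    print(needs_relogin(SAMPLE, on_since=1000))
```

Ports returned by `needs_relogin` keep their unauthenticated session until they send a new FLOGI, because ON is enforced only on new logins.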