The authentication model
Fabric OS 6.0.0 and later versions support the use of both the local user database and the remote
authentication dial-in user service (RADIUS) at the same time. and the local user database and lightweight
directory access protocol (LDAP) using Microsoft Active Directory in Windows at the same time.
When configured to use RADIUS or LDAP, the switch acts as a network access server (NAS) and RADIUS
or LDAP client. The switch sends all authentication, authorization, and accounting (AAA) service requests to
the RADIUS or LDAP server. The RADIUS or LDAP server receives the request, validates the request, and
sends its response back to the switch.
The supported management access channels that integrate with RADIUS and LDAP include serial port,
Telnet, SSH, Web Tools, and API. All these require the switch IP address or name to connect. The RADIUS
server accepts both IPv4 and IPv6 address formats, while the LDAP server accepts only an IPv4 address.
A switch can be configured to try both RADIUS or LDAP and local switch authentication.
For systems such as the HP StorageWorks 4/256 SAN Director and HP StorageWorks DC SAN Backbone
Director enterprise-class platforms, the switch IP addresses are aliases of the physical Ethernet interfaces on
the CP blades. When specifying client IP addresses for the Logical Switches in such systems, make sure the
CP IP addresses are used. For accessing both the active and standby CP, and for the purpose of HA
failover, both CP IP addresses of a director should be included in the RADIUS or LDAP server configuration.
When configured for RADIUS or LDAP, a switch becomes a RADIUS or LDAP client. In either of these
configurations, authentication records are stored in the RADIUS or LDAP host server database. Login and
logout account name, assigned role, and time-accounting records are also stored on the RADIUS or LDAP
server for each user.
By default, the RADIUS and LDAP services are disabled, so AAA services default to the switch local
To enable RADIUS or LDAP service, HP recommends that you access the CLI through an SSH connection so
that the shared secret is protected. Multiple login sessions can configure simultaneously, and the last
session to apply a change leaves its configuration in effect. After a configuration is applied, it persists after
a reboot or an HA failover.
To enable LDAP service, you will need to install a certificate on the Microsoft Active Directory server.
The configuration applies to all switches and on a director the configuration replicates itself on a standby
CP blade if one is present. It is saved in a configuration upload and applied in a configuration download.
You should configure at least two RADIUS servers so that if one fails, the other will assume service.
You can set the configuration with both RADIUS or LDAP service and local authentication enabled so that if
the RADIUS or LDAP servers do not respond due to power failure or network problems, the switch uses
Effects of using RADIUS or LDAP service on Fabric OS features
Consider the following effects of the use of RADIUS or LDAP service on other Fabric OS features:
When RADIUS or LDAP service is enabled, all account passwords must be managed on the RADIUS or
LDAP server. The Fabric OS mechanisms for changing switch passwords remain functional; however,
such changes affect only the involved switches locally. They do not propagate to the RADIUS or LDAP
server, nor do they affect any account on the RADIUS or LDAP server.
When RADIUS or LDAP is set up for a fabric that contains a mix of switches with and without RADIUS
or LDAP support, the way a switch authenticates users depends on whether a RADIUS or LDAP server is
set up for that switch. For a switch with RADIUS or LDAP support and configuration, authentication
bypasses the local password database. For a switch without RADIUS or LDAP support or configuration,
authentication uses the switch's local account names and passwords.
The following behaviors apply to Web Tools:
• Web Tools client and server keep a session open after a user is authenticated. A password
change on a switch invalidates an open session and requires the user to log in again. When
integrated with RADIUS or LDAP, a switch password change on the RADIUS or LDAP server does
not invalidate an existing open session, although a password change on the local switch does.
Fabric OS 6.2 administrator guide