Upgrade And Downgrade Considerations; How To Set The Account Lockout Policy; Managing Fabric Os Users On The Radius Server; Switch To Radius Server Interaction - HP AA979A - StorageWorks SAN Switch 2/8V Administrator's Manual

HP StorageWorks Fabric OS 5.2.x Administrator Guide (5697-0014, November 2009)

Upgrade and downgrade considerations

If you are upgrading from a 5.0.x environment to 5.2.x, the existing password databases do not contain
the state information that implements password expiration. So, when the password expiration policy is first
set after an upgrade to 5.2.x, any user who has not changed their password will have their password
expiration period set to the maximum password expiration period. You must explicitly define the password
expiration for users who have not performed a password change subsequent to the upgrade.
For example:
March 1—Using a 5.0.x Fabric OS release, User A changes her password.
April 1—Upgrade to 5.2.x.
May 1—User B changes his password.
June 1—The password configuration parameter MaxPasswordAge is set to 90 days.
User A's password will expire on September 1. User B's password will expire on August 1.

How to set the account lockout policy

The account lockout policy disables a user account when that user exceeds a specified number of failed
login attempts, and is enforced across all user accounts. You can configure this policy to keep the account
locked until explicit administrative action is taken to unlock it, or the locked account can be automatically
unlocked after a specified period. Administrators can unlock a locked account at any time.
A failed login attempt counter is maintained for each user on each switch instance. The counters for all user
accounts are reset to zero when the account lockout policy is enabled. The counter for an individual
account is reset to zero when the account is unlocked after a LockoutDuration period expires.
Note that the account locked state is distinct from the account-disabled state.
Use the following attributes to set the account lockout policy:
LockoutThreshold
Specifies the number of times a user can attempt to log in using an incorrect password before the
account is locked. The number of failed login attempts is counted from the last successful login.
LockoutThreshold values range from 0 to 999, and the default value is 0. Setting the value to 0
disables the lockout mechanism.
LockoutDuration
Specifies the time, in minutes, after which a previously locked account is automatically unlocked.
LockoutDuration values range from 0 to 99999, and the default value is 30. Setting the value to 0
disables the automatic unlock, so the account stays locked until an administrator unlocks it.
The lockout duration begins with the first login attempt after the LockoutThreshold has been reached.
Subsequent failed login attempts do not extend the lockout period.
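The lockout rules above have several interacting details (the counter is measured from the last successful login, the duration clock starts only with the first attempt after the threshold is reached, later failures do not extend it, and a value of 0 for either attribute changes the behaviour). The following simulation is an added example to make those semantics concrete; it is not Fabric OS code, and the account names and minute-based clock values are constructed. Resetting the counter on an administrative unlock is an assumption, since the text only states the reset for the timed unlock.

```python
"""Simulation of the account lockout semantics described in the manual.
Added example, not Fabric OS code; users and clock values are constructed."""
from dataclasses import dataclass, field
from typing import Dict, Optional


@dataclass
class AccountState:
    failed_attempts: int = 0                 # failures since the last successful login
    locked: bool = False
    lock_started_at: Optional[int] = None    # minute at which the LockoutDuration clock began


@dataclass
class LockoutPolicy:
    lockout_threshold: int = 0     # 0..999; 0 disables the mechanism (default 0)
    lockout_duration: int = 30     # minutes, 0..99999; 0 means only an administrator can unlock
    accounts: Dict[str, AccountState] = field(default_factory=dict)

    def enable(self) -> None:
        """Enabling the policy resets every account's counter to zero."""
        for st in self.accounts.values():
            st.failed_attempts = 0

    def _state(self, user: str) -> AccountState:
        return self.accounts.setdefault(user, AccountState())

    def is_locked(self, user: str) -> bool:
        return self._state(user).locked

    def admin_unlock(self, user: str) -> None:
        """Administrators can unlock at any time (counter reset here is an assumption)."""
        st = self._state(user)
        st.locked, st.lock_started_at, st.failed_attempts = False, None, 0

    def attempt_login(self, user: str, password_ok: bool, now: int) -> str:
        """Returns 'success', 'failed' or 'locked'; `now` is a minute counter."""
        st = self._state(user)
        if st.locked:
            if st.lock_started_at is None:
                # The duration clock starts with the first attempt after the threshold was reached.
                st.lock_started_at = now
                return "locked"
            if self.lockout_duration and now - st.lock_started_at >= self.lockout_duration:
                # Automatic unlock after LockoutDuration; the counter is reset to zero.
                st.locked, st.lock_started_at, st.failed_attempts = False, None, 0
            else:
                # Further attempts, failed or not, do not extend the lockout period.
                return "locked"
        if password_ok:
            st.failed_attempts = 0       # counting restarts from the last successful login
            return "success"
        st.failed_attempts += 1
        if self.lockout_threshold and st.failed_attempts >= self.lockout_threshold:
            st.locked = True
            st.lock_started_at = None    # clock has not started yet
        return "failed"
```

With LockoutThreshold 3 and LockoutDuration 30, three failures lock the account, the next attempt (even with the correct password) is rejected and starts the 30-minute clock, and the first attempt at or after 30 minutes is evaluated normally with a zeroed counter. With LockoutDuration 0 the account remains locked until admin_unlock is called.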

Managing Fabric OS users on the RADIUS server

All existing Fabric OS mechanisms for managing switch-local user accounts and passwords remain
functional when the switch is configured to use RADIUS. Changes made to the switch-local database do
not propagate to the RADIUS server, nor do the changes affect any account on the RADIUS server.

Switch to RADIUS server interaction

When configured to use RADIUS, the switch acts as a Network Access Server (NAS) and RADIUS client.
The switch sends all AAA service requests to the RADIUS server, following the RFC 2865 protocol. The
RADIUS server receives the request packet, validates the request, and sends response packets back to the
switch.
A switch can be configured to try both RADIUS and local switch authentication.
For chassis-based systems such as the 4/256 SAN Director, the switch IP addresses are aliases of the
physical Ethernet interfaces on the CP blades. When specifying client IP addresses for the logical switches
in such systems, make sure the CP IP addresses are used. For accessing both the active and standby CP,
and for the purpose of HA failover, both CP IP addresses of a chassis should be included in the RADIUS
server configuration.
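To show what the RFC 2865 exchange between the switch (as NAS) and the RADIUS server looks like on the wire, the following added example builds an Access-Request with User-Name, User-Password and NAS-IP-Address attributes, answers it with an Access-Accept or Access-Reject, and has the client side verify the Response Authenticator before trusting the answer. This is illustrative code, not Fabric OS or any RADIUS server's implementation; the shared secret, the user database and the NAS address are constructed values. Each exchange uses a fresh random Request Authenticator, and the check on the client side is what lets the NAS discard a reply whose sender does not hold the shared secret.

```python
"""RFC 2865 Access-Request / Access-Accept exchange, both sides in one file.
Added example, not Fabric OS code; secret, users and NAS address are constructed."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3      # packet codes, RFC 2865 s.3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS = 1, 2, 4          # attribute types, RFC 2865 s.5
SHARED_SECRET = b"constructed-shared-secret"                # constructed, not a real secret
USER_DB = {"admin": "constructed-password"}                 # constructed server-side user store
NAS_IP = bytes([192, 0, 2, 10])                             # constructed documentation address


def attr(atype: int, value: bytes) -> bytes:
    """Type, Length (covers these two bytes too), Value."""
    return struct.pack("!BB", atype, len(value) + 2) + value


def parse_attrs(raw: bytes) -> dict:
    attrs, i = {}, 0
    while i < len(raw):
        atype, alen = raw[i], raw[i + 1]
        if alen < 2 or i + alen > len(raw):
            raise ValueError("malformed attribute")
        attrs[atype] = raw[i + 2:i + alen]
        i += alen
    return attrs


def hide_password(password: bytes, secret: bytes, req_auth: bytes) -> bytes:
    """RFC 2865 s.5.2: each 16-byte chunk is XORed with MD5(secret + previous block)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", req_auth
    for i in range(0, len(padded), 16):
        block = hashlib.md5(secret + prev).digest()
        prev = bytes(x ^ y for x, y in zip(padded[i:i + 16], block))
        out += prev
    return out


def reveal_password(hidden: bytes, secret: bytes, req_auth: bytes) -> bytes:
    out, prev = b"", req_auth
    for i in range(0, len(hidden), 16):
        block = hashlib.md5(secret + prev).digest()
        chunk = hidden[i:i + 16]
        out += bytes(x ^ y for x, y in zip(chunk, block))
        prev = chunk
    return out.rstrip(b"\x00")


def build_packet(code: int, ident: int, authenticator: bytes, attrs: bytes) -> bytes:
    return struct.pack("!BBH", code, ident, 20 + len(attrs)) + authenticator + attrs


def parse_packet(data: bytes):
    code, ident, length = struct.unpack("!BBH", data[:4])
    if length < 20 or length != len(data):
        raise ValueError("bad length")
    return code, ident, data[4:20], data[20:]


def response_authenticator(code, ident, req_auth, attrs, secret) -> bytes:
    """RFC 2865 s.3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + req_auth + attrs + secret).digest()


def nas_build_request(ident: int, username: str, password: str, req_auth: bytes) -> bytes:
    attrs = (attr(USER_NAME, username.encode())
             + attr(USER_PASSWORD, hide_password(password.encode(), SHARED_SECRET, req_auth))
             + attr(NAS_IP_ADDRESS, NAS_IP))
    return build_packet(ACCESS_REQUEST, ident, req_auth, attrs)


def radius_server_handle(request: bytes) -> bytes:
    code, ident, req_auth, raw = parse_packet(request)
    if code != ACCESS_REQUEST:
        raise ValueError("unexpected packet code")
    attrs = parse_attrs(raw)
    name = attrs[USER_NAME].decode()
    pw = reveal_password(attrs[USER_PASSWORD], SHARED_SECRET, req_auth)
    ok = name in USER_DB and hmac.compare_digest(pw, USER_DB[name].encode())
    rcode = ACCESS_ACCEPT if ok else ACCESS_REJECT
    resp_attrs = b""   # no reply attributes in this example
    auth = response_authenticator(rcode, ident, req_auth, resp_attrs, SHARED_SECRET)
    return build_packet(rcode, ident, auth, resp_attrs)


def nas_check_response(response: bytes, ident: int, req_auth: bytes):
    """Returns (authenticator_valid, code); a reply that fails the check must be dropped."""
    code, rid, auth, raw = parse_packet(response)
    expected = response_authenticator(code, rid, req_auth, raw, SHARED_SECRET)
    return rid == ident and hmac.compare_digest(auth, expected), code


def authenticate(username: str, password: str, corrupt_reply: bool = False):
    """Full exchange; returns (reply_authenticator_valid, access_accepted)."""
    ident, req_auth = 7, os.urandom(16)          # constructed identifier, fresh authenticator
    response = radius_server_handle(nas_build_request(ident, username, password, req_auth))
    if corrupt_reply:
        # A reply whose Code was altered in transit no longer matches its authenticator.
        response = bytes([ACCESS_ACCEPT]) + response[1:]
    valid, code = nas_check_response(response, ident, req_auth)
    return valid, code == ACCESS_ACCEPT
```

A correct password yields a verified Access-Accept, a wrong password a verified Access-Reject, and a reply altered in transit fails the authenticator check regardless of its Code field. The example omits the Message-Authenticator attribute and the HA considerations in the text; in a chassis-based system the server would see requests from either CP IP address, which is why both must be registered as clients.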
Managing user accounts