DHCHAP
S e n d f e e d b a c k t o n x 5 0 0 0 - d o c f e e d b a c k @ c i s c o . c o m
Tip
If you change the hash algorithm configuration, then change it globally for all switches in the fabric.
RADIUS and TACACS+ protocols always use MD5 for CHAP authentication. Using SHA-1 as the hash
Caution
algorithm may prevent RADIUS and TACACS+ usage, even if these AAA protocols are enabled for
DHCHAP authentication.
Configuring the DHCHAP Hash Algorithm
To configure the hash algorithm, perform this task:
Command
Step 1
switch# configuration terminal
Step 2
switch(config)# fcsp dhchap hash
[md5] [sha1]
switch(config)# no fcsp dhchap hash
sha1
About the DHCHAP Group Settings
All Cisco Nexus 5000 Series switches support all DHCHAP groups specified in the standard: 0 (null DH
group, which does not perform the Diffie-Hellman exchange), 1, 2, 3, or 4.
If you change the DH group configuration, change it globally for all switches in the fabric.
Tip
Configuring the DHCHAP Group Settings
To change the DH group settings, perform this task:
Command
Step 1
switch# configuration terminal
Step 2
switch(config)# fcsp dhchap
dhgroup [0 | 1 | 2 | 3 | 4]
switch(config)# no fcsp dhchap
dhgroup [0 | 1 | 2 | 3 | 4]
About the DHCHAP Password
DHCHAP authentication in each direction requires a shared secret password between the connected
devices. To do this, you can use one of three configurations to manage passwords for all switches in the
fabric that participate in DHCHAP:
Cisco Nexus 5000 Series Switch CLI Software Configuration Guide
44-6
Purpose
Enters configuration mode.
Configures the use of the the MD5 or SHA-1 hash
algorithm.
Reverts to the factory default priority list of the MD5
hash algorithm followed by the SHA-1 hash algorithm.
Purpose
Enters configuration mode.
Prioritizes the use of DH groups in the configured order.
Reverts to the DHCHAP factory default order of 0, 4, 1, 2, and 3.
Chapter 44
Configuring FC-SP and DHCHAP
OL-16597-01