About the DHCHAP Group Settings; Configuring the DHCHAP Group Settings; About the DHCHAP Password - Cisco AP776A - Nexus Converged Network Switch 5020 Configuration Manual

Cisco MDS 9000 Family CLI Configuration Guide - Release 4.x (OL-18084-01, February 2009)

Chapter 38
Configuring FC-SP and DHCHAP
Send documentation comments to mdsfeedback-doc@cisco.com

About the DHCHAP Group Settings

All switches in the Cisco MDS Family support all DHCHAP groups specified in the standard: 0 (null DH group, which does not perform the Diffie-Hellman exchange), 1, 2, 3, or 4.

Tip: If you change the DH group configuration, change it globally for all switches in the fabric.

Configuring the DHCHAP Group Settings

To change the DH group settings, follow these steps:

Step 1
Command: switch# config t
Purpose: Enters configuration mode.

Step 2
Command: switch(config)# fcsp dhchap group 2 3 4
Purpose: Prioritizes the use of DH group 2, 3, and 4 in the configured order.

Command: switch(config)# no fcsp dhchap group 0
Purpose: Reverts to the DHCHAP factory default order of 0, 4, 1, 2, and 3.

About the DHCHAP Password

DHCHAP authentication in each direction requires a shared secret password between the connected devices. To do this, you can use one of three approaches to manage passwords for all switches in the fabric that participate in DHCHAP:

Approach 1—Use the same password for all switches in the fabric. This is the simplest approach. When you add a new switch, you use the same password to authenticate that switch in this fabric. It is also the most vulnerable approach if someone from the outside maliciously attempts to access any one switch in the fabric.

Approach 2—Use a different password for each switch and maintain that password list in each switch in the fabric. When you add a new switch, you create a new password list and update all switches with the new list. Accessing one switch yields the password list for all switches in that fabric.

Approach 3—Use different passwords for different switches in the fabric. When you add a new switch, multiple new passwords corresponding to each switch in the fabric must be generated and configured in each switch. Even if one switch is compromised, the passwords of other switches are still protected. This approach requires considerable password maintenance by the user.

Note: All passwords are restricted to 64 alphanumeric characters and can be changed, but not deleted.

Tip: We recommend using RADIUS or TACACS+ for fabrics with more than five switches. If you need to use a local password database, you can continue to do so using Approach 3 and using the Cisco MDS 9000 Family Fabric Manager to manage the password database.
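The Tip in the DH group section asks for the same group configuration on every switch in the fabric. The following is an added example, not part of the Cisco guide, that checks this across saved configuration text and reports switches whose effective order still includes the null DH group 0. It assumes a saved configuration carries the fcsp dhchap group line in the same form as it is typed at the CLI; the switch names and config excerpts are constructed.

```python
import re
from collections import Counter

# Factory default priority order, as stated in the guide.
FACTORY_DEFAULT = (0, 4, 1, 2, 3)
# Assumption: saved configs carry the line exactly as it is typed at the CLI.
GROUP_LINE = re.compile(r"^\s*(no\s+)?fcsp\s+dhchap\s+group\b(.*)$")

def effective_groups(config_text):
    """Return the DH group priority order that a config text results in."""
    order = FACTORY_DEFAULT
    for line in config_text.splitlines():
        m = GROUP_LINE.match(line)
        if not m:
            continue
        if m.group(1):  # the "no" form reverts to the factory default
            order = FACTORY_DEFAULT
            continue
        groups = tuple(int(tok) for tok in m.group(2).split())
        if not groups or len(set(groups)) != len(groups) \
                or any(g not in range(5) for g in groups):
            raise ValueError(f"invalid DH group list: {line.strip()!r}")
        order = groups
    return order

def audit_fabric(configs):
    """configs maps switch name -> config text; returns (switch, finding, order)."""
    orders = {name: effective_groups(text) for name, text in configs.items()}
    if not orders:
        return []
    # Treat the most common order as the intended fabric-wide setting.
    expected = Counter(orders.values()).most_common(1)[0][0]
    findings = []
    for name in sorted(orders):
        if orders[name] != expected:
            findings.append((name, "MISMATCH", orders[name]))
        if 0 in orders[name]:  # null DH group: no Diffie-Hellman exchange
            findings.append((name, "NULL_DH_GROUP", orders[name]))
    return findings

# Constructed sample: hypothetical switch names and config excerpts.
SAMPLE = {
    "mds-a": "fcsp dhchap group 2 3 4\n",
    "mds-b": "fcsp dhchap group 2 3 4\n",
    "mds-c": "",  # no group line, so the factory default order applies
}

if __name__ == "__main__":
    for finding in audit_fabric(SAMPLE):
        print(finding)
```

With the sample input, mds-c is reported twice: once because its order differs from the rest of the fabric, and once because the factory default order still includes group 0.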