Device Authentication Policy - HP StoreFabric SN6500B Administrator's Manual

Fabric OS Administrator's Guide, 7.1.0 (53-1002745-02, March 2013)
7 Authentication policy for fabric elements
Re-authenticating E_Ports
Use the authUtil --authinit command to re-initiate the authentication on selected ports. It provides
flexibility to initiate authentication for specified E_Ports, a set of E_Ports, or all E_Ports on the
switch. This command does not work on loop, NPIV and FICON devices, or on ports configured for
in-flight encryption. The command authUtil can re-initiate authentication only if the device was
previously authenticated. If the authentication fails because shared secrets do not match, the port
is disabled.
This command works independently of the authentication policy; this means you can initiate the
authentication even if the switch is in PASSIVE mode. This command is used to restart
authentication after changing the DH-CHAP group, hash type, or shared secret between a pair of
switches.
ATTENTION
This command may bring down E_Ports if the DH-CHAP shared secrets are not installed correctly.
1. Log in to the switch using an account with admin permissions, or an account with OM permissions for the Authentication RBAC class of commands.
2. Enter the authUtil --authinit command.

Example for specific ports on the switch

switch:admin> authutil --authinit 2,3,4

Example for all E_Ports on the switch

switch:admin> authutil --authinit allE

Example for Backbones using the slot/port format

switch:admin> authutil --authinit 1/1, 1/2

Device authentication policy

Device authentication policy can also be categorized as an F_Port, node port, or an HBA
authentication policy. Fabric-wide distribution of the device authentication policy is not supported
because the device authentication requires manual interaction in setting the HBA shared secrets
and switch shared secrets, and most of the HBAs do not support the defined DH groups for use in
the DH-CHAP protocol.
NOTE
Authentication is supported from Brocade fabric switches in native mode to Access Gateway
switches and from Access Gateway switches to HBAs. For more information, refer to the Access
Gateway Administrator's Guide, Supporting Fabric OS v7.1.0.
By default the device policy is in the OFF state, which means the switch clears the security bit in the
FLOGI (fabric login). The authUtil command provides an option to change the device policy mode to
select PASSIVE policy, which means the switch responds to authentication from any device and
does not initiate authentication to devices. When the policy is set to ON, the switch expects a FLOGI
with the FC-SP bit set. If not, the switch rejects the FLOGI with reason LS_LOGICAL_ERROR (0x03),
explanation "Authentication Required" (0x48), and disables the port. Regardless of the policy, the
F_Port is disabled if the DH-CHAP protocol fails to authenticate. If the HBA sets the FC-SP bit during
FLOGI and the switch sends a FLOGI accept with the FC-SP bit set, then the switch expects the HBA
to start the AUTH_NEGOTIATE. From this point on until the AUTH_NEGOTIATE is completed, all ELS
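The device policy behaviour described in this section (OFF clears the security bit, PASSIVE only answers device-initiated authentication, ON rejects a FLOGI without the FC-SP bit with LS_LOGICAL_ERROR 0x03 / explanation 0x48 and disables the port, and a failed DH-CHAP disables the F_Port under any policy) modelled as a small decision routine. This is an added example, not Brocade code and not part of the manual. The DH-CHAP exchange is replaced by a simplified CHAP-style challenge/response (a hash over transaction id, shared secret and challenge); that construction, and the function and class names used here, are assumptions made for illustration and do not reproduce the FC-SP wire format.

```python
"""Model of the Fabric OS device authentication policy (added illustration)."""
import hashlib
import hmac
import os
from dataclasses import dataclass
from enum import Enum
from typing import Optional

# Reject values quoted in the manual for a FLOGI without the FC-SP bit under ON.
LS_LOGICAL_ERROR = 0x03
EXPL_AUTHENTICATION_REQUIRED = 0x48


class DevicePolicy(Enum):
    OFF = "off"          # switch clears the security bit in FLOGI; no authentication
    PASSIVE = "passive"  # switch answers device-initiated auth, never initiates it
    ON = "on"            # FLOGI must carry the FC-SP bit or it is rejected


@dataclass
class FlogiResult:
    accepted: bool
    fcsp_bit_in_accept: bool = False
    port_disabled: bool = False
    reject_reason: Optional[int] = None
    reject_explanation: Optional[int] = None
    auth_required: bool = False   # switch now expects the HBA to start AUTH_NEGOTIATE


def chap_response(transaction_id: int, secret: bytes, challenge: bytes) -> bytes:
    """Simplified CHAP-style response (assumption: NOT the FC-SP DH-CHAP format)."""
    return hashlib.sha256(transaction_id.to_bytes(4, "big") + secret + challenge).digest()


def dh_chap_exchange(switch_secret: bytes, hba_secret: bytes, tid: int = 1) -> bool:
    """Simulated challenge/response: succeeds only if both sides hold the same secret."""
    challenge = os.urandom(16)
    expected = chap_response(tid, switch_secret, challenge)   # computed by the switch
    answer = chap_response(tid, hba_secret, challenge)        # computed by the HBA
    return hmac.compare_digest(expected, answer)


def handle_flogi(policy: DevicePolicy, hba_sets_fcsp_bit: bool,
                 switch_secret: bytes, hba_secret: bytes) -> FlogiResult:
    """Decide what the switch does with an incoming FLOGI under the given policy."""
    if policy is DevicePolicy.OFF:
        # Security bit cleared in the accept; no authentication takes place.
        return FlogiResult(accepted=True, fcsp_bit_in_accept=False)
    if not hba_sets_fcsp_bit:
        if policy is DevicePolicy.ON:
            # ON requires the FC-SP bit: reject and disable the port.
            return FlogiResult(accepted=False, port_disabled=True,
                               reject_reason=LS_LOGICAL_ERROR,
                               reject_explanation=EXPL_AUTHENTICATION_REQUIRED)
        # PASSIVE: the device did not ask for authentication, so none is run.
        return FlogiResult(accepted=True, fcsp_bit_in_accept=False)
    # FC-SP bit set: accept with the bit set, expect AUTH_NEGOTIATE, then DH-CHAP.
    # Regardless of policy, a failed DH-CHAP disables the F_Port.
    authenticated = dh_chap_exchange(switch_secret, hba_secret)
    return FlogiResult(accepted=True, fcsp_bit_in_accept=True,
                       auth_required=True, port_disabled=not authenticated)


if __name__ == "__main__":
    # Constructed secrets for the demonstration.
    good, bad = b"switch-and-hba-secret", b"wrong-secret-on-hba"
    for policy in DevicePolicy:
        for bit in (False, True):
            for hba in (good, bad):
                r = handle_flogi(policy, bit, good, hba)
                print(f"{policy.name:7} fcsp_bit={bit!s:5} secret_match={hba == good!s:5} "
                      f"accepted={r.accepted!s:5} port_disabled={r.port_disabled}")
```

The table the block prints makes the point a practitioner should keep in mind when turning the policy ON: the FC-SP bit only controls whether authentication starts, while the shared secret on both ends decides whether the port stays up, exactly as the manual states for the E_Port case with authUtil --authinit.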