Device Security - Qlogic SANbox2-8c Installation Manual

Fibre channel switch

Hide thumbs Also See for SANbox2-8c:

Installation manual (184 pages)

Table Of Contents

100

101

102

103

104

105

106

107

108

109

110

111

112

113

114

115

116

117

118

119

120

121

122

123

124

125

126

127

128

129

130

131

132

133

134

135

136

137

138

139

140

141

142

143

144

145

146

147

148

149

150

151

152

153

154

155

156

157

158

159

160

161

162

163

164

165

166

167

168

169

170

171

172

173

174

175

176

177

178

179

180

181

182

183

184

185

186

187

188

189

190

191

192

193

194

195

196

197

198

199

200

201

202

203

204

205

206

207

208

209

210

211

212

213

214

215

216

217

218

219

220

221

222

223

224

225

226

227

228

229

230

231

232

233

234

235

236

237

238

239

240

241

242

243

244

245

246

247

248

249

250

251

252

253

254

255

256

Table of Contents

3 – Planning

Fabric Security

3.6.2

Device Security

Device security provides for the authorization and authentication of devices that

you attach to a switch. You can configure a switch with a group of devices against

which the switch authorizes new attachments by devices, other switches, or

devices issuing management server commands. Device security is configured

through the use of security sets and groups. A group is a list of device worldwide

names that are authorized to attach to a switch. There are three types of groups:

one for other switches (ISL), another for devices (port), and a third for devices

issuing management server commands (MS). A security set is a set of up to three

groups with no more than one of each group type. The security configuration is

made up of all security sets on the switch. The security database has the following

limits:

Maximum number of security sets is 4.

Maximum number of groups is 16.

Maximum number of members in a group is 1000.

Maximum total number of group members is 1000.

In addition to authorization, the switch can be configured to require authentication

to validate the identity of the connecting switch, device, or host. Authentication

can be performed locally using the switch's security database, or remotely using

a Remote Dial-In User Service (RADIUS) server such as Microsoft® RADIUS.

With a RADIUS server, the security database for the entire fabric resides on the

server. In this way, the security database can be managed centrally, rather than

on each switch. You can configure up to five RADIUS servers to provide failover.

You can configure the RADIUS server to authenticate just the switch or both the

switch and the initiator device if the device supports authentication. When using a

RADIUS server, every switch in the fabric must have a network connection. A

RADIUS server can also be configured to authenticate user accounts as

described in

required to authenticate user logins with a RADIUS server. Refer to

Security" on page 3-13

Consider the devices, switches, and management agents and evaluate the need

for authorization and authentication. Also consider whether the security database

is to distributed on the switches or centralized on a RADIUS server and how many

servers to configure.

The following examples illustrate how to configure a security database:

Security Example: Switches and HBAs

Security Example: RADIUS Server

Security Example: Host Authentication

3-14

"User Account Security" on page

for more information.

3-24. A secure connection is

"Connection

59042-08 A

Table of Contents

Device Security - Qlogic SANbox2-8c Installation Manual

Device Security

Related Manuals for Qlogic SANbox2-8c

Related Content for Qlogic SANbox2-8c

Table of Contents