Brocade Network OS Administrator’s Guide v4.1.1 User Manual

Configuring Fabric Authentication

Fabric authentication overview......................................................................................303

Understanding fabric authentication..............................................................................307

Configuring port security............................................................................................... 314

Fabric authentication overview

When you connect a Brocade VCS Fabric to a Fabric OS fabric, the Network OS Fibre Channel E_Ports
on the Brocade VDX 6730 connect through Inter-Switch Links (ISLs) to EX_Ports on an FC router,
which in turn connects to the Fabric OS network, as shown in Fibre Channel ports overview on page 199.

To ensure that no unauthorized device can join the fabric, Network OS supports security policies and
protocols that authenticate the Network OS E_Ports to the EX_Ports on the FC router (FCR) that
provides access to SAN storage and services.

DH-CHAP

Network OS uses the Diffie-Hellman Challenge Handshake Authentication Protocol (DH-CHAP) to
control access between devices. DH-CHAP is a shared-secret (password-based) challenge-response
protocol with an optional Diffie-Hellman (DH) key exchange: the two ports first negotiate a hash
algorithm and a DH group, then authenticate each other. Network OS supports MD5 and SHA-1 as the
hash algorithms for the challenge response.

The Fibre Channel Security Protocol (FC-SP) standard defines the DH groups used by DH-CHAP. Following
the current FC-SP standard, Network OS supports the following DH groups:

• 00 - DH null option (no DH exchange)
• 01 - 1024-bit DH group (modulus size)
• 02 - 1280-bit DH group
• 03 - 1536-bit DH group
• 04 - 2048-bit DH group

With the null group, DH-CHAP reduces to plain CHAP: the response to a challenge depends only on the
challenge and the shared secret, so anyone who captures the exchange can test guessed secrets against
it offline. A non-null group mixes an ephemeral DH value into the response, so a captured exchange
alone is not enough to test guesses. Prefer a non-null group and long, random secrets wherever both
sides support them.

To configure DH-CHAP authentication between Network OS switches (E_Ports) and FC routers
(EX_Ports) you must apply a matching configuration to both sides of the connection. Each device must
be configured locally.

NOTE
The Brocade VDX 6730-32 and VDX 6730-76 are the only platforms that can connect to an FC router
providing access to a SAN network of Fabric OS switches.
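The following Python model is added here to illustrate the exchange described above; it is not Network OS code and not an FC-SP reference implementation. The message layout, the negotiation logic and the exact response construction are simplified, the 1024-bit modulus is the RFC 2409 group that FC-SP uses for DH group 01, and the function names (negotiate, response, dhchap, offline_guess) and all secrets are invented for the example. It runs a mutual DH-CHAP authentication between two sides that each hold a local/peer secret pair (first matching, then with a typo on one side), and then shows why the DH group matters: a passive observer can test guessed secrets against a captured null-group exchange but not against one that used a real DH group.

```python
"""Toy model of an FC-SP DH-CHAP exchange between two Fibre Channel ports.

Added example for this page: not Network OS code and not a byte-exact FC-SP
encoding. Message contents and the response construction are simplified.
"""
import hashlib
import secrets

# RFC 2409 section 6.2 "Second Oakley Group" (1024-bit MODP), the modulus FC-SP
# uses for DH group 01. Groups 02-04 (1280/1536/2048-bit) are omitted here.
P_1024 = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF", 16)
DH_GROUPS = {0: None, 1: (P_1024, 2)}            # 00 = null group, 01 = 1024-bit
HASHES = {"MD5": hashlib.md5, "SHA-1": hashlib.sha1}


def _h(hname, *parts):
    h = HASHES[hname]()
    for part in parts:
        h.update(part)
    return h.digest()


def _i2b(n):
    return n.to_bytes((n.bit_length() + 7) // 8, "big")


def negotiate(offered_hashes, offered_groups, accepted_hashes, accepted_groups):
    """AUTH_Negotiate: the responder takes the first hash and DH group from the
    initiator's lists that it also supports; None means no common parameters."""
    hname = next((h for h in offered_hashes if h in accepted_hashes), None)
    group = next((g for g in offered_groups if g in accepted_groups), None)
    return None if hname is None or group is None else (hname, group)


def response(hname, tid, secret, challenge, dh_shared):
    """Response value H(T || secret || H(C || g^xy)). With the null group g^xy is
    empty, so the value depends on the challenge and the secret alone (plain CHAP)."""
    return _h(hname, tid, secret, _h(hname, challenge, dh_shared))


def dhchap(hname, group_id, a_keys, b_keys, tid=b"\x00\x00\x00\x01"):
    """Mutual DH-CHAP: A issues the challenge, B replies and challenges back.
    a_keys and b_keys are each side's configured (local_secret, peer_secret).
    Returns (A accepts B, B accepts A, what a passive wire observer captured)."""
    a_local, a_peer = a_keys
    b_local, b_peer = b_keys
    size = HASHES[hname]().digest_size
    c1, c2 = secrets.token_bytes(size), secrets.token_bytes(size)   # nonces
    if DH_GROUPS[group_id] is None:                 # null group: no DH values on the wire
        gx = gy = 0
        k_a = k_b = b""
    else:
        p, g = DH_GROUPS[group_id]
        x, y = secrets.randbelow(p - 2) + 2, secrets.randbelow(p - 2) + 2
        gx, gy = pow(g, x, p), pow(g, y, p)        # sent with the challenge / reply
        k_a, k_b = _i2b(pow(gy, x, p)), _i2b(pow(gx, y, p))   # g^xy, never on the wire
    r1 = response(hname, tid, b_local, c1, k_b)    # B proves itself with its local secret
    a_ok = r1 == response(hname, tid, a_peer, c1, k_a)   # A checks with its peer secret
    r2 = response(hname, tid, a_local, c2, k_a)    # A answers B's counter-challenge
    b_ok = r2 == response(hname, tid, b_peer, c2, k_b)
    captured = {"hash": hname, "tid": tid, "c1": c1, "gx": gx, "r1": r1,
                "c2": c2, "gy": gy, "r2": r2}
    return a_ok, b_ok, captured


def offline_guess(captured, candidates):
    """Passive attacker with only the captured exchange: recompute r1 for each
    candidate secret. Works for the null group (g^xy is empty), fails otherwise
    because g^xy cannot be derived from g^x and g^y."""
    for cand in candidates:
        guess = response(captured["hash"], captured["tid"], cand, captured["c1"], b"")
        if guess == captured["r1"]:
            return cand
    return None


if __name__ == "__main__":
    # Constructed secrets: each side holds (its own secret, the peer's secret).
    side_a = (b"e-port-secret-A", b"ex-port-secret-B")
    side_b = (b"ex-port-secret-B", b"e-port-secret-A")
    params = negotiate(["MD5", "SHA-1"], [0, 1], ["SHA-1"], [1])
    print("negotiated:", params, "->", dhchap(*params, side_a, side_b)[:2])
    print("peer secret typo on B ->", dhchap("SHA-1", 1, side_a, (side_b[0], b"typo"))[:2])
    for gid in (0, 1):
        _, _, cap = dhchap("MD5", gid, side_a, side_b)
        print("group", gid, "offline guess:",
              offline_guess(cap, [b"guess", b"ex-port-secret-B"]))
```

Note how the key pair is mirrored: side A's peer secret is side B's local secret and vice versa, which is exactly the "matching configuration on both sides" the text requires; a typo in one peer secret lets that side still authenticate itself while failing to authenticate its neighbour.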

Shared secret keys

When you configure device ports for DH-CHAP authentication, you define a pair of shared secrets
known to both devices as a secret key pair. A key pair consists of a local secret and a peer secret. The
local secret uniquely identifies the local device. The peer secret uniquely identifies the entity to which

Network OS Administrator’s Guide, page 303, document 53-1003225-04