Configuring dh-chap shared secrets – Brocade Network OS Administrator’s Guide v4.1.1 User Manual
Page 308

By default, the policy is set to PASSIVE, and you can change it. All changes to the AUTH policy take effect during the next authentication request. This includes starting authentication on all E_Ports on the local switch if the policy is changed to ON or ACTIVE, and clearing the authentication requirement if the policy is changed to OFF.
Authentication policy configuration is not distributed across the cluster. Use the RBridge ID of the node when configuring protocol and policy settings.
You can set the authentication policy to any of the values listed in the following table. The remaining attributes are optional.

TABLE 54 User account attributes

Setting | Description
ON | Strict authentication is enforced on all E_Ports. During switch initialization, authentication is initiated on all E_Ports automatically. The authentication handshake is completed before the switches exchange the fabric parameters (EFP) for E_Port bring-up. If the connecting switch does not support authentication, or its policy is turned off, all ports are disabled and the ISL goes down.
ACTIVE | A switch with an ACTIVE policy is more tolerant and can connect to a device with any type of policy. During switch initialization, authentication is initiated on all E_Ports, but the port is not disabled if the connecting switch does not support authentication or its authentication policy is turned off.
PASSIVE (default) | The switch does not initiate authentication, but participates in authentication if the connecting switch initiates it. The switch does not start authentication on E_Ports, but accepts incoming authentication requests, and the port is not disabled if the connecting switch does not support authentication or its policy is turned off.
OFF | The switch does not support authentication, and rejects any authentication negotiation request from a neighbor switch or device. A switch with the policy set to OFF should not be connected to a switch with a policy set to ON. A policy set to ON is strict and disables the port if a peer rejects the authentication. DH-CHAP shared secrets must be configured on both sides of the connection before you can change the policy from OFF to ON.
The behavior of the policy between two adjacent switches is defined as follows:
• If the policy is ON or ACTIVE, the switch sends an Authentication Negotiation request to the connecting device.
• If the connecting device does not support authentication or its policy is OFF, the request is rejected.
• Once the authentication negotiation succeeds, DH-CHAP authentication is initiated. If DH-CHAP authentication fails, the port is disabled, regardless of the policy settings.
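The policy interactions described in the table and the bullets above can be modelled as a small decision function. The following is an added example in Python, not code from this guide or from Network OS; it assumes that a peer that does not support authentication behaves like a peer whose policy is OFF, and it enumerates which policy pairs bring the ISL up without DH-CHAP authentication, which is the case an operator auditing a fabric wants to spot.

```python
from enum import Enum
from itertools import product


class Policy(Enum):
    """Authentication policy values from TABLE 54."""
    ON = "ON"
    ACTIVE = "ACTIVE"
    PASSIVE = "PASSIVE"
    OFF = "OFF"  # assumption: an unsupported peer is modelled as OFF


def initiates(policy):
    """ON and ACTIVE send an Authentication Negotiation request."""
    return policy in (Policy.ON, Policy.ACTIVE)


def accepts(policy):
    """Every policy except OFF participates when the peer initiates."""
    return policy is not Policy.OFF


def isl_outcome(local, peer, dhchap_succeeds=True):
    """Return (authenticated, isl_up) for one ISL between two switches.

    dhchap_succeeds models whether the shared secrets on both sides match.
    """
    negotiated = (initiates(local) and accepts(peer)) or \
                 (initiates(peer) and accepts(local))
    if not negotiated:
        # No negotiation took place or the request was rejected.
        # A strict (ON) switch disables its port, which takes the ISL down;
        # ACTIVE, PASSIVE and OFF leave the link up but unauthenticated.
        isl_up = Policy.ON not in (local, peer)
        return False, isl_up
    # Negotiation succeeded, so DH-CHAP runs; a failure disables the port
    # regardless of policy.
    return dhchap_succeeds, dhchap_succeeds


def unauthenticated_links():
    """Policy pairs (sorted, deduplicated) whose ISL comes up without DH-CHAP."""
    found = set()
    for a, b in product(Policy, repeat=2):
        authenticated, up = isl_outcome(a, b)
        if up and not authenticated:
            found.add(tuple(sorted((a.value, b.value))))
    return sorted(found)


if __name__ == "__main__":
    for pair in unauthenticated_links():
        print("ISL up without authentication:", pair)
```

Note that PASSIVE on both ends, the default, brings the ISL up with no authentication at all because neither side initiates.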
The policy defines how the local switch responds if the connecting switch does not support authentication. By default, the policy is set to PASSIVE, and you can change it with the fcsp auth command. This includes starting authentication on all E_Ports if the policy is changed to ON or ACTIVE, and clearing the authentication requirement if the policy is changed to OFF. Before enabling the policy, you must install the DH-CHAP shared secrets. Refer to Configuring DH-CHAP shared secrets.
Configuring DH-CHAP shared secrets
To configure the DH-CHAP shared secrets, execute the fcsp auth-secret command in privileged EXEC mode. Provide the following information as shown in the example:
Network OS Administrator’s Guide
53-1003225-04