
Virtual fabrics support, Device authentication support, Supported policy modes – Brocade Access Gateway Administrator's Guide (Supporting Fabric OS v7.3.0) User Manual


Virtual Fabrics support

Although you cannot enable AG mode on a switch enabled for Virtual Fabrics or enable Virtual Fabrics
on an AG switch, you can connect ports on an AG switch to Virtual Fabrics.

Device authentication support

Devices use authentication as a mechanism to log in to switches only after exchanging DH-CHAP
authorization keys. This prevents any unauthorized device from logging in to the switch and fabric by
default.

Authentication policy is supported in the following configurations for Access Gateway switches.
Regardless of the enabled policy, the AG port is disabled if DH-CHAP or FCAP authentication between
the two ends fails.

Access Gateway switch N_Port connected to Brocade fabric switch F_Port. The N_Port should
enable authentication when authentication is enabled on the connected switch. This can be done
by enabling switch policy on the AG switch and device policy on the fabric switch.

Access Gateway switch F_Port connected to an HBA. The F_Port should also enable
authentication when the connected device sends a login request with authentication enabled.
This is done by enabling device policy on the AG switch.

By default, Brocade switches use the DH-CHAP or FCAP authentication protocols. For authentication
between fabric switches and AG switches, FCAP and DH-CHAP are used. If an FCAP certificate is
present on both the AG switch and the fabric switch, FCAP takes precedence over DH-CHAP. For
authentication between AG switches and HBAs, DH-CHAP is used because the HBA supports only DH-CHAP.

For details on installing FCAP certificates and creating DH-CHAP secrets on the switch in AG or native
mode, refer to the Fabric OS Administrator's Guide or Fabric OS Command Reference.

For general information on authentication, refer to the section on authentication policy for fabric
elements in the "Configuring Security Policies" chapter of the Fabric OS Administrator’s Guide.

Supported policy modes

The following switch and device policy modes are supported by Access Gateway:

On - Strict authentication is enforced on all ports. The ports on the AG connected to the switch
or device are disabled if the connecting switch or device does not support authentication or its
policy mode is set to off. During AG initialization, authentication is initiated on all ports automatically.

Off - The AG switch does not support authentication and rejects any authentication negotiation
request from the connected fabric switch or HBA. A fabric switch with the policy mode set to off
should not be connected to an AG switch with the policy mode set to on, since the on policy is strict
and the port is disabled if either switch rejects the authentication. You must configure DH-CHAP
shared secrets or install FCAP certificates on the AG and the connected fabric switch before switching
the policy from "off" to "on". Off is the default mode for both switch and device
policy.

Passive - The AG does not initiate authentication when connected to a device, but participates in
authentication if the connecting device initiates authentication. The AG will not initiate
authentication on ports, but accepts incoming authentication requests. Authentication will not
disable AG F_Ports if the connecting device does not support authentication or the policy mode is
set to off. Passive mode is the safest mode to use for devices connected to an AG switch if the
devices do not support authentication.

To perform authentication with switch policy, the on and off policy modes are supported on the AG
switch. To perform authentication with device policy, the on, off, and passive modes are supported on
the AG switch.
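As an added illustration (not code from this guide or from Fabric OS), the following Python models the policy-mode rules in this section together with the protocol-selection rule above, predicting what happens to an AG port for a given peer. The Peer model, the credential flag and all function names are assumptions made for the example.

```python
# Models the AG authentication policy rules: supported modes per policy type,
# FCAP/DH-CHAP selection, and the resulting port state for a given peer.
from dataclasses import dataclass
from enum import Enum


class Mode(Enum):
    ON = "on"
    OFF = "off"
    PASSIVE = "passive"


# Modes the guide lists as supported on the AG for each policy type.
SUPPORTED = {"switch": {Mode.ON, Mode.OFF},
             "device": {Mode.ON, Mode.OFF, Mode.PASSIVE}}


@dataclass
class Peer:  # assumed model of the device on the other end of the AG port
    kind: str                 # "fabric_switch" (AG N_Port) or "hba" (AG F_Port)
    supports_auth: bool
    mode: Mode = Mode.OFF     # the peer's own policy mode
    has_fcap_cert: bool = False


def select_protocol(peer: Peer, ag_has_fcap_cert: bool) -> str:
    """FCAP only when both sides hold a certificate; HBAs are DH-CHAP only."""
    if peer.kind == "hba":
        return "DH-CHAP"
    return "FCAP" if ag_has_fcap_cert and peer.has_fcap_cert else "DH-CHAP"


def port_outcome(ag_mode: Mode, peer: Peer, ag_has_fcap_cert: bool = False,
                 dhchap_secret_set: bool = True) -> str:
    """Return 'authenticated <protocol>', 'unauthenticated' or 'disabled'."""
    policy = "switch" if peer.kind == "fabric_switch" else "device"
    if ag_mode not in SUPPORTED[policy]:
        raise ValueError(f"{ag_mode.value} is not a supported {policy} policy mode on an AG")
    proto = select_protocol(peer, ag_has_fcap_cert)
    # Whichever side starts, the exchange fails (and the port disables) without credentials.
    authenticated = f"authenticated {proto}" if dhchap_secret_set or proto == "FCAP" else "disabled"
    peer_accepts = peer.supports_auth and peer.mode is not Mode.OFF
    peer_initiates = peer.supports_auth and peer.mode is Mode.ON
    if ag_mode is Mode.ON:          # strict: AG initiates on every port
        return authenticated if peer_accepts else "disabled"
    if ag_mode is Mode.OFF:         # AG rejects negotiation; a strict peer drops the link
        return "disabled" if peer_initiates else "unauthenticated"
    # PASSIVE: AG answers but never initiates, and keeps the port up for peers that cannot authenticate
    return authenticated if peer_initiates else "unauthenticated"
```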

Access Gateway Administrator's Guide

17

53-1003126-01