Virtual fabrics considerations, E_port authentication – Brocade Fabric OS Administrators Guide (Supporting Fabric OS v7.3.0) User Manual
Page 222
The peer secret uniquely identifies the entity to which the local switch authenticates. Every switch can
share a secret key pair with any other switch or host in a fabric.
To use DH-CHAP authentication, a secret key pair has to be configured on both switches. For more
information on setting up secret key pairs, refer to
on page 228.
When configured, the secret key pair is used for authentication. Authentication occurs whenever there
is a state change for the switch or port. The state change can be due to a switch reboot, a switch or
port disable and enable, or the activation of a policy.
FIGURE 14 DH-CHAP authentication
If you use DH-CHAP authentication, then a secret key pair must be installed only in connected fabric
elements. However, as connections are changed, new secret key pairs must be installed between
newly connected elements. Alternatively, a secret key pair for all possible connections may be initially
installed, enabling links to be arbitrarily changed while still maintaining a valid secret key pair for any
new connection.
The switch authentication (AUTH) policy initiates DH-CHAP/FCAP authentication on all E_Ports. This
policy is persistent across reboots, which means authentication will be initiated automatically on ports
or switches brought online if the policy is set to activate authentication. The AUTH policy is distributed
by command; automatic distribution of the AUTH policy is not supported.
The default configuration directs the switch to attempt FCAP authentication first, DH-CHAP second.
The switch may be configured to negotiate FCAP, DH-CHAP, or both.
The DH group is used in the DH-CHAP protocol only. The FCAP protocol exchanges the DH group
information, but does not use it.
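The requirement above that every connected pair of fabric elements hold a matching secret key pair is easy to break when links are re-cabled. The following is an added example, not code from the Fabric OS guide: it audits a planned set of E_Port links against the secret key pairs configured on each logical switch, flagging links where one side has no entry for the other or where the local/peer secrets do not cross-match. The WWNs, secrets and the `LogicalSwitch` and `SecretPair` types are constructed for illustration.

```python
"""Pre-flight audit of DH-CHAP secret key pairs for planned E_Port links.

Added example (not Fabric OS code). A link A<->B can authenticate only if
the local secret A configured for peer B equals the peer secret B
configured for A, and vice versa. All names, WWNs and secrets are
constructed sample data.
"""
from dataclasses import dataclass, field


@dataclass
class SecretPair:
    local_secret: str  # secret this switch presents to the peer
    peer_secret: str   # secret this switch expects the peer to present


@dataclass
class LogicalSwitch:
    wwn: str
    # peer WWN -> secret key pair configured on this logical switch
    secrets: dict[str, SecretPair] = field(default_factory=dict)


def link_auth_status(a: LogicalSwitch, b: LogicalSwitch) -> str:
    """Return 'ok', 'missing' (an entry is absent on one side) or
    'mismatch' (entries exist but the secrets do not cross-match)."""
    ab = a.secrets.get(b.wwn)
    ba = b.secrets.get(a.wwn)
    if ab is None or ba is None:
        return "missing"
    if ab.local_secret != ba.peer_secret or ab.peer_secret != ba.local_secret:
        return "mismatch"
    return "ok"


def audit_links(switches, links):
    """Map each planned ISL (wwn_a, wwn_b) to its authentication status."""
    by_wwn = {s.wwn: s for s in switches}
    return {(x, y): link_auth_status(by_wwn[x], by_wwn[y]) for x, y in links}


# Constructed sample fabric: three logical switches and one planned re-cabling
# (SW1<->SW3) for which no secret key pair was ever installed.
SW1 = LogicalSwitch("10:00:00:05:1e:00:00:01",
                    {"10:00:00:05:1e:00:00:02": SecretPair("s1to2", "s2to1")})
SW2 = LogicalSwitch("10:00:00:05:1e:00:00:02",
                    {"10:00:00:05:1e:00:00:01": SecretPair("s2to1", "s1to2"),
                     "10:00:00:05:1e:00:00:03": SecretPair("s2to3", "s3to2")})
SW3 = LogicalSwitch("10:00:00:05:1e:00:00:03",
                    {"10:00:00:05:1e:00:00:02": SecretPair("s3to2", "typo-here")})
LINKS = [(SW1.wwn, SW2.wwn), (SW2.wwn, SW3.wwn), (SW1.wwn, SW3.wwn)]

if __name__ == "__main__":
    for (x, y), status in audit_links([SW1, SW2, SW3], LINKS).items():
        print(f"{x} <-> {y}: {status}")
```

Because secrets are logical switch-wide under Virtual Fabrics, run the audit per logical switch rather than per chassis.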
Virtual Fabrics considerations
If Virtual Fabrics is enabled, all AUTH module parameters, such as shared secrets and shared switch
and device policies, are logical switch-wide. That means you must configure shared secrets and
policies separately on each logical switch and the shared secrets and policies must be set on each
switch prior to authentication. On logical switch creation, authentication takes default values for
policies and other parameters. FCAP certificates are installed on a chassis, but are configured on
each logical switch.
E_Port authentication
The authentication (AUTH) policy allows you to configure DH-CHAP authentication on switches with
Fabric OS v5.3.0 and later. By default the policy is set to PASSIVE and you can change the policy. All
53-1003130-01