HP Brocade 4Gb SAN Switch for HP BladeSystem p-Class User Manual
Fabric OS 5.0.0 procedures user guide
Consider the following effects of the use of RADIUS service on other Fabric OS features:
• When RADIUS service is enabled, all account passwords must be managed on the RADIUS server. The
Fabric OS mechanisms for changing switch passwords remain functional; however, such changes
affect only the involved switches locally. They do not propagate to the RADIUS server, nor do they
affect any account on the RADIUS server.
• When RADIUS is set up for a fabric that contains a mix of switches running v4.4.0 and v3.2.0 or
earlier, the way a switch authenticates users depends on whether a RADIUS server is set up for that
switch. For a switch with RADIUS support and configuration, authentication bypasses the local
password database. For a switch without RADIUS support or configuration, authentication uses the
switch’s local account names and passwords.
• When Secure Fabric OS secure mode is enabled, the following items apply:
• Account passwords are distributed among all switches in the same fabric. An account that resides
on several switches has the same password on all of them. This model applies with RADIUS
integration; however, such distribution affects only the switch’s local password database.
• There are separate admin and nonfcsadmin roles in secure mode. A nonfcsadmin account on a
RADIUS server cannot access FCS switches, even if the account is properly authenticated.
• If a nonfcsadmin account on a RADIUS server logs in to a switch in nonsecure mode, the switch
treats the role like the admin role, and grants the access.
• The following items apply to Advanced Web Tools:
• Advanced Web Tools client and server keep a session open after a user is authenticated. A
password change on a switch invalidates an open session and requires the user to log in again.
When integrated with RADIUS, a switch password change on the RADIUS server does not
invalidate an existing open session, although a password change on the local switch does.
• If you cannot log in because of a RADIUS server connection problem, Advanced Web Tools
displays a message indicating server outage.
• The following items apply to API:
• When an older version of the API host library authenticates against a switch with RADIUS support,
the host performs the login. However, the old host library does not recognize the role returned from
the switch, which can result in the host displaying an incorrect read or write attribute for an
account. The switch library performs the permission check again for individual API function calls.
• API provides functions for RADIUS configuration that share the behavior of the aaaConfig CLI
command.
• The following items apply to both Advanced Web Tools and API:
• Users can log in using account names and passwords configured on the RADIUS server and gain
access with the switch roles defined there.
• Users can log in through API using account names and passwords configured on the RADIUS
server and gain access with the switch roles defined there.
• When a proxy switch is used, the switch-side component performs authentication on the proxy
switch, rather than on the destination switch. Therefore, to use RADIUS in this environment, you must
configure it on the proxy switch.
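
The rules above can be checked against a fabric inventory before RADIUS is rolled out. The following is an added example, not part of the HP/Brocade guide: it models the authentication source and the nonfcsadmin role handling described in this section and reports switches where the outcome may surprise an administrator. The `Switch` fields, role strings, and sample data are assumptions made for illustration, not Fabric OS output.

```python
from dataclasses import dataclass

# Hypothetical inventory model; field names are assumptions, not Fabric OS output.
@dataclass
class Switch:
    name: str
    radius_configured: bool  # RADIUS supported and set up on this switch
    secure_mode: bool        # Secure Fabric OS secure mode enabled
    is_fcs: bool             # switch is an FCS switch

def auth_source(sw):
    """Which credential store decides a login on this switch."""
    return "radius" if sw.radius_configured else "local"

def effective_access(sw, radius_role):
    """Access a RADIUS account with this role gets; None if RADIUS is not consulted."""
    if auth_source(sw) != "radius":
        return None
    if radius_role == "nonfcsadmin":
        if not sw.secure_mode:
            return "admin"  # nonsecure mode treats the role like admin
        return "denied" if sw.is_fcs else "nonfcsadmin"
    return radius_role

def audit(switches, radius_accounts):
    """Return findings as (switch, account, issue) tuples."""
    findings = []
    for sw in switches:
        if auth_source(sw) == "local":
            findings.append((sw.name, "*", "local password database in use"))
            continue
        for account, role in radius_accounts.items():
            if role == "nonfcsadmin" and effective_access(sw, role) == "admin":
                findings.append((sw.name, account, "nonfcsadmin treated as admin"))
    return findings

# Constructed sample data.
SWITCHES = [
    Switch("fcs-primary", True, True, True),
    Switch("edge-secure", True, True, False),
    Switch("edge-nonsecure", True, False, False),
    Switch("legacy-v3", False, False, False),
]
ACCOUNTS = {"alice": "admin", "bob": "nonfcsadmin"}

if __name__ == "__main__":
    for finding in audit(SWITCHES, ACCOUNTS):
        print(finding)
```

Each finding marks a switch where a RADIUS-side role or password policy does not produce the access an administrator might expect, so the local accounts or the secure mode setting on that switch should be reviewed.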