Administrator's Guide v4.1.1 Manual

Configuring Fabric Authentication
Fabric authentication overview......................................................................................303
Understanding fabric authentication..............................................................................307
Configuring port security............................................................................................... 314
Fabric authentication overview
When you connect a Brocade VCS Fabric to a Fabric OS fabric, the Network OS Fibre Channel E_Ports
on the Brocade VDX 6730 connect through Inter-Switch Links (ISLs) to EX_Ports on an FC router,
which in turn connects to the Fabric OS network as shown in Fibre Channel ports overview on page
199.
To ensure that no unauthorized devices can access the fabric, Network OS provides support for
security policies and protocols capable of authenticating Network OS (E_Ports) to the EX_Ports on the
FC router (FCR) that provides access to the SAN storage and services.
DH-CHAP
Network OS uses the Diffie-Hellman Challenge Handshake Authentication Protocol (DH-CHAP) to
control access between devices. DH-CHAP is a password-based, key-exchange authentication protocol
that negotiates hash algorithms and Diffie-Hellman (DH) groups before performing authentication. It
supports both MD5 and SHA-1 hash algorithm-based authentication.
The Fibre Channel Security Protocol (FC-SP) defines the DH groups supported in the DH-CHAP
protocol. Following current FC-SP standards, Network OS supports the following DH groups:
00 - DH Null option
01 - 1024 bit key
02 - 1280 bit key
03 - 1536 bit key
04 - 2048 bit key
To configure DH-CHAP authentication between Network OS switches (E_Ports) and FC routers
(EX_Ports), you must apply a matching configuration to both sides of the connection. Each device must
be configured locally.
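The following is an added example, not code from the guide or from Network OS, that models the DH-CHAP exchange described above: the two sides negotiate a hash algorithm (MD5 or SHA-1) and a DH group, the verifier issues a challenge, and the responder answers with a hash over the challenge, its configured secret and the DH shared value, so the secret itself never crosses the link. It also shows the local/peer secret pairing used in the Shared secret keys section: each side's local secret must match the peer secret configured on the other side for that direction to authenticate. The DH parameters, transaction id layout and hash input ordering are constructed for the demonstration and are not the byte-exact FC-SP encoding; group 00 (the DH null option) degenerates to plain CHAP with no key exchange.

```python
import hashlib
import secrets

# Demonstration-only DH parameters (constructed). FC-SP group 00 is the DH null option;
# groups 01-04 are 1024- to 2048-bit MODP primes too long to embed here. 2**127-1 is prime.
DH_GROUPS = {0: None, 1: (2**127 - 1, 2)}
HASHES = {"md5", "sha1"}  # the two hash algorithms DH-CHAP can negotiate

def negotiate(offered, supported):
    """Take the first entry of the challenger's preference list that the responder supports."""
    for ident in offered:
        if ident in supported:
            return ident
    raise ValueError("no common algorithm")

def dh_keypair(group):
    """Ephemeral private/public DH values for the group; (None, None) for the null group."""
    if DH_GROUPS[group] is None:
        return None, None
    p, g = DH_GROUPS[group]
    x = secrets.randbelow(p - 2) + 1
    return x, pow(g, x, p)

def chap_response(hash_name, trans_id, nonce, secret, dh_shared):
    """CHAP response: the secret is only hashed, never transmitted. The DH shared value
    (empty for the null group) binds the response to this particular exchange."""
    shared = dh_shared.to_bytes(16, "big") if dh_shared is not None else b""
    h = hashlib.new(hash_name)
    h.update(nonce + trans_id.to_bytes(4, "big") + secret + shared)
    return h.digest()

def authenticate(hash_name, group, responder_secret, verifier_expected):
    """One direction of DH-CHAP: the verifier challenges, the responder answers with its
    local secret, and the verifier recomputes using the peer secret it has configured."""
    trans_id, nonce = 1, secrets.token_bytes(16)
    ver_priv, ver_pub = dh_keypair(group)
    resp_priv, resp_pub = dh_keypair(group)
    p = DH_GROUPS[group][0] if DH_GROUPS[group] else None
    shared_resp = pow(ver_pub, resp_priv, p) if p else None  # responder derives g^xy mod p
    shared_ver = pow(resp_pub, ver_priv, p) if p else None   # verifier derives the same value
    got = chap_response(hash_name, trans_id, nonce, responder_secret, shared_resp)
    want = chap_response(hash_name, trans_id, nonce, verifier_expected, shared_ver)
    return secrets.compare_digest(got, want)

def run_dhchap(switch_local, switch_peer, fcr_local, fcr_peer,
               hash_pref=("sha1", "md5"), group_pref=(1, 0)):
    """Mutual DH-CHAP between an E_Port (switch) and an EX_Port (FC router).
    Returns (hash, group, switch authenticated by FCR, FCR authenticated by switch)."""
    hash_name = negotiate(hash_pref, HASHES)
    group = negotiate(group_pref, DH_GROUPS)
    switch_ok = authenticate(hash_name, group, switch_local, fcr_peer)  # FCR verifies switch
    fcr_ok = authenticate(hash_name, group, fcr_local, switch_peer)     # switch verifies FCR
    return hash_name, group, switch_ok, fcr_ok
```

A mismatch in either configured pair fails only that direction, which is why the guide requires a matching configuration to be applied locally on both devices.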
NOTE
The Brocade VDX 6730-32 and VDX 6730-76 are the only platforms that can connect to an FC router
providing access to a SAN network of Fabric OS switches.
Shared secret keys
When you configure device ports for DH-CHAP authentication, you define a pair of shared secrets
known to both devices as a secret key pair. A key pair consists of a local secret and a peer secret. The
local secret uniquely identifies the local device. The peer secret uniquely identifies the entity to which
Network OS Administrator’s Guide
303
53-1003225-04