Reference Guide

ManualsBrandsDell ManualsAccess PlatformsBrocade G620

221

222

223

224

225

226

227

228

229

230

Device authentication policy

Device authentication policy can also be categorized as an F_Port, node port, or an HBA authentication policy. Fabric-wide distribution of

the device authentication policy is not supported because the device authentication requires manual interaction in setting the HBA

shared secrets and switch shared secrets, and most of the HBAs do not support the defined DH groups for use in the DH-CHAP

protocol.

NOTE

Authentication is supported from Brocade fabric switches in native mode to Access Gateway switches and from Access

Gateway switches to HBAs. For more information, refer to the

Access Gateway Administrator's Guide

By default the devicepolicy is in the OFF state, which means the switch clears the security bit in the FLOGI (fabric login). The authUtil

command provides an option to change the device policy mode to select PASSIVE policy, which means the switch responds to

authentication from any device and does not initiate authentication to devices.

When the policy is set to ON, the switch expects a FLOGI with the FC-SP bit set. If not, the switch rejects the FLOGI with reason

LS_LOGICAL_ERROR (0x03), explanation "Authentication Required"(0x48), and disables the port. Regardless of the policy, the F_Port

is disabled if the DH-CHAP protocol fails to authenticate.

If the HBA sets the FC-SP bit during FLOGI and the switch sends a FLOGI accept with the FC-SP bit set, then the switch expects the

HBA to start the AUTH_NEGOTIATE. From this point on until the AUTH_NEGOTIATE is completed, all ELS and CT frames, except the

AUTH_NEGOTIATE ELS frame, are blocked by the switch. During this time, the Fibre Channel driver rejects all other ELS frames. The

F_Port does not form until the AUTH_NEGOTIATE is completed. It is the HBA's responsibility to send an Authentication Negotiation

ELS frame after receiving the FLOGI accept frame with the FC-SP bit set.

Virtual Fabrics considerations

Because the device authentication policy has switch and logical switch-based parameters, each logical switch is set when Virtual Fabrics

is enabled. Authentication is enforced based on each logical switch’s policy settings.

Configuring device authentication

1. Connect to the switch and log in using an account with admin permissions, or an account with OM permissions for the

Authentication RBAC class of commands.

2. Enter the authUtil command to set the device policy mode.

Example of setting the Device policy to passive mode

switch:admin> authutil --policy -dev passive

Warning: Activating the authentication policy requires

DH-CHAP secrets on both switch and device. Otherwise,

the F-port will be disabled during next F-port

bring-up.

ARE YOU SURE (yes, y, no, n): [no] y

Device authentication is set to PASSIVE

AUTH policy restrictions

All fabric element authentication configurations are performed on a local switch basis.

Device authentication policy supports devices that are connected to the switch in point-to-point manner and is visible to the entire fabric.

The following are not supported:

∙ Public loop devices

∙ Single private devices

Configuring Security Policies

Brocade Fabric OS Administration Guide, 8.0.1

230 53-1004111-02