Cisco Nexus 5000 Series Switch CLI Software Configuration Guide, NX-OS 4.0(1a)N1 (OL-16597-01, January 2009)
Send feedback to nx5000-docfeedback@cisco.com
44-3
Cisco Nexus 5000 Series Switch CLI Software Configuration Guide
OL-16597-01
Chapter 44 Configuring FC-SP and DHCHAP
DHCHAP
DHCHAP is a mandatory password-based, key-exchange authentication protocol that supports both
switch-to-switch and host-to-switch authentication. DHCHAP negotiates hash algorithms and DH
groups before performing authentication. It supports MD5 and SHA-1 algorithm-based authentication.
To configure DHCHAP authentication using the local password database, perform this task:
Step 1 Enable DHCHAP.
Step 2 Identify and configure the DHCHAP authentication modes.
Step 3 Configure the hash algorithm and DH group.
Step 4 Configure the DHCHAP password for the local switch and other switches in the fabric.
Step 5 Configure the DHCHAP timeout value for reauthentication.
Step 6 Verify the DHCHAP configuration.
This section includes the following topics:
• DHCHAP Compatibility with Fibre Channel Features, page 44-3
• About Enabling DHCHAP, page 44-4
• Enabling DHCHAP, page 44-4
• About DHCHAP Authentication Modes, page 44-4
• Configuring the DHCHAP Mode, page 44-5
• About the DHCHAP Hash Algorithm, page 44-5
• Configuring the DHCHAP Hash Algorithm, page 44-6
• About the DHCHAP Group Settings, page 44-6
• Configuring the DHCHAP Group Settings, page 44-6
• About the DHCHAP Password, page 44-6
• Configuring DHCHAP Passwords for the Local Switch, page 44-7
• About Password Configuration for Remote Devices, page 44-7
• Configuring DHCHAP Passwords for Remote Devices, page 44-8
• About the DHCHAP Timeout Value, page 44-8
• Configuring the DHCHAP Timeout Value, page 44-8
• Configuring DHCHAP AAA Authentication, page 44-9
• Displaying Protocol Security Information, page 44-9
DHCHAP Compatibility with Fibre Channel Features
This section identifies the impact of configuring the DHCHAP feature along with existing Cisco NX-OS
features:
• SAN port channel interfaces—If DHCHAP is enabled for ports belonging to a SAN port channel,
DHCHAP authentication is performed at the physical interface level, not at the port channel level.
• Port security or fabric binding—Fabric-binding policies are enforced based on identities
authenticated by DHCHAP.