Cisco Nexus 5000 Series Switch CLI Software Configuration Guide, NX-OS 4.0(1a)N1 (OL-16597-01, January 2009)

Chapter 44 Configuring FC-SP and DHCHAP
DHCHAP
Tip: If you change the hash algorithm configuration, then change it globally for all switches in the fabric.

Caution: RADIUS and TACACS+ protocols always use MD5 for CHAP authentication. Using SHA-1 as the hash algorithm may prevent RADIUS and TACACS+ usage, even if these AAA protocols are enabled for DHCHAP authentication.
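
The Tip and Caution above can be checked offline against saved configurations. The following is an added example, not part of the Cisco guide: it compares the DHCHAP hash list (and the DH group list set with fcsp dhchap dhgroup, described later on this page) across switches and flags any switch whose hash list omits MD5. It assumes the saved running-config shows these commands as typed and omits them when the factory default applies; the function names and switch names are hypothetical.

```python
import re

# Factory defaults as stated in this guide; used when a switch has no explicit line.
DEFAULT_HASH = ("md5", "sha1")
DEFAULT_DHGROUP = (0, 4, 1, 2, 3)
# Assumption: the saved running-config echoes the commands in this form.
HASH_RE = re.compile(r"^\s*fcsp dhchap hash\s+(.+?)\s*$", re.M)
DHGROUP_RE = re.compile(r"^\s*fcsp dhchap dhgroup\s+(.+?)\s*$", re.M)


def dhchap_settings(running_config):
    """Return (hash priority list, DH group priority list) for one switch."""
    h = HASH_RE.search(running_config)
    g = DHGROUP_RE.search(running_config)
    hashes = tuple(h.group(1).lower().split()) if h else DEFAULT_HASH
    groups = tuple(int(x) for x in g.group(1).split()) if g else DEFAULT_DHGROUP
    return hashes, groups


def audit_fabric(configs):
    """configs: {switch name: running-config text}. Returns a list of findings."""
    settings = {name: dhchap_settings(text) for name, text in configs.items()}
    findings = []
    for label, idx in (("hash", 0), ("dhgroup", 1)):
        seen = {}  # priority list -> switches configured with it
        for name, s in sorted(settings.items()):
            seen.setdefault(s[idx], []).append(name)
        if len(seen) > 1:
            detail = "; ".join(f"{' '.join(map(str, v))} on {', '.join(n)}"
                               for v, n in sorted(seen.items()))
            findings.append(f"{label} list differs across fabric: {detail}")
    for name, (hashes, _) in sorted(settings.items()):
        if "md5" not in hashes:  # the Caution: RADIUS/TACACS+ CHAP always uses MD5
            findings.append(f"{name}: MD5 not in hash list; RADIUS/TACACS+ "
                            "may be unusable for DHCHAP")
    return findings


# Constructed sample input (not from any real device).
SAMPLE = {
    "sw-a": "fcsp dhchap hash sha1\nfcsp dhchap dhgroup 4 1\n",
    "sw-b": "fcsp dhchap dhgroup 4 1\n",
    "sw-c": "fcsp dhchap hash sha1\nfcsp dhchap dhgroup 4 1\n",
}

if __name__ == "__main__":
    for finding in audit_fabric(SAMPLE):
        print(finding)
```
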
Configuring the DHCHAP Hash Algorithm
To configure the hash algorithm, perform this task:

Step 1
  Command: switch# configure terminal
  Purpose: Enters configuration mode.
Step 2
  Command: switch(config)# fcsp dhchap hash [md5] [sha1]
  Purpose: Configures the use of the MD5 or SHA-1 hash algorithm.
  Command: switch(config)# no fcsp dhchap hash sha1
  Purpose: Reverts to the factory default priority list of the MD5 hash algorithm followed by the SHA-1 hash algorithm.

About the DHCHAP Group Settings
All Cisco Nexus 5000 Series switches support all DHCHAP groups specified in the standard: 0 (null DH group, which does not perform the Diffie-Hellman exchange), 1, 2, 3, or 4.

Tip: If you change the DH group configuration, change it globally for all switches in the fabric.

Configuring the DHCHAP Group Settings
To change the DH group settings, perform this task:

Step 1
  Command: switch# configure terminal
  Purpose: Enters configuration mode.
Step 2
  Command: switch(config)# fcsp dhchap dhgroup [0 | 1 | 2 | 3 | 4]
  Purpose: Prioritizes the use of DH groups in the configured order.
  Command: switch(config)# no fcsp dhchap dhgroup [0 | 1 | 2 | 3 | 4]
  Purpose: Reverts to the DHCHAP factory default order of 0, 4, 1, 2, and 3.

About the DHCHAP Password
DHCHAP authentication in each direction requires a shared secret password between the connected devices. To do this, you can use one of three configurations to manage passwords for all switches in the fabric that participate in DHCHAP: