Fabric OS Administrator's Guide v7.0.0 (53-1002148-02, June 2011)

ManualsBrandsHP ManualsStorageHP 8/40 Power Pack+ (24) Full Fabric Ports Enabled SAN Switch

181

182

183

184

185

186

187

188

189

190

Fabric OS Administrator’s Guide 147

53-1002148-02

Authentication policy for fabric elements

Virtual Fabric considerations: The switch authentication policy applies to all E_Ports in a logical

switch. This includes ISLs and extended ISLs. Authentication of extended ISLs between two base

switches is considered peer-chassis authentication. Authentication between two physical entities is

required, so the extended ISL which connects the two chassis needs to be authenticated. The

corresponding extended ISL for a logical ISL authenticates the peer-chassis, therefore the logical

ISL authentication is not required. Because the logical ISLs do not carry actual traffic, they do not

need to be authenticated. Authentication on re-individualization is also blocked on logical ISLs. The

following error message is printed on the console when you execute the authUtil –-authinit

command on logical-ISLs, “Failed to initiate authentication. Authentication is not supported on

logical ports <port#>”. For more information on Virtual Fabrics, refer to Chapter 10, “Managing

Virtual Fabrics”.

Configuring E_Port authentication

1. Connect to the switch and log in using an account with admin permissions, or an account with

OM permissions for the Authentication RBAC class of commands.

2. Enter the authUtil command to set the switch policy mode.

Example of configuring E_Port authentication

The following example shows how to enable a Virtual Fabric and configure the E_Ports to perform

authentication using the AUTH policies authUtil command.

switch:admin> fosconfig -enable vf

WARNING: This is a disruptive operation that requires a reboot to take

effect.

All EX ports will be disabled upon reboot.

Would you like to continue [Y/N] y

switch:admin> authutil --authinit 2,3,4

CAUTION

If data input has not been completed and a failover occurs, the command is terminated without

completion and your entire input is lost.

If data input has completed, the enter key pressed, and a failover occurs, data may or may not be

replicated to the other CP depending on the timing of the failover. Log in to the other CP after the

failover is complete and verify the data was saved. If data was not saved, run the command

again.

Example of setting the policy to active mode

switch:admin> authutil --policy -sw active

Warning: Activating the authentication policy requires

either DH-CHAP secrets or PKI certificates depending

on the protocol selected. Otherwise, ISLs will be

segmented during next E-port bring-up.

ARE YOU SURE (yes, y, no, n): [no] y

Auth Policy is set to ACTIVE