Fabric OS Administrator's Guide v7.0.0 (53-1002148-02, June 2011)
148 Fabric OS Administrator’s Guide
53-1002148-02
Authentication policy for fabric elements
7
Re-authenticating E_Ports
Use the authUtil --authinit command to re-initiate the authentication on selected ports. It provides
flexibility to initiate authentication for specified E_Ports, a set of E_Ports, or all E_Ports on the
switch. This command does not work on loop, NPIV and FICON devices, or on ports configured for
in-flight encryption. The command authUtil can re-initiate authentication only if the device was
previously authenticated. If the authentication fails because shared secrets do not match, the port
is disabled.
This command works independently of the authentication policy; this means you can initiate the
authentication even if the switch is in PASSIVE mode. This command is used to restart
authentication after changing the DH-CHAP group, hash type, or shared secret between a pair of
switches.
ATTENTION
This command may bring down E_Ports if the DH-CHAP shared secrets are not installed correctly.
1. Log in to the switch using an account with admin permissions, or an account with OM
permissions for the Authentication RBAC class of commands.
2. Enter the authUtil
–-authinit command.
Example for specific ports on the switch
switch:admin> authutil –-authinit 2,3,4
Example for all E_Ports on the switch
switch:admin> authutil –-authinit allE
Example for enterprise-class platforms using the slot/port format
switch:admin> authutil –-authinit 1/1, 1/2
Device authentication policy
Device authentication policy can also be categorized as an F_Port, node port, or an HBA
authentication policy. Fabric-wide distribution of the device authentication policy is not supported
because the device authentication requires manual interaction in setting the HBA shared secrets
and switch shared secrets, and most of the HBAs do not support the defined DH groups for use in
the DH-CHAP protocol.
By default the switch is in the OFF state, which means the switch clears the security bit in the FLOGI
(fabric login). The authUtil command provides an option to change the device policy mode to select
PASSIVE policy, which means the switch responds to authentication from any device and does not
initiate authentication to devices. When the policy is set to ON, the switch expects a FLOGI with the
FC-SP bit set. If not, the switch rejects the FLOGI with reason LS_LOGICAL_ERROR (0x03),
explanation “Authentication Required”(0x48), and disables the port. Regardless of the policy, the
F_Port is disabled if the DH-CHAP protocol fails to authenticate. If the HBA sets the FC-SP bit during
FLOGI and the switch sends a FLOGI accept with the FC-SP bit set, then the switch expects the HBA
to start the AUTH_NEGOTIATE. From this point on until the AUTH_NEGOTIATE is completed, all ELS
and CT frames, except the AUTH_NEGOTIATE ELS frame, are blocked by the switch. During this
time, the Fibre Channel driver rejects all other ELS frames. The F_Port does not form until the
AUTH_NEGOTIATE is completed. It is the HBA's responsibility to send an Authentication Negotiation
ELS frame after receiving the FLOGI accept frame with the FC-SP bit set.