-
Cisco Nexus 5500 Series NX-OS SAN Switching Configuration Guide, Release 7.x
-
Preface
-
Overview
-
Configuring Fibre Channel Interfaces
-
Configuring Fibre Channel Domain Parameters
-
Configuring N Port Virtualization
-
Configuring FCoE NPV
-
Configuring VSAN Trunking
-
Configuring SAN Port Channels
-
Configuring and Managing VSANs
-
Configuring and Managing Zones
-
Distributing Device Alias Services
-
Configuring Fibre Channel Routing Services and Protocols
-
Managing FLOGI, Name Server, FDMI, and RSCN Databases
-
Discovering SCSI Targets
-
Configuring iSCSI TLV
-
Advanced Fibre Channel Features
-
Configuring FC-SP and DHCHAP
-
Configuring Port Security
-
Configuring Fabric Binding
-
Configuring Fabric Configuration Servers
-
Configuring Port Tracking
-
Index
-
Feedback
Contents
- Configuring FC-SP and DHCHAP
- Information About FC-SP and DHCHAP
- Fabric Authentication
- Configuring DHCHAP Authentication
- DHCHAP Compatibility with Fibre Channel Features
- About Enabling DHCHAP
- Enabling DHCHAP
- DHCHAP Authentication Modes
- Configuring the DHCHAP Mode
- DHCHAP Hash Algorithm
- Configuring the DHCHAP Hash Algorithm
- DHCHAP Group Settings
- Configuring the DHCHAP Group Settings
- DHCHAP Password
- Configuring DHCHAP Passwords for the Local Switch
- Password Configuration for Remote Devices
- Configuring DHCHAP Passwords for Remote Devices
- DHCHAP Timeout Value
- Configuring the DHCHAP Timeout Value
- Configuring DHCHAP AAA Authentication
- Displaying Protocol Security Information
- Configuration Examples for Fabric Security
- Default Settings for Fabric Security
Configuring FC-SP and DHCHAP
This chapter describes how to configure the Fibre Channel Security Protocol (FC-SP) and the Diffie-Hellman Challenge Handshake Authentication Protocol (DHCP).
This chapter includes the following sections:
Information About FC-SP and DHCHAP
The Fibre Channel Security Protocol (FC-SP) capabilities provide switch-to-switch and host-to-switch authentication to overcome security challenges for enterprise-wide fabrics. The Diffie-Hellman Challenge Handshake Authentication Protocol (DHCHAP) is an FC-SP protocol that provides authentication between Cisco SAN switches and other devices. DHCHAP consists of the CHAP protocol combined with the Diffie-Hellman exchange.
- Fabric Authentication
- Configuring DHCHAP Authentication
- Configuration Examples for Fabric Security
- Default Settings for Fabric Security
Fabric Authentication
All Cisco SAN switches enable fabric-wide authentication from one switch to another switch, or from a switch to a host. These switch and host authentications are performed locally or remotely in each fabric. As storage islands are consolidated and migrated to enterprise-wide fabrics, new security challenges arise. The approach of securing storage islands cannot always be guaranteed in enterprise-wide fabrics. For example, in a campus environment with geographically distributed switches, someone could maliciously or accidentally interconnect incompatible switches, resulting in Inter-Switch Link (ISL) isolation and link disruption.
Cisco SAN switches support authentication features to address physical security (see the following figure).
Note
Fibre Channel host bus adapters (HBAs) with appropriate firmware and drivers are required for host-switch authentication.
Configuring DHCHAP Authentication
Before You BeginProcedureYou must explicitly enable the DHCHAP feature to access the configuration and verification commands for fabric authentication. When you disable this feature, all related configurations are automatically discarded.
DHCHAP Compatibility with Fibre Channel Features
When configuring the DHCHAP feature along with existing Cisco NX-OS features, consider these compatibility issues:
- SAN port channel interfaces—If DHCHAP is enabled for ports belonging to a SAN port channel, DHCHAP authentication is performed at the physical interface level, not at the port channel level.
- Port security or fabric binding—Fabric-binding policies are enforced based on identities authenticated by DHCHAP.
- VSANs—DHCHAP authentication is not done on a per-VSAN basis.
By default, the DHCHAP feature is disabled in all Cisco SAN switches.
Enabling DHCHAP
ProcedureDHCHAP Authentication Modes
The DHCHAP authentication status for each interface depends on the configured DHCHAP port mode.
When the DHCHAP feature is enabled in a switch, each Fibre Channel interface or FCIP interface may be configured to be in one of four DHCHAP port modes:
- On—During switch initialization, if the connecting device supports DHCHAP authentication, the software performs the authentication sequence. If the connecting device does not support DHCHAP authentication, the link is placed in an isolated state.
- Auto-Active—During switch initialization, if the connecting device supports DHCHAP authentication, the software performs the authentication sequence. If the connecting device does not support DHCHAP authentication, the software continues with the rest of the initialization sequence.
- Auto-Passive (default)—The switch does not initiate DHCHAP authentication, but participates in DHCHAP authentication if the connecting device initiates DHCHAP authentication.
- Off—The switch does not support DHCHAP authentication. Authentication messages sent to ports in this mode return error messages to the initiating switch.
Note
Whenever DHCHAP port mode is changed to a mode other than the Off mode, reauthentication is performed.
The following table identifies switch-to-switch authentication between two Cisco switches in various modes.
Table 1 DHCHAP Authentication Status Between Two SAN Switches Switch N DHCHAP Modes
Switch 1 DHCHAP Modes
on
auto-active
auto-passive
off
on
FC-SP authentication is performed.
FC-SP authentication is performed.
FC-SP authentication is performed.
Link is brought down.
auto-Active
FC-SP authentication is not performed.
auto-Passive
FC-SP authentication is not performed.
off
Link is brought down.
FC-SP authentication is not performed.
Configuring the DHCHAP Mode
ProcedureDHCHAP Hash Algorithm
Cisco SAN switches support a default hash algorithm priority list of MD5 followed by SHA-1 for DHCHAP authentication.
If you change the hash algorithm configuration, then change it globally for all switches in the fabric.
Caution
RADIUS and TACACS+ protocols always use MD5 for CHAP authentication. Using SHA-1 as the hash algorithm may prevent RADIUS and TACACS+ usage, even if these AAA protocols are enabled for DHCHAP authentication.
Configuring the DHCHAP Hash Algorithm
Procedure
Command or Action Purpose
Step 1 configure terminal
Example:switch# configure terminal switch(config)#Enters global configuration mode.
Step 2 fcsp dhchap hash [md5] [sha1]
Example:switch(config)# fcsp dhchap hash md5 sha1Configures the use of the the MD5 or SHA-1 hash algorithm.
Step 3 no fcsp dhchap hash sha1
Example:switch(config)# no fcsp dhchap hash sha1Reverts to the factory default priority list of the MD5 hash algorithm followed by the SHA-1 hash algorithm.
Configuring the DHCHAP Group Settings
Procedure
Command or Action Purpose
Step 1 configure terminal
Example:switch# configure terminal switch(config)#Enters global configuration mode.
Step 2 fcsp dhchap dhgroup [0 | 1 | 2 | 3 | 4]
Example:switch(config)# fcsp dhchap dhgroup [0|1|2|3|4]Prioritizes the use of DH groups in the configured order.
Step 3 no fcsp dhchap dhgroup [0 | 1 | 2| 3 | ]4]
Example:switch(config)# no fcsp dhchap dhgroup [0|1|2|3|4]Reverts to the DHCHAP factory default order of 0, 1, 2, 3 and 4.
DHCHAP Password
DHCHAP authentication in each direction requires a shared secret password between the connected devices. To do this, you can use one of three configurations to manage passwords for all switches in the fabric that participate in DHCHAP:
- Configuration 1—Use the same password for all switches in the fabric. This is the simplest configuration. When you add a new switch, you use the same password to authenticate that switch in this fabric. It is also the most vulnerable configuration if someone from the outside maliciously attempts to access any one switch in the fabric.
- Configuration 2—Use a different password for each switch and maintain that password list in each switch in the fabric. When you add a new switch, you create a new password list and update all switches with the new list. Accessing one switch yields the password list for all switches in that fabric.
- Configuration 3—Use different passwords for different switches in the fabric. When you add a new switch, multiple new passwords corresponding to each switch in the fabric must be generated and configured in each switch. Even if one switch is compromised, the password of other switches are still protected. This configuration requires considerable password maintenance by the user.
Note
All passwords are restricted to 64 alphanumeric characters and can be changed, but not deleted.
We recommend using RADIUS or TACACS+ for fabrics with more than five switches. If you need to use a local password database, you can continue to do so using Configuration 3 and using Cisco MDS 9000 Family Fabric Manager to manage the password database.
Configuring DHCHAP Passwords for the Local Switch
Procedure
Command or Action Purpose
Step 1 configure terminal
Example:switch# configure terminal switch(config)#Enters global configuration mode.
Step 2 fcsp dhchap password [0 | 7] password [wwn wwn-id]
Example:switch(config)# fcsp dhchap password [0|7] myword wwn 11:22:11:22:33:44:33:44Configures a clear text password for the local switch.
Password Configuration for Remote Devices
You can configure passwords in the local authentication database for other devices in a fabric. The other devices are identified by their device name, which is also known as the switch WWN or device WWN. The password is restricted to 64 characters and can be specified in clear text (0) or in encrypted text (7).
Note
The switch WWN identifies the physical switch. This WWN is used to authenticate the switch and is different from the VSAN node WWN.
Configuring DHCHAP Passwords for Remote Devices
Procedure
Command or Action Purpose
Step 1 configure terminal
Example:switch# configure terminal switch(config)#Enters global configuration mode.
Step 2 fcsp dhchap devicename switch-wwn password password
Example:switch(config)# fcsp dhchap devicename 21:00:05:30:23:1a:11:03 password mypasswordConfigures a password for another switch in the fabric that is identified by the switch WWN device name.
Step 3 switch(config)# no fcsp dhchap devicename switch-wwn password password
Example:switch(config)# no fcsp dhchap devicename 21:00:05:30:23:1a:11:03 password mypasswordRemoves the password entry for this switch from the local authentication database.
DHCHAP Timeout Value
During the DHCHAP protocol exchange, if the switch does not receive the expected DHCHAP message within a specified time interval, authentication failure is assumed. The time ranges from 20 (no authentication is performed) to 1000 seconds. The default is 30 seconds.
When changing the timeout value, consider the following factors:
Configuring the DHCHAP Timeout Value
Procedure
Command or Action Purpose
Step 1 configure terminal
Example:switch# configure terminal switch(config)#Enters global configuration mode.
Step 2 fcsp timeout timeout
Example:switch(config)# fcsp timeout 60Configures the reauthentication timeout to the specified value. The unit is seconds.
Step 3 no fcsp timeout timeout
Example:switch(config)# no fcsp timeout 60Reverts to the factory default of 30 seconds.
Displaying Protocol Security Information
Use the show fcsp commands to display configurations for the local database.
The following example shows how to display the DHCHAP configuration for the specified interface:
switch# show fcsp interface fc2/4 fc2/4fcsp authentication mode:SEC_MODE_ONStatus: Successfully authenticatedThe following example shows how to display DHCHAP statistics for the specified interface:
switch# show fcsp interface fc2/4 statisticsThe following example shows how to display the FC-SP WWN of the device connected to the specified interface:
switch# show fcsp interface fc2/1 wwnThe following example shows how to display the hash algorithm and DHCHAP groups configured in the switch:
switch# show fcsp dhchapThe following example shows how to display the DHCHAP local password database:
switch# show fcsp dhchap databaseUse the ASCII representation of the device WWN to configure the switch information on RADIUS and TACACS+ servers.
Configuration Examples for Fabric Security
ProcedureThis section provides the steps to configure the example illustrated in the following figure.
This example shows how to set up authentication:
Step 1 Obtain the device name of the Cisco SAN switch in the fabric. The Cisco SAN switch in the fabric is identified by the switch WWN.
Example:switch# show wwn switchSwitch WWN is 20:00:00:05:30:00:54:deStep 2 Explicitly enable DHCHAP in this switch.
Note When you disable DHCHAP, all related configurations are automatically discarded.
Example:switch(config)# fcsp enableStep 3 Configure a clear text password for this switch. This password is used by the connecting device.
Example:switch(config)# fcsp dhchap password rtp9216Step 4 Configure a password for another switch in the fabric that is identified by the switch WWN device name.
Example:switch(config)# fcsp dhchap devicename 20:00:00:05:30:00:38:5e password rtp9509Step 5 Enable the DHCHAP mode for the required interface.
Note Whenever DHCHAP port mode is changed to a mode other than the Off mode, reauthentication is performed.
Example:switch(config)# interface fc2/4switch(config-if)# fcsp onStep 6 Verify the protocol security information configured in this switch by displaying the DHCHAP local password database.
Example:switch# show fcsp dhchap databaseDHCHAP Local Password:Non-device specific password:*******Other Devices' Passwords:Password for device with WWN:20:00:00:05:30:00:38:5e is *******Step 7 Display the DHCHAP configuration in the interface.
Example:switch# show fcsp interface fc2/4 fc2/4fcsp authentication mode:SEC_MODE_ONStatus:Successfully authenticatedStep 8 Repeat these steps on the connecting switch.
Example:MDS-9509# show wwn switchSwitch WWN is 20:00:00:05:30:00:38:5eMDS-9509(config)# fcsp enableMDS-9509(config)# fcsp dhchap password rtp9509MDS-9509(config)# fcsp dhchap devicename 20:00:00:05:30:00:54:de password rtp9216MDS-9509(config)# interface fc 4/5MDS-9509(config-if)# fcsp onMDS-9509# show fcsp dhchap databaseDHCHAP Local Password:Non-device specific password:*******Other Devices' Passwords:Password for device with WWN:20:00:00:05:30:00:54:de is *******MDS-9509# show fcsp interface fc2/4 Fc2/4fcsp authentication mode:SEC_MODE_ONStatus:Successfully authenticatedYou have now enabled and configured DHCHAP authentication for the sample setup.
Default Settings for Fabric Security
The following table lists the default settings for all fabric security features in any switch.
Table 2 Default Fabric Security Settings Parameters
Default
DHCHAP feature
Disabled
DHCHAP hash algorithm
A priority list of MD5 followed by SHA-1 for DHCHAP authentication
DHCHAP authentication mode
Auto-passive
DHCHAP group default priority exchange order
0, 4, 1, 2, and 3, respectively
DHCHAP timeout value
30 seconds
