Fabric OS procedures user guide
137
Fabric OS 3.x Document Addendum
To enable RADIUS service, access the CLI through an SSH connection so that the shared
secret is protected. Multiple login sessions can configure simultaneously, and the last session
to apply a change leaves its configuration in effect. After a configuration is applied, it persists
after a reboot or an HA failover.
The configuration is chassis-based, so it applies to all logical switches (domains) on the switch
and replicates itself on a standby CP card, if one is present. It is saved in a firmware upload, so
it can be applied to other switches in a firmware download. Configure at least two RADIUS
servers so that if one fails, the other assumes service. You can set the configuration with both
RADIUS service and local authentication enabled so that if all RADIUS servers do not
respond (because of power failure or network problems), the switch uses local authentication.
Considerations for RADIUS Use
Consider the following effects of the use of RADIUS service on other Fabric OS features:
■
Passwords
— When RADIUS service is enabled, all account passwords must be managed on the
RADIUS server. The Fabric OS mechanisms for changing switch passwords remain
functional; however, such changes affect only the involved switches locally. They do
not propagate to the RADIUS server, nor do they affect any account on the RADIUS
server.
— When RADIUS is set up for a fabric that contains a mix of switches running v4.4.0,
v3.2.x, or earlier, the way a switch authenticates users depends on whether a RADIUS
server is set up for that switch. For a switch with RADIUS support and configuration,
authentication bypasses the local password database. For a switch without RADIUS
support or configuration, authentication uses switch local account names and
passwords.
■
Secure Fabric OS. In secure mode, the following items apply:
— Account passwords are distributed among all switches in the same fabric. An account
that resides on several switches has the same password on all of them. This model
applies with RADIUS integration; such a distribution affects only the switch local
password database.
— There are separate admin and nonfcsadmin roles in secure mode. A nonfcsadmin
account on a RADIUS server cannot access FCS switches, even if the account is
properly authenticated.
— If a nonfcsadmin account on a RADIUS server logs in to a switch in nonsecure mode,
the switch treats the role like the admin role and grants the access.
— The secure Fabric OS telnet policy does not affect the operation of the RADIUS
protocol.
■
Advanced Web Tools. The following items apply:
— Advanced Web Tools client and server keep an open session after a user is
authenticated. A password change on a switch invalidates an open session and requires
the user to log in again. When integrated with RADIUS, a switch password change on
the RADIUS server does not invalidate an existing open session. However, a password
change on the local switch does invalidate an existing open session.
— If you cannot log in because of a RADIUS server connection problem, Advanced Web
Tools displays a message indicating server outage.
Summary of Contents for StorageWorks 2/16 - SAN Switch
Page 8: ...Contents 8 Fabric OS 3 x Document Addendum ...
Page 16: ...Advanced performance monitor user guide 16 Fabric OS 3 x Document Addendum ...
Page 72: ...Advanced Web Tools user guide 72 Fabric OS 3 x Document Addendum ...
Page 130: ...Extended fabric user guide 130 Fabric OS 3 x Document Addendum ...
Page 150: ...Fabric OS procedures user guide 150 Fabric OS 3 x Document Addendum ...
Page 238: ...Fabric OS reference guide 238 Fabric OS 3 x Document Addendum ...