Fabric OS procedures user guide
Fabric OS 3.x Document Addendum
■ API. The following items apply:
— When an older version of the API host library authenticates against a switch with
RADIUS support, the host performs the login. However, the old host library does not
recognize the role returned from the switch, which can result in the host displaying an
incorrect read or write attribute for an account. The switch library performs the
permission check again for individual API function calls.
— API provides functions for RADIUS configuration that share the behavior of the
aaaconfig CLI command.
■ Advanced Web Tools and API. The following items apply to both of these features:
— Users can log in using account names and passwords configured on the RADIUS
server, and gain access with the switch roles defined on the RADIUS server.
— Users can log in through API using account names and passwords configured on the
RADIUS server, and gain access with the switch roles defined on the RADIUS server.
— When a proxy switch is used, the switch-side component performs authentication on
the proxy switch, rather than on the destination switch. Therefore, to use RADIUS in
this environment, you must configure RADIUS on the proxy switch.
Accounting Support
The RADIUS service supports accounting request and response packets so that accounting
records can be centralized on the RADIUS server. The login account name, assigned role, and
password are stored on the RADIUS server for each user.
Setting Up the RADIUS Server
You must know the switch IP address or name to connect to switches. Use the ipaddrshow
command to display a switch IP address.
User accounts should be set up by their true network-wide identity, rather than by the account
names created on a Fabric OS switch. Along with each account name, the administrator should
assign appropriate switch access roles. To manage a nonsecure fabric, these roles can be user
or admin. To manage a secure fabric, these roles can be user, admin, or nonfcsadmin.
When they log in to a switch configured with RADIUS, users enter their assigned RADIUS
account names and passwords at the prompt. After the RADIUS server authenticates a user, it
responds with the assigned switch role in an HP Vendor-Specific Attribute (VSA) as defined in
the RFC. An authentication-accept response without such a VSA role assignment grants the user
role.
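The role-selection rule just described, as an added example that is not from the HP documentation or the Fabric OS code: it walks an Access-Accept using the RFC 2865 attribute layout, verifies the Response Authenticator, and returns the role carried in the VSA or falls back to user. The vendor ID, the role sub-attribute number, the function names, and the fail-closed handling of unknown roles are assumptions, because the page does not give them.

```python
import hashlib
import hmac
import struct

ACCESS_ACCEPT, VENDOR_SPECIFIC = 2, 26      # RFC 2865 code and attribute type
# Assumed placeholders: the page gives neither the vendor ID nor the role
# sub-attribute number, so these values are constructed for the example.
VENDOR_ID, ROLE_SUBTYPE = 99999, 1
ROLES = {"user", "admin", "nonfcsadmin"}    # roles named in the text


def build_accept(ident, request_auth, secret, attrs=b""):
    """Construct a sample Access-Accept with a valid Response Authenticator."""
    head = struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(attrs))
    auth = hashlib.md5(head + request_auth + attrs + secret).digest()
    return head + auth + attrs


def role_vsa(role, vendor_id=VENDOR_ID):
    """Construct a type-26 attribute carrying one role sub-attribute."""
    sub = bytes([ROLE_SUBTYPE, 2 + len(role)]) + role.encode()
    return bytes([VENDOR_SPECIFIC, 6 + len(sub)]) + struct.pack("!I", vendor_id) + sub


def role_from_accept(packet, request_auth, secret):
    """Return the role an Access-Accept grants; 'user' when it has no role VSA."""
    length = int.from_bytes(packet[2:4], "big")
    if packet[:1] != bytes([ACCESS_ACCEPT]) or not 20 <= length <= len(packet):
        raise ValueError("not a well-formed Access-Accept")
    attrs = packet[20:length]
    want = hashlib.md5(packet[:4] + request_auth + attrs + secret).digest()
    if not hmac.compare_digest(want, packet[4:20]):
        raise ValueError("bad Response Authenticator")  # do not trust the role
    while attrs:
        if len(attrs) < 2 or not 2 <= attrs[1] <= len(attrs):
            raise ValueError("malformed attribute")
        atype, value, attrs = attrs[0], attrs[2:attrs[1]], attrs[attrs[1]:]
        vendor = int.from_bytes(value[:4], "big")
        if atype != VENDOR_SPECIFIC or len(value) < 6 or vendor != VENDOR_ID:
            continue
        sub = value[4:]
        while len(sub) >= 2 and 2 <= sub[1] <= len(sub):
            if sub[0] == ROLE_SUBTYPE:
                role = sub[2:sub[1]].decode("ascii", "replace")
                if role not in ROLES:  # this example's choice: fail closed
                    raise ValueError("unknown role: " + role)
                return role
            sub = sub[sub[1]:]
    return "user"  # per the text: an accept without the role VSA grants user
```

The authenticator check comes before any attribute is read, so a role is only honoured when the packet was produced by a server holding the shared secret.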
The following sections explain how to configure a RADIUS server to support HP clients under
different operating systems.
Windows 2000
Use these procedures to add a client to the RADIUS server and create remote access policies
for Fabric OS user and admin roles.
To add a RADIUS client:
1. From the Windows Start menu, select Programs > Administrative Tools > Internet
Authentication Service.
2. In the Internet Authentication Service window, right-click the RADIUS Clients folder and
select New RADIUS Client.