McDATA 4416 Fibre Channel Switch Module Installation Guide
2-10
Fabric Security
Device Security
NOTE: Device security is available only with the SANtegrity Enhanced PFE key.
Refer to McDATA Switch Module Management Guide for information about installing a
PFE key. For additional McDATA PFE keys, please contact your McDATA
representative or visit the web site at www.mcdata.com.
Device security provides for the authorization and authentication of devices
that you attach to a switch. You can configure a switch with a group of
devices against which the switch authorizes new attachments by devices,
other switches, or devices issuing management server commands. Device
security is configured through the use of security sets and groups. A group is
a list of device worldwide names that are authorized to attach to a switch.
There are three types of groups: one for other switches (ISL), another for
devices (port), and a third for devices issuing management server commands
(MS). A security set is a set of up to three groups with no more than one of
each group type. The security configuration is made up of all security sets on
the switch. The security database has the following limits:
• Maximum number of security sets is 4.
• Maximum number of groups is 16.
• Maximum number of members in a group is 1000.
• Maximum total number of group members is 1000.
In addition to authorization, the switch can be configured to require
authentication to validate the identity of the connecting switch, device, or
host. Authentication can be performed locally using the switch’s security
database, or remotely using a Remote Dial-In User Service (RADIUS) server
such as Microsoft® RADIUS. With a RADIUS server, the security database for
the entire fabric resides on the server. In this way, the security database can be
managed centrally, rather than on each switch module. You can configure up
to five RADIUS servers to provide failover.
You can configure the RADIUS server to authenticate just the switch module
or both the switch module and the initiator device if the device supports
authentication. When using a RADIUS server, every switch in the fabric must
have a network connection. A RADIUS server can also be configured to
authenticate user accounts as described in “User Account Security” on
page 2-11. A secure connection is required to authenticate user logins with a
RADIUS server. Refer to “Connection Security” on page 2-9 for more
information.
Consider the devices, switches, and management agents and evaluate the
need for authorization and authentication. Also consider whether the security
database is to distributed on the switches or centralized on a RADIUS server
and how many servers to configure.