3 – Planning
Fabric Security
59265-00 A 3-17
User Account Security
User account security consists of the administration of account names,
passwords, expiration dates, and authority levels. If an account has Admin authority,
all management tasks can be performed by that account in the CLI and
QuickTools. Otherwise, only monitoring tasks are available. The default account
name, Admin, is the only account that can create or add account names and
change passwords of other accounts. All users can change their own passwords.
Account names and passwords are always required when connecting to a switch.
Authentication of the user account and password can be performed locally using
the switch’s user account database or it can be done remotely using a RADIUS
server such as Microsoft® RADIUS. Authenticating user logins on a RADIUS
server requires a secure management connection to the switch. Refer to
“Connection Security” on page 3-16 for information about securing the
management connection. A RADIUS server can also be used to authenticate
devices and other switches as described in “Device Security” on page 3-18.
Consider your management needs and determine the number of user accounts,
their authority needs, and expiration dates. Also consider the advantages of
centralizing user administration and authentication on a RADIUS server.
Port Binding
Port binding provides authorization for a list of up to 32 switch and device WWNs
that are permitted to log in to a particular switch port. Switches or devices that are
not among the 32 are refused access to the port. Consider what ports to secure
and the set of switches and devices that are permitted to log in to those ports. For
information about port binding, refer to the SANbox 5802V Fibre Channel Switch
Command Line Interface Guide.
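A planning aid for the port binding lists described above, added here as an example and not taken from the switch documentation or its CLI. It checks a proposed per-port WWN list against the 32-entry limit before anything is configured; the plan layout, the function names, the sample WWNs, and the treatment of ports missing from the plan as unbound are assumptions.

```python
import re

MAX_BOUND_WWNS = 32  # per-port limit stated in the text above
_WWN_RE = re.compile(r"^[0-9a-f]{16}$")

def normalize_wwn(text):
    """Return a WWN as 8 colon-separated lowercase hex bytes, or raise ValueError."""
    compact = re.sub(r"[:\-\s]", "", text).lower()
    if not _WWN_RE.match(compact):
        raise ValueError(f"not a 64-bit WWN: {text!r}")
    return ":".join(compact[i:i + 2] for i in range(0, 16, 2))

def validate_plan(plan):
    """Check {port: [wwn, ...]}; return (clean_plan, problems)."""
    clean, problems = {}, []
    for port, wwns in sorted(plan.items()):
        seen = []
        for raw in wwns:
            try:
                wwn = normalize_wwn(raw)
            except ValueError as exc:
                problems.append(f"port {port}: {exc}")
                continue
            if wwn in seen:
                problems.append(f"port {port}: duplicate {wwn}")
            else:
                seen.append(wwn)
        if len(seen) > MAX_BOUND_WWNS:
            problems.append(f"port {port}: {len(seen)} WWNs exceeds limit of {MAX_BOUND_WWNS}")
        clean[port] = seen
    return clean, problems

def is_permitted(clean_plan, port, wwn):
    """Model the binding decision: a bound port admits only listed WWNs."""
    if port not in clean_plan:  # assumption: a port absent from the plan is unbound
        return True
    return normalize_wwn(wwn) in clean_plan[port]

# Constructed sample plan; every WWN below is made up for illustration.
SAMPLE_PLAN = {
    0: ["10:00:00:c0:dd:00:00:01", "10-00-00-C0-DD-00-00-01", "2100001b32000002"],
    1: [f"21:00:00:1b:32:00:00:{i:02x}" for i in range(33)],  # one over the limit
    2: ["10:00:00:c0:dd:zz:00:01"],                           # malformed entry
}

if __name__ == "__main__":
    plan, issues = validate_plan(SAMPLE_PLAN)
    print("\n".join(issues))
    print(is_permitted(plan, 0, "21:00:00:1B:32:00:00:02"))
```

Normalizing before comparison catches the same WWN written in different notations, which would otherwise use up two of the 32 entries in the plan.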
NOTE:
If the same user account exists on a switch and its RADIUS server, that user
can log in with either password, but the authority and account expiration will
always come from the switch database.