3 – Planning
Device Access
59021-07 A 3-11
D
3.4.4
User Account Security
User account security consists of the administration of account names,
passwords, expiration date, and authority level. If an account has Admin authority,
all management tasks can be performed by that account in both SANbox Manager
and the Command Line Interface. Otherwise only monitoring tasks are available.
The default account name, Admin, is the only account that can administer user
accounts. Refer to ”Device Security” on page 3-11. Consider your management
needs and determine the number of user accounts, their authority needs, and
expiration dates.
Account names and passwords are always required when connecting to a switch
through Telnet. However, SANbox Manager does not authenticate account names
when opening a fabric unless the UserAuthentication parameter is set to True
using the Set Setup System command. Refer to the ”Set Setup Command” on
page B-54 for more information. The UserAuthentication parameter must be
configured the same for all switches in the fabric. If the UserAuthentication
parameter is False (default), SANbox Manager logs you in with the Admin account
name and password (password). Consider your user accounts and determine
whether user authentication is necessary.
3.4.5
Device Security
Device security provides for the authorization and authentication of devices that
you attach to a switch. You can configure a switch with a group of devices against
which the switch authorizes new attachments by devices, other switches, or
applications issuing management server commands. In addition to authorization,
the switch can be configured to require authentication of the connecting device
through the use of a password or secret.
Device security is configured through the use of security sets and groups. A group
is a list of device worldwide names that are authorized to attach to a switch. There
are three types of groups: one for other switches (ISL), another for N_Port devices
(port), and a third for devices or applications issuing management server
commands (MS). Device security is not supported for loop devices. A security set
is a set of up to three groups with no more than one of each group type. The
security database is made up of all security sets on the switch. The security
database has the following limits:
The maximum number of security sets is 4.
The maximum number of groups is 16.
The maximum number of members in a group is 1000.
The maximum total number of group members is 1000.
Consider the devices, switches, and management agents and evaluate the need
for authorization and authentication.