Technical data
Brocade Communications Systems, Inc. Page 36 of 48
The FabricOS root account is disabled during TOE configuration, since it allows access to the operating system. This
FabricOS root account is not the same as the “Root” role.
The TOE authenticates administrative users using either its own authentication mechanism or a RADIUS or LDAP
Server. The TOE's own mechanism is password authentication. For an administrative user to access the TOE, a user
account with a user name and password must be created for that user, and an administrative role must be assigned.
The TOE password authentication mechanism enforces password composition rules: passwords must be between 8 and
40 characters; they must begin with an alphabetical character; they can include numeric characters, the dot (.) and the
underscore (_); and they are case-sensitive. In the case of RADIUS or LDAP Server authentication, the TOE passes the
supplied login credentials to the RADIUS or LDAP Server for validation. If the RADIUS or LDAP Server returns a
success value, the TOE matches the user name to a user name stored internally. The administrator can configure the
order in which the external authentication provider and the local credentials are checked.
The TOE supports several password policies which apply only to accounts defined within the local user database.
Password Strength
The password strength policy is enforced across all user accounts, and enforces a set of format rules to which new
passwords must adhere. The password strength policy is enforced only when a new password is defined. The
administrator can specify the number of lowercase, uppercase, digits, and punctuation that are required. The
password strength policy can also specify the minimum length of a password.
Password History
The password history policy prevents users from recycling recently used passwords, and is enforced across all user
accounts when users are setting their own passwords. The password history policy is enforced only when a new
password is defined.
The administrator specifies the number of past password values that are disallowed when setting a new password.
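The composition, strength and history rules above, as an added example in Python (illustrative code, not Brocade's FabricOS implementation). The minimum character counts and the history depth are assumed defaults, "punctuation" is counted as the dot and underscore the composition rule admits, the password currently in force is assumed to count among the disallowed past values, and salted PBKDF2 is this example's own choice for storing history without keeping clear-text passwords:

```python
# Added example: a model of the FabricOS local password policies described in
# this section. This is illustrative code, not Brocade's implementation; the
# default counts, the history depth and the PBKDF2 storage format are assumptions.
import hashlib
import os
import re
from dataclasses import dataclass, field


@dataclass
class PasswordPolicy:
    # Composition rule from the Security Target: 8 to 40 characters.
    min_length: int = 8
    max_length: int = 40
    # Strength policy: administrator-chosen minimum counts (values assumed here).
    min_lower: int = 1
    min_upper: int = 1
    min_digits: int = 1
    min_punct: int = 0
    # History policy: number of past password values that may not be reused
    # (assumed to include the password currently in force).
    history_depth: int = 3


# Must begin with a letter; the rest may be letters, digits, '.' or '_'.
_COMPOSITION = re.compile(r"[A-Za-z][A-Za-z0-9._]*")
# The only punctuation the composition rule admits (assumption for counting).
_PUNCT = "._"


def check_password(candidate: str, policy: PasswordPolicy) -> list[str]:
    """Return every composition/strength violation; an empty list means accepted."""
    errors = []
    n = len(candidate)
    if not policy.min_length <= n <= policy.max_length:
        errors.append(f"length {n} is outside {policy.min_length}-{policy.max_length}")
    if not _COMPOSITION.fullmatch(candidate):
        errors.append("must start with a letter and use only letters, digits, '.' and '_'")
    counts = {
        "lowercase": sum(c.islower() for c in candidate),
        "uppercase": sum(c.isupper() for c in candidate),
        "digit": sum(c.isdigit() for c in candidate),
        "punctuation": sum(c in _PUNCT for c in candidate),
    }
    required = {
        "lowercase": policy.min_lower,
        "uppercase": policy.min_upper,
        "digit": policy.min_digits,
        "punctuation": policy.min_punct,
    }
    for kind, need in required.items():
        if counts[kind] < need:
            errors.append(f"needs at least {need} {kind} character(s), has {counts[kind]}")
    return errors


def _digest(password: str, salt: bytes) -> bytes:
    # Salted PBKDF2 so that stored history never holds the clear-text password.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


@dataclass
class LocalAccount:
    name: str
    # (salt, digest) pairs, newest first; the comparison is case-sensitive
    # because the digest is computed over the exact password bytes.
    history: list = field(default_factory=list)

    def reused(self, candidate: str, depth: int) -> bool:
        return any(_digest(candidate, salt) == d for salt, d in self.history[:depth])

    def set_password(self, candidate: str, policy: PasswordPolicy) -> list[str]:
        """Apply the policies at password-set time; returns the violations (empty = changed)."""
        errors = check_password(candidate, policy)
        if self.reused(candidate, policy.history_depth):
            errors.append(f"matches one of the last {policy.history_depth} passwords")
        if errors:
            return errors
        salt = os.urandom(16)
        self.history.insert(0, (salt, _digest(candidate, salt)))
        del self.history[policy.history_depth:]  # forget values older than the window
        return []
```

Both policies are evaluated only inside `set_password`, mirroring the text's point that strength and history are enforced when a new password is defined, not retroactively against existing accounts.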
Account Lockout
The account lockout policy disables a user account when that user exceeds a specified number of failed login
attempts, and is enforced across all user accounts. Administrators configure this policy either to keep the account
locked until explicit administrative action is taken to unlock it, or to unlock the account automatically after a
specified period. Administrators can unlock a locked account at any time.
A failed login attempt counter is maintained for each user. The counters for all user accounts are reset to zero when
the account lockout policy is enabled. The counter for an individual account is reset to zero when the account is
unlocked after a lockout duration period expires.
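The lockout behaviour just described (per-user failure counter, lock on exceeding the threshold, manual or timed unlock, counter resets on policy enablement and on expiry), as an added Python example that is not FabricOS code. The threshold and duration defaults are assumptions, the clock is injected so expiry can be exercised without waiting, and a successful login is assumed to clear the counter, which the text does not state:

```python
# Added example: a model of the account lockout policy described in this
# section. Illustrative code, not Brocade's implementation; the threshold and
# duration defaults are assumptions, and a successful login is assumed to reset
# the failed-attempt counter.
from dataclasses import dataclass
from typing import Callable, Dict, Optional


@dataclass
class LockoutPolicy:
    threshold: int = 5                  # lock when failures EXCEED this number
    duration: Optional[float] = 300.0   # seconds; None = locked until an administrator unlocks


@dataclass
class AccountState:
    failed: int = 0                     # per-user failed login attempt counter
    locked_at: Optional[float] = None   # time of lockout, None when not locked


class ManualClock:
    """Injectable clock so lockout expiry can be exercised deterministically."""
    def __init__(self, now: float = 0.0):
        self.now = now

    def __call__(self) -> float:
        return self.now


class LockoutTracker:
    def __init__(self, policy: LockoutPolicy, clock: Callable[[], float]):
        self.policy = policy
        self.clock = clock
        self.enabled = False
        self.accounts: Dict[str, AccountState] = {}

    def _state(self, user: str) -> AccountState:
        return self.accounts.setdefault(user, AccountState())

    def enable(self) -> None:
        # Enabling the policy resets every account's counter to zero.
        self.enabled = True
        for state in self.accounts.values():
            state.failed = 0

    def is_locked(self, user: str) -> bool:
        state = self._state(user)
        if state.locked_at is None:
            return False
        expired = (self.policy.duration is not None
                   and self.clock() - state.locked_at >= self.policy.duration)
        if expired:
            # Lockout duration expired: auto-unlock and reset the counter.
            state.locked_at = None
            state.failed = 0
            return False
        return True

    def admin_unlock(self, user: str) -> None:
        # Administrators may unlock at any time, regardless of duration.
        state = self._state(user)
        state.locked_at = None
        state.failed = 0

    def attempt(self, user: str, credentials_valid: bool) -> str:
        """Outcome of one login attempt: 'ok', 'denied' or 'locked'."""
        state = self._state(user)
        if self.is_locked(user):
            return "locked"            # refused even with correct credentials
        if credentials_valid:
            state.failed = 0           # assumption: success clears the counter
            return "ok"
        state.failed += 1
        if self.enabled and state.failed > self.policy.threshold:
            state.locked_at = self.clock()
            return "locked"
        return "denied"
```

Note that the lock check runs before credential validation, so a correct password submitted against a locked account is still refused; that ordering is what makes the counter a brake on online guessing rather than a cosmetic warning.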
The Identification and authentication function is designed to satisfy the following security functional requirements:
• FIA_AFL.1: The TOE locks an account when the number of failed logon attempts exceeds an
administrator specified value. The account cannot be used until it is unlocked by an administrator or after
an administrator specified time period has elapsed.
• FIA_ATD.1: The TOE maintains security attributes for administrative users.
• FIA_SOS.1: The TOE supports several password policies that place constraints (see above) upon a user’s
selection of a password.
• FIA_UAU.2: The TOE offers no TSF-mediated functions until the user is authenticated.
• FIA_UAU.5: The TOE provides a password-based authentication mechanism and also permits
authentication to occur using a third-party RADIUS or LDAP Server. The order in which these
authentication providers are checked is determined by an administrator.
• FIA_UID.2: The TOE offers no TSF-mediated functions until the user is identified. Administrative users
are identified using user identifiers.
6.1.4 Security management
The TOE defines the following administrative roles: