McDATA® 4Gb SAN Switch for HP p-Class BladeSystem Installation Guide (AA-RW1XA-TE, June 2005)
24 Planning
• Refer to System keyword of the Set Setup command in the McDATA 4Gb SAN Switch for HP p-Class
BladeSystem user guide for information about enabling the NTP client on the switch and configuring the
NTP server.
• Refer to the Set command in the McDATA 4Gb SAN Switch for HP p-Class BladeSystem user guide for
information about setting the time zone.
Device security
IMPORTANT: Device security is available only with the McDATA SANtegrity™ Enhanced Product Feature
Enablement (PFE) key. Refer to ”Installing Product Feature Enablement (PFE) keys” on page 34 for more
information about installing a PFE key. To obtain the McDATA 4Gb SAN Switch serial number and Product
Feature Enablement license key, follow the step-by-step instructions on the "firmware feature entitlement
request certificate" for the PFE key. One of the license key retrieval options is via the web:
www.webkey.external.hp.com.
Device security provides for the authorization and authentication of devices that you attach to a switch. You
can configure a switch with a group of devices against which the switch authorizes new attachments by
devices, other switches, or devices issuing management server commands. Device security is configured
through the use of security sets and groups. A group is a list of device worldwide names that are
authorized to attach to a switch. There are three types of groups: one for other switches (ISL), another for
devices (port), and a third for devices issuing management server commands (MS). A security set is a set
of up to three groups with no more than one of each group type. The security configuration is made up of
all security sets on the switch. The security database has the following limits:
• Maximum number of security sets is 4.
• Maximum number of groups is 16.
• Maximum number of members in a group is 1000.
• Maximum total number of group members is 1000.
In addition to authorization, the switch can be configured to require authentication to validate the identity
of the connecting switch, device, or host. Authentication can be performed locally using the switch’s
security database, or remotely using a Remote Dial-In User Service (RADIUS) server such as Microsoft
®
RADIUS. With a RADIUS server, the security database for the entire fabric resides on the server. In this
way, the security database can be managed centrally, rather than on each switch. You can configure up to
five RADIUS servers to provide failover.
You can configure the RADIUS server to authenticate just the switch or both the switch and the initiator
device if the device supports authentication. When using a RADIUS server, every switch in the fabric must
have a network connection. A RADIUS server can also be configured to authenticate user accounts as
described in ”User account security” on page 24. A secure connection is required to authenticate user
logins with a RADIUS server. Refer to ”Connection security” on page 23 for more information.
Consider the devices, switches, and management agents and evaluate the need for authorization and
authentication. Also consider whether the security database is to be distributed on the switches or
centralized on a RADIUS server and how many servers to configure.
User account security
User account security consists of the administration of account names, passwords, expiration date, and
authority level. If an account has Admin authority, all management tasks can be performed by that account
in both McDATA Web Server and the Telnet Command Line Interface. Otherwise only monitoring tasks are
available. The default account name, Admin, is the only account that can create or change account names
and passwords. Account names and passwords are always required when connecting to a switch.
Authentication of the user account and password can be performed locally using the switch’s user account
database or it can be done remotely using a RADIUS server such as Microsoft
®
RADIUS. Authenticating
user logins on a RADIUS server requires a secure management connection to the switch. Refer to
”Connection security” on page 23 for information about securing the management connection. A RADIUS
server can also be used to authenticate devices and other switches as described in ”Device security” on
page 24.