FC Security for CCIE DC – FC-SP / DHCHAP

Fibre Channel Security Protocol (FC-SP) provides the capabilities for Diffie-Hellman Challenge Handshake Authentication Protocol (DHCHAP) to authenticate switches and/or hosts attempting to enter the fabric. The terms FC-SP and DHCHAP are used interchangeably. Unlike most FC feature, DHCHAP is not configured on a per-VSAN basis.

All things in this post can be found in the configuration guide:
http://www.cisco.com/c/en/us/td/docs/switches/datacenter/mds9000/sw/6_2/configuration/guides/security/nx-os/sec_cli_6-x/fcspdh.html

Steps involved to configure FC-SP:

1. Enable FCSP/DHCHAP
2. (Optional) Configure the hash algorithm and Diffie-Hellamn groups
3. Configure the DHCHAP password for the local switch
4. Configure the DHCHAP password for the remote switches/devices in the fabric
5. Configure and enable DHCHAP on interfaces
_a. Modes
_b. Reauthentication
6. Verify

fcsp-dhchap-topology

1. Enable FCSP / DHCHAP

Here we enable the fcsp feature on each switch

MDS1# conf t
MDS1(config)# feature fcsp

MDS2# conf t
MDS2(config)# feature fcsp

2. (Optional) Configure the hash algorithm and Diffie-Hellamn groups

Interesting caveat here – if you’re using RADIUS or TACACS authentication on the switch using SHA-1, do not run SHA-1 as the hashing for DHCHAP, as authentication will fail and ports will not come up! The default hashing is MD5 followed by SHA-1 (fcsp dhchap hash md5 sha1). Let’s configure only MD5 hashing:

MDS1(config)# fcsp dhchap hash md5

MDS2(config)# fcsp dhchap hash md5

To configure the DH group to something other than the default, run the command below and prioritize/restrict your group numbers. Default priority is 0,4,1,2,3. Let’s configure DH group 4 followed by 2.

MDS1(config)# fcsp dhchap dhgroup 4 2

MDS2(config)# fcsp dhchap dhgroup 4 2

3. Configure the DHCHAP password for the local switch

Configure your local switch password, which will be used on your other switches to authenticate this switch. A couple different strategies here, some use the same password for all switches in the fabric, others will have a specific password for each switch. The latter is more secure with minimal additional overhead. Let’s configure MDS1’s password as MDS1, and MDS2’s password as MDS2

MDS1(config)# fcsp dhchap password MDS1

MDS2(config)# fcsp dhchap password MDS2

4. Configure the DHCHAP password for the remote switches/devices in the fabric

Now we have to tell the switch what password to use when authenticating remote switches. This is done by mapping the remote sWWN (Switch WWN) to a password. To find the local sWWN, run this command on each MDS:

MDS1(config-if)# show wwn switch
Switch WWN is 20:00:00:0d:ec:54:63:80

MDS2(config)# show wwn switch 
Switch WWN is 20:00:00:0d:ec:27:4f:40

Now configure authenication of these sWWNs.

MDS1(config-if)# fcsp dhchap devicename 20:00:00:0d:ec:27:4f:40 password MDS2

MDS2(config-if)# fcsp dhchap devicename 20:00:00:0d:ec:54:63:80 password MDS1

5. Configure and enable DHCHAP on interfaces

You can configure DHCHAP on fc interfaces, port-channels interfaces (however the actual auth will occur on the physical fc interfaces), as well as FCIP interfaces. A few possible modes to choose from when enabling FC-SP on an interface

On – Strict mode requiring authentication. If the other side does not support DHCHAP or fails authentication, the link will go into an isolated state. Configured as:

interface fc1/1
 fcsp on

Auto-Active – If the connecting device supports DHCHAP it will perform authentication, if not is will continue with initialization sequence. Configured as:

interface fc1/1
 fcsp auto-active

Auto-Passive – Does not initiate DHCHAP authentication, but will participate if connecting device initiates an authentication. Configured as:

interface fc1/1
 fcsp auto-passive

Off – Does not participate at all in DHCHAP

By default, the links will not reauthenticate on a scheduled basis. You can enforce this by adding a value at the end of the fcsp [mode] command. Configured as:

interface fc1/1
 fcsp auto-active [minutes] 

Let’s configure MDS2 to force authentication, and let’s configure MDS1 to authenticate if capable, and once authenticated, reauthenticated every 2 minutes.

MDS1(config)# int fc1/1  
MDS1(config-if)# fcsp auto-active 2

MDS2(config)# int fc1/1
MDS2(config-if)# fcsp on

6. Verify

Quick list of helpful show commands:

show fcsp interface fc1/1
show fcsp interface fc1/1 statistics
show fcsp interface fc1/1 wwn
show fcsp dhchap
show fcsp dhchap database

Here we can quickly see the authentication mode, timeout and status of FSCP on an interface

MDS1# show fcsp interface fc1/1

fc1/1:
        fcsp authentication mode:SEC_MODE_AUTO_ACTIVE
        reauthentication timeout (in minutes):2
        Status:Successfully authenticated
                Authenticated using local password database

Here we can see the same information, plus statistics. The failures are me playing around and learning order of operations (steps at the top of this post)

MDS1# show fcsp interface fc1/1 statistics

fc1/1:
        fcsp authentication mode:SEC_MODE_AUTO_ACTIVE
        reauthentication timeout (in minutes):2
        Status:Successfully authenticated
                Authenticated using local password database
        Statistics:
        FC-SP Authentication Succeeded:19
        FC-SP Authentication Failed:3
        FC-SP Authentication Bypassed:0
        FC-SP ESP SPI Mismatched frames:0
        FC-SP ESP Auth failed frames:0

This is the same show command, now showing us the remote MDS’s WWN

MDS1# show fcsp interface fc1/1 wwn

fc1/1:
        fcsp authentication mode:SEC_MODE_AUTO_ACTIVE
        reauthentication timeout (in minutes):2
        Status:Successfully authenticated
                Authenticated using local password database
        Other device's WWN:20:00:00:0d:ec:27:4f:40

Here we can see the hash and Diffie-Hellman groups IDs we’re using:

MDS1# show fcsp dhchap
Supported Hash algorithms (in order of preference):
DHCHAP_HASH_MD5

Supported Diffie Hellman group ids(in order of preference):
DHCHAP_GROUP_2048
DHCHAP_GROUP_1280

Viewing the DHCHAP database

MDS1# show fcsp dhchap database
DHCHAP Local Password:
        Non-device specific password:******

Other Devices' Passwords:
        Password for device with WWN:20:00:00:0d:ec:27:4f:40 is ******

Quick template

MDS1:
feature fcsp
fcsp dhchap password MDS1
fcsp dhchap devicename 20:00:00:0d:ec:27:4f:40 password MDS2
int fc1/1
 fcsp on

MDS2:
feature fcsp
fcsp dhchap password MDS2
fcsp dhchap devicename 20:00:00:0d:ec:54:63:80 password MDS1
int fc1/1
 fcsp on
 
! Optional !
fcsp dhchap hash md5
fcsp dhchap dhgroup 4 2
int fc1/1
 fcsp auto-active | auto-passive [minutes]

One comment

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s