Fibre Channel Security Protocol (FC-SP) provides the capabilities for the Diffie-Hellman Challenge Handshake Authentication Protocol (DHCHAP) to authenticate switches and/or hosts attempting to join the fabric. In this post the terms FC-SP and DHCHAP are used interchangeably. Unlike most FC features, DHCHAP is not configured on a per-VSAN basis: the hash and DH group settings are global to the switch and the mode is set per interface.
All things in this post can be found in the configuration guide:
http://www.cisco.com/c/en/us/td/docs/switches/datacenter/mds9000/sw/6_2/configuration/guides/security/nx-os/sec_cli_6-x/fcspdh.html
Steps involved to configure FC-SP:
1. Enable FCSP/DHCHAP
2. (Optional) Configure the hash algorithm and Diffie-Hellman groups
3. Configure the DHCHAP password for the local switch
4. Configure the DHCHAP password for the remote switches/devices in the fabric
5. Configure and enable DHCHAP on interfaces
a. Modes
b. Reauthentication
6. Verify
1. Enable FCSP / DHCHAP
Here we enable the fcsp feature on each switch
MDS1# conf t
MDS1(config)# feature fcsp
MDS2# conf t
MDS2(config)# feature fcsp
2. (Optional) Configure the hash algorithm and Diffie-Hellman groups
Interesting caveat here: RADIUS and TACACS+ only support MD5 for CHAP, so if the switch is configured to look up DHCHAP passwords through RADIUS or TACACS+ instead of the local database, do not restrict the hash to SHA-1, as authentication will fail and the ports will not come up! The default is MD5 followed by SHA-1 (fcsp dhchap hash md5 sha1); the list is in order of preference. If your passwords stay in the local database, SHA-1 works fine and can be listed first. Let’s configure only MD5 hashing:
MDS1(config)# fcsp dhchap hash md5
MDS2(config)# fcsp dhchap hash md5
To configure the DH groups to something other than the default, run the command below, listing the groups you want in order of preference; only the groups you list will be offered. The default order is 0,4,1,2,3, where group 0 is the NULL DH group (no Diffie-Hellman exchange at all, so the reply is protected only by the password) and groups 1 through 4 are 1024, 1280, 1536 and 2048-bit. Dropping group 0 is the main reason to change the default. Let’s configure DH group 4 followed by 2.
MDS1(config)# fcsp dhchap dhgroup 4 2
MDS2(config)# fcsp dhchap dhgroup 4 2
3. Configure the DHCHAP password for the local switch
Configure the local switch password, which the other switches will use to authenticate this switch. There are a couple of different strategies here: some use the same password for all switches in the fabric, others use a specific password for each switch. The latter is more secure (a secret lifted from one switch does not let an attacker impersonate every other switch) with minimal additional overhead. For readability let’s configure MDS1’s password as MDS1 and MDS2’s password as MDS2; in production use long random secrets.
MDS1(config)# fcsp dhchap password MDS1
MDS2(config)# fcsp dhchap password MDS2
4. Configure the DHCHAP password for the remote switches/devices in the fabric
Now we have to tell the switch what password to use when authenticating remote switches. This is done by mapping the remote sWWN (Switch WWN) to a password. To find the local sWWN, run this command on each MDS:
MDS1(config-if)# show wwn switch
Switch WWN is 20:00:00:0d:ec:54:63:80
MDS2(config)# show wwn switch
Switch WWN is 20:00:00:0d:ec:27:4f:40
Now configure authentication of these sWWNs. Note that each switch stores the other switch’s password under the other switch’s sWWN:
MDS1(config-if)# fcsp dhchap devicename 20:00:00:0d:ec:27:4f:40 password MDS2
MDS2(config-if)# fcsp dhchap devicename 20:00:00:0d:ec:54:63:80 password MDS1
5. Configure and enable DHCHAP on interfaces
You can configure DHCHAP on fc interfaces, on port-channel interfaces (the actual authentication happens on the member fc interfaces) and on FCIP interfaces. There are a few possible modes to choose from when enabling FC-SP on an interface:
On – Strict mode requiring authentication. If the other side does not support DHCHAP or fails authentication, the link goes into an isolated state. Configured as:
interface fc1/1
fcsp on
Auto-Active – If the connecting device supports DHCHAP, authentication is performed; if not, the link continues with the initialization sequence without authentication. Configured as:
interface fc1/1
fcsp auto-active
Auto-Passive – Does not initiate DHCHAP authentication, but will participate if the connecting device initiates authentication. Configured as:
interface fc1/1
fcsp auto-passive
Off – Does not participate at all in DHCHAP.
By default, links do not reauthenticate on a schedule. You can enable periodic reauthentication by adding a value in minutes at the end of the fcsp [mode] command. Configured as:
interface fc1/1
fcsp auto-active [minutes]
Let’s configure MDS2 to force authentication, and MDS1 to authenticate if the peer is capable and, once authenticated, to reauthenticate every 2 minutes. Mind the order: the passwords from steps 3 and 4 must be in place on both switches before fcsp on is applied, otherwise the link isolates.
MDS1(config)# int fc1/1
MDS1(config-if)# fcsp auto-active 2
MDS2(config)# int fc1/1
MDS2(config-if)# fcsp on
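Steps 3 to 5 scale badly by hand: with a unique password per switch, every switch needs a devicename entry for every other switch, so N switches need N*(N-1) entries. The script below is an added example, not code from the original post; it generates that pairwise configuration for any number of switches, with a random secret per switch and the interface mode applied last so that fcsp on never runs before the passwords exist. The two sWWNs are the ones from the post; the hostname-to-sWWN mapping, the 32-character hex secrets and the returned dictionary layout are assumptions of this example.

```python
"""Pairwise DHCHAP configuration for an N-switch MDS fabric.

Added example, not from the original post: it carries steps 3 to 5
through for any number of switches. Every switch gets its own random
secret, and every other switch gets a 'fcsp dhchap devicename' entry
for it. The hostname->sWWN mapping, the 32-character hex secrets and
the returned dict layout are assumptions of this example.
"""
import re
import secrets

# sWWN as printed by 'show wwn switch': eight colon-separated hex bytes
WWN_RE = re.compile(r"^([0-9a-f]{2}:){7}[0-9a-f]{2}$", re.IGNORECASE)


def new_secret(nbytes=16):
    """Random per-switch DHCHAP password (32 hex characters)."""
    return secrets.token_hex(nbytes)


def build_fabric_config(switches, mode="on", reauth_minutes=None,
                        interfaces=("fc1/1",), hashes=("md5",), dhgroups=(4, 2)):
    """switches: {hostname: sWWN}. Returns (configs, secret_of) where
    configs maps hostname -> list of NX-OS config lines and secret_of
    maps hostname -> that switch's local DHCHAP password (store it in a
    vault; the switch itself only ever shows '******')."""
    for name, wwn in switches.items():
        if not WWN_RE.match(wwn):
            raise ValueError(f"{name}: malformed sWWN {wwn!r}")
    if 0 in dhgroups:
        # Group 0 is the NULL DH group: no Diffie-Hellman exchange at all.
        raise ValueError("DH group 0 (NULL DH) must not be offered")
    if mode not in ("on", "auto-active", "auto-passive", "off"):
        raise ValueError(f"unknown fcsp mode {mode!r}")

    secret_of = {name: new_secret() for name in switches}
    configs = {}
    for name in switches:
        lines = [
            "feature fcsp",
            # both lists are in order of preference, as in the post
            "fcsp dhchap hash " + " ".join(hashes),
            "fcsp dhchap dhgroup " + " ".join(str(g) for g in dhgroups),
            # step 3: this switch's own password
            f"fcsp dhchap password {secret_of[name]}",
        ]
        # step 4: one entry per remote switch, keyed by the remote sWWN
        for peer, peer_wwn in switches.items():
            if peer != name:
                lines.append(f"fcsp dhchap devicename {peer_wwn} password {secret_of[peer]}")
        # step 5: interface mode with optional reauthentication interval;
        # last, so 'fcsp on' never takes effect before the passwords exist
        for intf in interfaces:
            lines.append(f"interface {intf}")
            fcsp = f"  fcsp {mode}"
            if reauth_minutes:
                fcsp += f" {reauth_minutes}"
            lines.append(fcsp)
        configs[name] = lines
    return configs, secret_of


if __name__ == "__main__":
    # the two switches from the post
    fabric = {"MDS1": "20:00:00:0d:ec:54:63:80", "MDS2": "20:00:00:0d:ec:27:4f:40"}
    cfgs, secret_of = build_fabric_config(fabric, mode="auto-active", reauth_minutes=2)
    for host, lines in cfgs.items():
        print(f"! {host}")
        print("\n".join(lines))
```

Paste each switch’s block into that switch only; the secrets dictionary is the one copy of the cleartext passwords, since show fcsp dhchap database masks them.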
6. Verify
Quick list of helpful show commands:
show fcsp interface fc1/1
show fcsp interface fc1/1 statistics
show fcsp interface fc1/1 wwn
show fcsp dhchap
show fcsp dhchap database
Here we can quickly see the authentication mode, reauthentication timeout and status of FC-SP on an interface:
MDS1# show fcsp interface fc1/1
fc1/1:
fcsp authentication mode:SEC_MODE_AUTO_ACTIVE
reauthentication timeout (in minutes):2
Status:Successfully authenticated
Authenticated using local password database
Here we can see the same information, plus statistics. The failures are me playing around and learning the order of operations (the steps at the top of this post):
MDS1# show fcsp interface fc1/1 statistics
fc1/1:
fcsp authentication mode:SEC_MODE_AUTO_ACTIVE
reauthentication timeout (in minutes):2
Status:Successfully authenticated
Authenticated using local password database
Statistics:
FC-SP Authentication Succeeded:19
FC-SP Authentication Failed:3
FC-SP Authentication Bypassed:0
FC-SP ESP SPI Mismatched frames:0
FC-SP ESP Auth failed frames:0
This is the same show command, now also showing us the remote MDS’s sWWN, which should match the devicename entry from step 4:
MDS1# show fcsp interface fc1/1 wwn
fc1/1:
fcsp authentication mode:SEC_MODE_AUTO_ACTIVE
reauthentication timeout (in minutes):2
Status:Successfully authenticated
Authenticated using local password database
Other device's WWN:20:00:00:0d:ec:27:4f:40
Here we can see the hash and Diffie-Hellman groups IDs we’re using:
MDS1# show fcsp dhchap
Supported Hash algorithms (in order of preference):
DHCHAP_HASH_MD5
Supported Diffie Hellman group ids(in order of preference):
DHCHAP_GROUP_2048
DHCHAP_GROUP_1280
Viewing the DHCHAP database
MDS1# show fcsp dhchap database
DHCHAP Local Password:
Non-device specific password:******
Other Devices' Passwords:
Password for device with WWN:20:00:00:0d:ec:27:4f:40 is ******
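Reading these show commands one interface at a time does not scale either, and a glance at the status line misses the things that matter (a port stuck in auto-passive, no reauthentication interval, a NULL DH group still offered). The script below is an added example, not code from the original post: it parses the show fcsp interface ... statistics and show fcsp dhchap output exactly as printed above (the sample text is copied from the post’s MDS1 output) and returns the findings a reviewer would want. Only SEC_MODE_AUTO_ACTIVE, DHCHAP_HASH_MD5 and the two DHCHAP_GROUP_ names appear on the page; the other mode and group strings the audit looks for are assumed to follow the same pattern.

```python
"""Audit 'show fcsp interface <x> statistics' and 'show fcsp dhchap' output.

Added example, not from the original post. The sample text is the MDS1
output shown above; only the strings present there are confirmed, the
other SEC_MODE_* / DHCHAP_GROUP_* values are assumptions.
"""

SAMPLE_INTERFACE = """\
fc1/1:
fcsp authentication mode:SEC_MODE_AUTO_ACTIVE
reauthentication timeout (in minutes):2
Status:Successfully authenticated
Authenticated using local password database
Statistics:
FC-SP Authentication Succeeded:19
FC-SP Authentication Failed:3
FC-SP Authentication Bypassed:0
FC-SP ESP SPI Mismatched frames:0
FC-SP ESP Auth failed frames:0
"""

SAMPLE_DHCHAP = """\
Supported Hash algorithms (in order of preference):
DHCHAP_HASH_MD5
Supported Diffie Hellman group ids(in order of preference):
DHCHAP_GROUP_2048
DHCHAP_GROUP_1280
"""


def parse_interface(text):
    """Turn one interface's show output into a dict of fields and counters."""
    info = {"counters": {}}
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("fcsp authentication mode:"):
            info["mode"] = line.split(":", 1)[1].strip()
        elif line.startswith("reauthentication timeout"):
            info["reauth_minutes"] = int(line.rsplit(":", 1)[1])
        elif line.startswith("Status:"):
            info["status"] = line.split(":", 1)[1].strip()
        elif line.startswith("Authenticated using"):
            info["auth_source"] = line[len("Authenticated using "):]
        elif line.startswith("FC-SP "):
            name, value = line.rsplit(":", 1)
            info["counters"][name.strip()] = int(value)
        elif line.endswith(":") and line != "Statistics:":
            info["interface"] = line[:-1]          # the "fc1/1:" header line
    return info


def parse_dhchap(text):
    """Return (hashes, groups), each in the switch's order of preference."""
    hashes, groups = [], []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("DHCHAP_HASH_"):
            hashes.append(line[len("DHCHAP_HASH_"):])
        elif line.startswith("DHCHAP_GROUP_"):
            groups.append(line[len("DHCHAP_GROUP_"):])
    return hashes, groups


def audit(iface, hashes, groups):
    """Return a list of findings; an empty list means nothing to flag."""
    findings = []
    name = iface.get("interface", "?")
    if iface.get("status") != "Successfully authenticated":
        findings.append(f"{name}: NOT authenticated (status={iface.get('status')!r})")
    mode = iface.get("mode", "")
    # only SEC_MODE_AUTO_ACTIVE is confirmed from the post; "_ON" is assumed
    if not (mode.endswith("_AUTO_ACTIVE") or mode.endswith("_ON")):
        findings.append(f"{name}: mode {mode} never initiates authentication")
    if not iface.get("reauth_minutes"):
        findings.append(f"{name}: no periodic reauthentication configured")
    counters = iface["counters"]
    failed = counters.get("FC-SP Authentication Failed", 0)
    if failed:
        findings.append(f"{name}: {failed} failed authentication attempts")
    bypassed = counters.get("FC-SP Authentication Bypassed", 0)
    if bypassed:
        findings.append(f"{name}: {bypassed} bypassed authentications (peer admitted without DHCHAP)")
    if hashes == ["MD5"]:
        findings.append("global: only MD5 offered; list sha1 first when passwords are in the local database")
    for group in groups:
        # NULL is the assumed rendering of DH group 0; 1024 is group 1
        if "NULL" in group or group == "1024":
            findings.append(f"global: weak DH group {group} offered")
    return findings


if __name__ == "__main__":
    iface = parse_interface(SAMPLE_INTERFACE)
    for finding in audit(iface, *parse_dhchap(SAMPLE_DHCHAP)):
        print(finding)
```

Feed it the output of the same commands collected from every switch (for example via a scheduled SSH job) and alert on any NOT authenticated or bypassed finding; the failed-attempt counter is also worth graphing, since a rising count on a stable link means someone is presenting the wrong secret.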
Quick template
MDS1:
feature fcsp
fcsp dhchap password MDS1
fcsp dhchap devicename 20:00:00:0d:ec:27:4f:40 password MDS2
int fc1/1
fcsp on
MDS2:
feature fcsp
fcsp dhchap password MDS2
fcsp dhchap devicename 20:00:00:0d:ec:54:63:80 password MDS1
int fc1/1
fcsp on
! Optional !
fcsp dhchap hash md5
fcsp dhchap dhgroup 4 2
int fc1/1
fcsp auto-active | auto-passive [minutes]
Another great post sir!