Authentication in Fabric Manager
Fabric Manager contains interdependent software components that communicate with the switches in your fabric. These components use varying methods to authenticate to other components and switches. This chapter describes these authentication steps and the recommended authentication configuration for your fabric and components.
This chapter contains the following sections:
• Information About Fabric Manager Authentication
• Authenticating Performance Manager
• Authenticating Fabric Manager Web Server
Information About Fabric Manager Authentication
Fabric Manager contains multiple components that interact to manage a fabric.
These components include the following:
• Fabric Manager Client
• Fabric Manager Server
• Performance Manager
• Interconnected fabric of Cisco SAN switches and storage devices
• AAA server (optional)
Figure 4-1 shows an example configuration for these components.
Figure 4-1 Fabric Manager Authentication Example
Administrators launch Fabric Manager Client and select the seed switch that is used to discover the fabric. The user name and password used are passed to Fabric Manager Server and are used to authenticate access to the seed switch. If this user name and password are not a recognized SNMP user name and password, either Fabric Manager Client or Fabric Manager Server opens a CLI session to the switch (SSH or Telnet) and retries the user name and password pair. If the user name and password are recognized by the switch in either the local switch authentication database or through a remote AAA server, then the switch creates a temporary SNMP user name that is used by Fabric Manager Client and Fabric Manager Server.
Note: You may encounter a delay in authentication if you use a remote AAA server to authenticate Fabric Manager or Device Manager.
Note: You must allow CLI sessions to pass through any firewall that exists between Fabric Manager Client and Fabric Manager Server. See the "Running Fabric Manager Behind a Firewall" section on page 2-19.
Note: We recommend that you use the same password for the SNMPv3 user name authentication and privacy passwords as well as the matching CLI user name and password.
Discovering a Fabric
Fabric Manager Server monitors multiple physical fabrics under the same user interface. This facilitates managing redundant fabrics. A licensed Fabric Manager Server maintains up-to-date discovery information on all configured fabrics so that device status and interconnections are immediately available when you launch Fabric Manager Client.
We recommend that you use the steps described in the following sections for discovering your network and setting up Performance Manager. This procedure ensures that Fabric Manager Server has a complete view of the fabric. Subsequent Fabric Manager Client sessions can filter this complete view based on the privileges of the client logging in. For example, if you have multiple VSANs in your fabric and you create users that are limited to a subset of these VSANs, you want to initiate a fabric discovery through Fabric Manager Server using a network administrator or network operator role so that Fabric Manager Server has a view of all the VSANs in the fabric. When a VSAN-limited user launches Fabric Manager Client, that user sees only the VSANs they are allowed to manage.
Note: Fabric Manager Server should always monitor fabrics using a local switch account. Do not use a AAA (RADIUS or TACACS+) server. You can use a AAA user account to log into the clients to provision fabric services. For more information on Fabric Manager Server fabric monitoring, see the "Managing a Fabric Manager Server Fabric" section on page 3-3.
Setting Up Discovery for a Fabric
To ensure that Fabric Manager Server discovers your complete fabric, perform this task:
Step 1 Create a special Fabric Manager administrative user name in each switch on your fabric with network administrator or network operator roles.
You can alternatively create a special Fabric Manager administrative user name in your AAA server and set every switch in your fabric to use this AAA server for authentication.
Step 2 Verify that the roles used by this Fabric Manager administrative user name are the same on all switches in the fabric and that this role has access to all VSANs.
Step 3 Launch Fabric Manager Client using the Fabric Manager administrative user.
This step ensures that your fabric discovery includes all VSANs.
Step 4 Set Fabric Manager Server to continuously monitor the fabric.
See the "Managing a Fabric Manager Server Fabric" section on page 3-3.
Step 5 Repeat Step 4 for each fabric that you want to manage through Fabric Manager Server.
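Step 1 and Step 2 can be checked mechanically once the user and role settings of each switch have been collected. The following Python script is an added example, not Cisco code; the account name fmadmin, the inventory layout, and the sample switches are assumptions constructed for illustration.

```python
# Added example: audit the Fabric Manager discovery account across a fabric.
# INVENTORY is constructed sample data standing in for settings collected
# from each switch; its layout is an assumption, not a Cisco format.

FM_USER = "fmadmin"  # hypothetical account name
ALLOWED_ROLES = {"network-admin", "network-operator"}

# "vsans": "all" means the role is not restricted to a subset of VSANs.
INVENTORY = {
    "switch-a": {"users": {"fmadmin": {"role": "network-operator", "local": True}},
                 "roles": {"network-operator": {"vsans": "all"}}},
    "switch-b": {"users": {"fmadmin": {"role": "san-ops", "local": True}},
                 "roles": {"san-ops": {"vsans": [10, 20]}}},
    "switch-c": {"users": {"fmadmin": {"role": "network-operator", "local": False}},
                 "roles": {"network-operator": {"vsans": "all"}}},
    "switch-d": {"users": {}, "roles": {}},
}

def audit(inventory, user=FM_USER):
    """Return a sorted list of (switch, finding) for the discovery account."""
    findings = []
    roles_seen = {}
    for switch, cfg in inventory.items():
        acct = cfg["users"].get(user)
        if acct is None:
            findings.append((switch, "account missing"))
            continue
        role = acct["role"]
        roles_seen.setdefault(role, []).append(switch)
        if role not in ALLOWED_ROLES:
            findings.append((switch, f"role {role} is not network-admin/operator"))
        # Step 2: the role must have access to all VSANs.
        if cfg["roles"].get(role, {}).get("vsans") != "all":
            findings.append((switch, f"role {role} does not cover all VSANs"))
        # Note above: the server should monitor with a local switch account.
        if not acct["local"]:
            findings.append((switch, "account is AAA-only, not local"))
    if len(roles_seen) > 1:
        # Step 2: the role must be the same on every switch; flag the outliers.
        majority = max(roles_seen, key=lambda r: len(roles_seen[r]))
        for role, switches in roles_seen.items():
            if role != majority:
                findings.extend((s, f"role differs from {majority}") for s in switches)
    return sorted(findings)

if __name__ == "__main__":
    for switch, finding in audit(INVENTORY):
        print(f"{switch}: {finding}")
```

An empty result means the discovery account satisfies Step 1 and Step 2 on every switch in the inventory.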
Authenticating Performance Manager
Performance Manager uses the user name and password information stored in the Fabric Manager Server database. If this information changes on the switches in your fabric while Performance Manager is running, you need to update the Fabric Manager Server database and restart Performance Manager. Updating the Fabric Manager Server database requires removing the fabric from Fabric Manager Server and rediscovering the fabric.
To update the user name and password information used by Performance Manager, perform this task:
Step 1 Click Server > Admin in Fabric Manager.
You see the Control Panel dialog box with the Fabrics tab open, as shown in Figure 4-2.
Figure 4-2 Fabrics Tab in Control Panel Dialog Box
Step 2 Click the fabrics that have updated user name and password information.
Step 3 Click Remove to remove these fabrics from Fabric Manager Server.
Step 4 Choose File > Open Fabric.
You see the Control Panel dialog box as shown in Figure 4-3.
Figure 4-3 Control Panel Dialog Box
Step 5 Enter the appropriate user name and password to rediscover the fabric and check the check boxes in the Select column next to the fabrics that you want to open.
Step 6 Click Open to rediscover the fabric.
Fabric Manager Server updates its user name and password information.
Step 7 Repeat Step 4 through Step 6 for any fabric that you need to rediscover.
Step 8 Choose Performance > Collector > Restart to restart Performance Manager and use the new user name and password.
Authenticating Fabric Manager Web Server
Fabric Manager Web Server does not communicate directly with any switches in the fabric. Fabric Manager Web Server uses its own user name and password combination that is either stored locally or stored remotely on an AAA server.
We recommend that you use a RADIUS or TACACS+ server to authenticate users in Fabric Manager Web Server.
To configure Fabric Manager Web Server to use RADIUS authentication, perform this task:
Step 1 Launch Fabric Manager Web Server.
Step 2 Choose Admin > Web Users to update the authentication used by Fabric Manager Web Server.
Step 3 Click AAA.
Step 4 Set the authentication mode attribute to radius.
Step 5 Set the RADIUS server name, shared secret, authentication method, and ports used for up to three RADIUS servers.
Step 6 Click Modify to save this information.
To configure Fabric Manager Web Server to use TACACS+ authentication, perform this task:
Step 1 Launch Fabric Manager Web Server.
Step 2 Choose Admin > Web Users to update the authentication used by Fabric Manager Web Server.
Step 3 Click AAA.
Step 4 Set the authentication mode attribute to tacacs.
Step 5 Set the TACACS+ server name, shared secret, authentication method, and port used for up to three TACACS+ servers.
Step 6 Click Modify to save this information.