Description Creates groups, manages membership within the group, and manages the membership of groups in security sets.
IMPORTANT: This command is available only with the SANtegrity Enhanced PFE key.
Authority Admin session and a Security Edit session. See the Security command for information about starting a Security Edit session. The List, Members, Securitysets, and Type operands are available without an Admin session.
Syntax group
add [group]
copy [group_source] [group_destination]
create [group] [type]
delete [group]
edit [group] [member]
list
members [group]
remove [group] [member_list]
rename [group_old] [group_new]
securitysets [group]
type [group]
Operands
add [group]
Initiates an editing session in which to specify a group member and its attributes for the existing group given by [group]. ISL, Port, and MS member attributes are described in Table 6, Table 7, and Table 8 respectively. The group name and group type attributes are read-only fields common to all three tables.
Table 6 ISL Group member attributes
Attribute Description
Member WWN of the switch that would attach to the switch. A member cannot belong to more than one group.
Authentication Enables (CHAP) or disables (None) authentication using Challenge Handshake Authentication Protocol. The default is None.
Primary Hash The preferred hash function to use to decipher the encrypted Primary Secret sent by the ISL member. The hash functions are MD5 or SHA-1. If the ISL member does not support the Primary Hash, the switch will use the Secondary Hash.
Primary Secret Hexadecimal string that is encrypted by the Primary Hash for authentication with the ISL group member. The string has the following lengths, depending on the Primary Hash function:
• MD5 hash: 16-byte
• SHA-1 hash: 20-byte
Secondary Hash
Hash function to use to decipher the encrypted Secondary Secret sent by the ISL group member. Hash values are MD5 or SHA-1. The Secondary Hash is used when the Primary Hash is not available on the ISL group member. The Primary Hash and the Secondary Hash cannot be the same.
NOTE: Secondary Hash is not supported when connecting to other McDATA products.
Secondary Secret
Hex string that is encrypted by the Secondary Hash and sent for authentication. The string has the following lengths depending on the Secondary Hash function:
• MD5 hash: 16-byte
• SHA-1 hash: 20-byte
NOTE: Secondary Secret is not supported when connecting to other McDATA products.
Binding Domain ID of the switch to which to bind the ISL group member WWN. This option is available only if FabricBindingEnabled is set to True using the Set Config Security command. 0 (zero) specifies no binding.
Table 7 Port Group member attributes
Attribute Description
Member WWPN for the N_Port device that would attach to the switch. A member cannot belong to more than one group.
Authentication Enables (CHAP) or disables (None) authentication using Challenge Handshake Authentication Protocol. The default is None.
Primary Hash The preferred hash function to use to decipher the encrypted Primary Secret sent by the Port group member. The hash functions are MD5 or SHA-1. If the Port group member does not support the Primary Hash, the switch will use the Secondary Hash.
Primary Secret Hexadecimal string that is encrypted by the Primary Hash for authentication with the Port group member. The string has the following lengths, depending on the Primary Hash function:
• MD5 hash: 16-byte
• SHA-1 hash: 20-byte
Secondary Hash
Hash function to use to decipher the encrypted Secondary Secret sent by the Port group member. Hash values are MD5 or SHA-1. The Secondary Hash is used when the Primary Hash is not available on the Port group member. The Primary Hash and the Secondary Hash cannot be the same.
NOTE: Secondary Hash is not supported when connecting to other McDATA products.
Secondary Secret
Hex string that is encrypted by the Secondary Hash and sent for authentication. The string has the following lengths depending on the Secondary Hash function:
• MD5 hash: 16-byte
• SHA-1 hash: 20-byte
NOTE: Secondary Secret is not supported when connecting to other McDATA products.
Table 8 MS Group member attributes
Attribute Description
Member WWPN for the N_Port device that would attach to the switch
CTAuthentication Common Transport (CT) authentication. Enables (True) or disables (False) authentication for MS group members. The default is False.
Hash The hash function to use to decipher the encrypted Secret sent by the MS group member. Hash values are MD5 or SHA-1.
Secret Hexadecimal string that is encrypted by the Hash function for authentication with MS group members. The string has the following lengths depending on the Hash function:
• MD5 hash: 16-byte
• SHA-1 hash: 20-byte
copy [group_source] [group_destination]
Creates a new group named [group_destination] and copies the membership into it from the group given by [group_source].
create [group] [type]
Creates a group with the name given by [group] and the type given by [type]. A group name must begin with a letter and be no longer than 64 characters. Valid characters are 0-9, A-Z, a-z, _, $, ^, and -. The security database supports a maximum of 16 groups. If you omit [type], ISL is used. [type] can be one of the following:
ISL
Configures security for attachments to other switches.
edit [group] [member]
Initiates an editing session in which to change the attributes of a WWN given by [member] in a group given by [group]. Member attributes that can be changed are described in Table 9.
Table 9 Group member attributes
Attribute Description
Authentication (ISL and Port Groups)
Enables (CHAP) or disables (None) authentication using Challenge Handshake Authentication Protocol. The default is None.
CTAuthentication (MS Groups)
CT authentication. Enables (True) or disables (False) authentication for MS group members. The default is False.
Primary Hash (ISL and Port Groups)
The preferred hash function to use to decipher the encrypted Primary Secret sent by the member. The hash functions are MD5 or SHA-1. If the member does not support the Primary Hash, the switch will use the Secondary Hash.
Hash (MS Groups)
The hash function to use to decipher the encrypted Secret sent by the MS group member. Hash values are MD5 or SHA-1.
Primary Secret (ISL and Port Groups)
Hexadecimal string that is encrypted by the Primary Hash for authentication with the member. The string has the following lengths depending on the Primary Hash function:
• MD5 hash: 16-byte
• SHA-1 hash: 20-byte
Secondary Hash (ISL and Port Groups)
Hash function to use to decipher the encrypted Secondary Secret sent by the group member. Hash values are MD5 or SHA-1. The Secondary Hash is used when the Primary Hash is not available on the group member. The Primary Hash and the Secondary Hash cannot be the same.
NOTE: Secondary Hash is not supported when connecting to other McDATA products.
Secondary Secret (ISL and Port Groups)
Hex string that is encrypted by the Secondary Hash and sent for authentication. The string has the following lengths, depending on the Secondary Hash function:
• MD5 hash: 16-byte
• SHA-1 hash: 20-byte
NOTE: Secondary Secret is not supported when connecting to other McDATA products.
Secret (MS Groups)
Hexadecimal string that is encrypted by the Hash function for authentication with MS group members. The string has the following lengths, depending on the Hash function:
• MD5 hash: 16-byte
• SHA-1 hash: 20-byte
list
Displays a list of all groups and the security sets of which they are members. This operand is available without an Admin session.
members [group]
Displays all members of the group given by [group]. This operand is available without an Admin session.
remove [group] [member_list]
Removes the port/device WWNs given by [member_list] from the group given by [group]. Use a <space> to delimit multiple member names in [member_list].
rename [group_old] [group_new]
Renames the group given by [group_old] to the group given by [group_new].
securitysets [group]
Displays the list of security sets of which the group given by [group] is a member. This operand is available without an Admin session.
type [group]
Displays the group type for the group given by [group]. This operand is available without an Admin session.
Notes Primary and secondary secrets are not included in a switch configuration backup. Therefore, after restoring a switch configuration, you must re-enter the primary and secondary secrets. Otherwise, the switch will isolate because of an authentication failure.
The secondary hash and secondary secret are not supported for connections to other McDATA products.
Refer to the Securityset command for information about managing groups in security sets.
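The rules this page states for group create (naming rules, the 16-group limit) and for ISL and Port group members in Tables 6 through 9 (secret length per hash, Primary Hash and Secondary Hash must differ), together with the post-restore case from the Notes (CHAP enabled but no secret re-entered), as a checker written for this page; it is not McDATA code, and the dictionary keys and sample values are assumptions made for the example.

```python
import re

# Rules from this page (group create, Tables 6-9); the dict keys mirror the CLI
# prompts but are this example's assumption, not the switch's data format.
NAME_RE = re.compile(r"[A-Za-z][0-9A-Za-z_$^-]{0,63}")  # letter first, at most 64 chars
MAX_GROUPS = 16
SECRET_BYTES = {"MD5": 16, "SHA-1": 20}  # 16-byte / 20-byte secrets

def valid_group_name(name: str) -> bool:
    return NAME_RE.fullmatch(name) is not None

def valid_secret(secret: str, hash_name: str) -> bool:
    """An n-byte secret is entered as 2n hex digits or as n printable ASCII characters."""
    n = SECRET_BYTES[hash_name]
    if len(secret) == 2 * n and re.fullmatch(r"[0-9A-Fa-f]+", secret):
        return True
    return len(secret) == n and secret.isascii() and secret.isprintable()

def secret_issues(field: str, secret: str, hash_name: str) -> list:
    n = SECRET_BYTES[hash_name]
    if valid_secret(secret, hash_name):
        return []
    return [f"{field} must be {2 * n} hex or {n} ASCII chars for {hash_name}"]

def check_member(member: dict) -> list:
    """Issues for one ISL or Port group member (an empty list means it is consistent)."""
    if member.get("Authentication", "None").upper() != "CHAP":
        return []  # authentication disabled: hash and secret fields are unused
    primary = member.get("PrimaryHash", "MD5").upper()
    secondary = member.get("SecondaryHash", "None").upper()
    issues = []
    if primary not in SECRET_BYTES:
        issues.append("PrimaryHash must be MD5 or SHA-1")
    else:  # an empty secret here is what a restored configuration looks like
        issues += secret_issues("PrimarySecret", member.get("PrimarySecret", ""), primary)
    if secondary != "NONE":
        if secondary == primary:
            issues.append("Primary Hash and Secondary Hash cannot be the same")
        elif secondary not in SECRET_BYTES:
            issues.append("SecondaryHash must be MD5, SHA-1 or None")
        else:
            issues += secret_issues("SecondarySecret", member.get("SecondarySecret", ""), secondary)
    return issues

def check_group_names(names: list) -> list:
    """Naming rules and the 16-group limit of the security database."""
    issues = [f"invalid group name: {n}" for n in names if not valid_group_name(n)]
    if len(names) > MAX_GROUPS:
        issues.append(f"more than {MAX_GROUPS} groups")
    return issues
```

Running check_member over every CHAP member after a configuration restore lists exactly the entries whose secrets still have to be re-entered before the switch isolates on an authentication failure.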
Examples The following is an example of the Group Add command:
McDATA4GbSAN (admin-security) #> group add Group_1
A list of attributes with formatting and default values will follow
Enter a new value or simply press the ENTER key to accept the current value with exception of the Group Member WWN field which is mandatory.
If you wish to terminate this process before reaching the end of the list press 'q' or 'Q' and the ENTER key to do so.
Group Name Group_1
Group Type ISL
Member (WWN) [00:00:00:00:00:00:00:00] 10:00:00:c0:dd:00:90:a3
Authentication (None / Chap) [None ] chap
PrimaryHash (MD5 / SHA-1) [MD5 ]
PrimarySecret (32 hex or 16 ASCII char value) [ ] 0123456789abcdef
SecondaryHash (MD5 / SHA-1 / None) [None ]
SecondarySecret (40 hex or 20 ASCII char value) [ ]
Binding (domain ID 97-127, 0=None) [0 ]
Finished configuring attributes.
The following is an example of the Group Edit command:
McDATA4GbSAN (admin-security) #> group edit G1 10:00:00:c0:dd:00:90:a3
A list of attributes with formatting and current values will follow.
Enter a new value or simply press the ENTER key to accept the current value.
If you wish to terminate this process before reaching the end of the list press 'q' or 'Q' and the ENTER key to do so.
Group Name g1
Group Type ISL
Group Member 10:00:00:c0:dd:00:90:a3
Authentication (None / Chap) [None] chap
PrimaryHash (MD5 / SHA-1) [MD5 ] sha-1
PrimarySecret (40 hex or 20 ASCII char value) [ ] 1234567890123456789
SecondaryHash (MD5 / SHA-1 / None) [None] md5
SecondarySecret (32 hex or 16 ASCII char value) [ ] 1234567890123456
Binding (domain ID 97-127, 0=None) [3 ]
Finished configuring attributes.
To discard this configuration use the security cancel command.
The following is an example of the Group List command:
McDATA4GbSAN #> group list
Group SecuritySet
--- ---
group1 (ISL) alpha
group2 (Port) alpha
The following is an example of the Group Members command:
McDATA4GbSAN #> group members group1
Current list of members for Group: group1
---
10:00:00:c0:dd:00:71:ed
10:00:00:c0:dd:00:72:45
10:00:00:c0:dd:00:90:ef
10:00:00:c0:dd:00:b8:b7
See also
Security command, page 139
Securityset command, page 142