08-10-2009 03:42 AM
All our switches are on Fabric OS v6.1.0. There is a need to manage the user accounts on all the SAN switches in a fabric from a single switch (new user creations or a password changed by a specific user is propagated to the remaining switches in the fabric instantly).
Due to some reasons, we do not want to use LDAP or radius for the user management. I think I can use the command
distribute -p PWD -d <switchlist> to propagate the user accounts from one switch in a fabric to remaining switches in the fabric and it also seems to be the easiest way.
But, my concern is "when a new user account is added to the existing database from a switch and the database is then propagated to the other switches, this will replace the passwords of the existing users on the receiving switches with those of the current switch," and at this point, all the users may not have the same passwords on all the switches in the fabric. This will lead to confusion among the users.
Is there any other way that I can use to get this done? i.e.,
1. Manage the user database from a single switch
2. Any password changes on one switch in a fabric are immediately propagated to the remaining switches, thus changing the password instantly on all the SAN switches in the fabric for the particular user?
3. I've heard about FCS policies, but I am not able to find good information on their uses and how they enforce the policies. And is a reboot of a SAN switch required to create an FCS policy?
Any help would be appreciated.
08-11-2009 12:17 AM
Due to a security reason (this is my opinion, but another story), I have never used this feature to distribute the same PW to all switches.
For this reason I have no experience with the PW distribution, but I think you must first, according to the Command Reference Guide, create / add a policy.
Please refer to the CLI Guide for the "setPolicyxxxx" commands.
08-11-2009 08:49 AM
I would try to understand *why* you're being told to manage your switches in this fashion. The overhead of multiple account management across different switches is neither secure nor an efficient way to manage your switches securely. You can use RBAC and admin domains if you need to have different admins for a subset of switches w/in your fabrics but you're much better serviced by using a single point of account management. I've been in similar environments and sometimes you need to educate management and security officers ;-)
08-11-2009 09:48 AM
I wrote in my previous post "( this is my opinion but another story )"
--->>>.... and sometimes you need to educate management and security officers ;-)
At this time, it is not necessary to educate some officers as you mentioned, for the following reason:
This person, I am myself.
And I force nobody here to do what I say.
I have just only posted an answer to this thread w/o any obligation.