About DHCHAP Hash Algorithm
Cisco MDS switches support a default hash algorithm priority list of MD5 followed by SHA-1 for DHCHAP
authentication.
Tip
If you change the hash algorithm configuration, then change it globally for all switches in the fabric.
Caution
If AAA authentication for fcsp dhchap is enabled, the MD5 hash algorithm must be set if AAA authentication
uses RADIUS or TACACS+. This is because RADIUS and TACACS+ applications do not support other hash
algorithms.
Configuring the DHCHAP Hash Algorithm
To configure the hash algorithm, follow these steps:
Procedure
Step 1
switch# configure terminal
Enters configuration mode.
Step 2
switch(config)# fcsp dhchap hash sha1
Configures the use of only the SHA-1 hash algorithm.
Step 3
switch(config)# fcsp dhchap hash md5
Configures the use of only the MD5 hash algorithm.
Step 4
switch(config)# fcsp dhchap hash md5 sha1
Defines the use of the default hash algorithm priority list of MD5 followed by SHA-1 for DHCHAP
authentication.
Step 5
switch(config)# no fcsp dhchap hash sha1
Reverts to the default priority list of the MD5 hash algorithm followed by the SHA-1 hash algorithm.
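The following Python script is an added example, not part of the Cisco guide. It checks a set of switch configurations against the Tip and Caution above, flagging switches whose DHCHAP hash list differs from the rest of the fabric and switches that send DHCHAP authentication to a server group without MD5 in the list. It assumes the hash setting appears in the configuration as the fcsp dhchap hash line shown in the steps above and that RADIUS or TACACS+ use appears as an aaa authentication dhchap default group line; the function names, finding labels and sample configurations are constructed.

```python
import re
from collections import Counter

DEFAULT_HASHES = ("md5", "sha1")  # default priority list stated in the guide

# Assumption: the setting appears in the config as the command is typed.
HASH_RE = re.compile(r"^\s*fcsp dhchap hash\s+(.+?)\s*$", re.I | re.M)
# Assumption: RADIUS/TACACS+ use for DHCHAP appears as a server-group line.
AAA_RE = re.compile(r"^\s*aaa authentication dhchap default group\s+\S+",
                    re.I | re.M)


def hash_priority(config):
    """Return the effective DHCHAP hash priority list for one switch."""
    lines = HASH_RE.findall(config)
    if not lines:
        return DEFAULT_HASHES  # no explicit line: the default list applies
    # If the line occurs more than once, treat the last one as effective.
    return tuple(tok.lower() for tok in lines[-1].split())


def audit_fabric(configs):
    """Return (switch, finding) pairs for a {name: config_text} mapping."""
    if not configs:
        return []
    lists = {name: hash_priority(cfg) for name, cfg in configs.items()}
    # Tip: the list most switches use is taken as the fabric-wide setting.
    reference = Counter(lists.values()).most_common(1)[0][0]
    findings = []
    for name, cfg in configs.items():
        if lists[name] != reference:
            findings.append((name, "hash-list-differs"))
        # Caution, read here as: MD5 must be in the list when DHCHAP
        # authentication goes to a RADIUS or TACACS+ server group.
        if AAA_RE.search(cfg) and "md5" not in lists[name]:
            findings.append((name, "md5-missing-with-remote-aaa"))
    return findings


# Constructed sample configurations, not captured from real switches.
SAMPLE = {
    "mds-a": "feature fcsp\n",
    "mds-b": "feature fcsp\nfcsp dhchap hash md5 sha1\n",
    "mds-c": ("feature fcsp\nfcsp dhchap hash sha1\n"
              "aaa authentication dhchap default group TacServer\n"),
}

if __name__ == "__main__":
    for switch, finding in audit_fabric(SAMPLE):
        print(f"{switch}: {finding}")
```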
About DHCHAP Group Settings
FC-SP supports multiple DHCHAP groups. The allowed groups may be changed from the default list. The
list is configured in the order of highest to lowest priority to be used when negotiating with the FC-SP peer.
Each side compares the list of groups received with the local group list and the highest priority group is used.
Each group should be specified no more than once in the configuration command.
Cisco MDS 9000 Series Security Configuration Guide, Release 8.x
Configuring FC-SP and DHCHAP