Configuring the FA authentication key on an interface

On the FA Server, you can configure an authentication key on an interface (port, static MLT, or LACP MLT) to authenticate a client or proxy device on that interface. The authentication key is stored in encrypted form when you save the configuration on the FA Server.

Before you begin

Ensure that:

  • On the FA Server, FA is enabled globally and also on the interface.

  • FA message authentication is enabled on the interface.

    Note

    By default, enabling FA enables message authentication. The authentication key is set to the default value and the system displays the encrypted authentication key in the output.

About this task

Use this procedure to configure an FA authentication key on a specified port or on all ports of an MLT on the switch. If you do not configure an authentication key, the default value is used. If you specify a key, it overrides the default value. When you execute the save config command, the key is stored in encrypted format in a file separate from the configuration file.

Caution

For an FA Client or an FA Proxy device to successfully authenticate and attach to the FA Server, the authentication key must match on both the client and the server. If the authentication key is changed on the FA Server switch, it must correspondingly be changed on the FA Client or Proxy attached to it, for FA to operate properly.

Procedure

  1. Enter Interface Configuration mode:

    enable

    configure terminal

    interface GigabitEthernet {slot/port[/sub-port][-slot/port[/sub-port]][,...]}

    or

    interface mlt <1-512>

    Note

    If the platform supports channelization and the port is channelized, you must also specify the sub-port in the format slot/port/sub-port.

  2. Configure the FA authentication key:

    fa authentication-key WORD<0-32>

  3. Optional: Configure the default FA authentication key:

    default fa authentication-key

Example

Switch:1>en
Switch:1#conf t
Enter configuration commands, one per line.  End with CNTL/Z.

Enable FA and message authentication on a port. Configure the authentication key phone-network on the port.

Switch:1(config)#interface gigabitEthernet 1/2
Switch:1(config-if)#fa enable
Switch:1(config-if)#fa message-authentication
Switch:1(config-if)#fa authentication-key phone-network
Switch:1(config-if)#exit
Switch:1(config)#

Enable FA and message authentication on an MLT. Configure the authentication key client-network on the MLT.

Switch:1(config)#interface mlt 10
Switch:1(config-mlt)#fa enable
Switch:1(config-mlt)#fa message-authentication
Switch:1(config-mlt)#fa authentication-key client-network

Verify the configuration of the FA authentication key. The system displays the encrypted authentication key in the output.

Switch:1(config-if)#show fa interface  

===================================================================
                            Fabric Attach Interfaces
===================================================================
INTERFACE    SERVER   MGMT     MGMT     MSG AUTH MSG AUTH   ORIGIN     
             STATUS   ISID     CVID     STATUS   KEY          
-------------------------------------------------------------------
Port1/2      enabled  0        0        enabled  ****         
MLT10        enabled  0        0        enabled  ****         

-------------------------------------------------------------------
 2 out of 2 Total Num of fabric attach interfaces displayed
-------------------------------------------------------------------
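
The following Python script is an added example, not part of the original documentation or the vendor's tooling. It parses captured show fa interface output in the layout shown above and lists interfaces where FA is enabled but message authentication is not. The Port1/3 row and the status value "disabled" are assumptions constructed for illustration.

```python
import re

# Constructed sample in the layout shown on this page; the Port1/3 row and the
# "disabled" status value are assumptions added for illustration.
SAMPLE = """\
===================================================================
                            Fabric Attach Interfaces
===================================================================
INTERFACE    SERVER   MGMT     MGMT     MSG AUTH MSG AUTH   ORIGIN
             STATUS   ISID     CVID     STATUS   KEY
-------------------------------------------------------------------
Port1/2      enabled  0        0        enabled  ****
MLT10        enabled  0        0        enabled  ****
Port1/3      enabled  0        0        disabled ****

-------------------------------------------------------------------
 3 out of 3 Total Num of fabric attach interfaces displayed
-------------------------------------------------------------------
"""

# Data rows start with PortX/Y or MLTn; header and separator lines never match.
ROW = re.compile(
    r"^(?P<interface>(?:Port|MLT)\S+)\s+(?P<server>\S+)\s+(?P<isid>\d+)\s+"
    r"(?P<cvid>\d+)\s+(?P<msg_auth>\S+)\s+(?P<key>\S+)"
)
COUNT = re.compile(r"^\s*(\d+) out of (\d+) Total Num of fabric attach interfaces")


def parse_fa_interfaces(text):
    """Return (rows, displayed_count) parsed from 'show fa interface' output."""
    rows, displayed = [], None
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            rows.append(m.groupdict())
            continue
        c = COUNT.match(line)
        if c:
            displayed = int(c.group(1))
    return rows, displayed


def audit(text):
    """List interfaces with FA enabled but message authentication not enabled."""
    rows, displayed = parse_fa_interfaces(text)
    # Cross-check against the footer so a truncated capture is not silently trusted.
    if displayed is not None and displayed != len(rows):
        raise ValueError(f"parsed {len(rows)} rows, footer says {displayed}")
    return [r["interface"] for r in rows
            if r["server"] == "enabled" and r["msg_auth"] != "enabled"]
```

Because the key column is masked, this output cannot show whether an interface still uses the default key; the check covers message authentication status only.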

Variable Definitions

The following table defines parameters for the fa authentication-key command.

Variable       Value

WORD<0-32>     Specifies the authentication key on the port or MLT.