iSCSI CHAP authentication

For additional security, iSCSI supports authentication using the Challenge Handshake Authentication Protocol (CHAP). There are two variations of iSCSI CHAP authentication: uni-directional and bi-directional, also referred to as mutual authentication.

StorONE configuration

Uni-directional authentication

Configure the Host for CHAP authentication on the appliance GUI/CLI

Host 🡪 Chap Secret

Bi-directional (mutual) authentication

Bi-directional CHAP adds another level of authentication. Uni-directional authentication must be configured first before bi-directional authentication can be used.

To enable bi-directional (mutual) authentication, also add a CHAP secret to the appliance itself in the GUI/CLI:

    1. Nodes 🡪 CHAP

    2. Chap name, Chap Secret
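How the two secrets configured above are used during login, as an added illustration (not StorONE code) of CHAP with MD5 as defined in RFC 1994 and carried in the iSCSI CHAP_I / CHAP_C / CHAP_N / CHAP_R keys. The names host_secret and node_secret are assumptions standing for the Host 🡪 Chap Secret and Nodes 🡪 CHAP values, and the secrets are constructed samples.

```python
import hashlib
import hmac
import os

def chap_response(ident: int, secret: bytes, challenge: bytes) -> bytes:
    """CHAP with MD5 (RFC 1994): MD5(identifier || secret || challenge)."""
    return hashlib.md5(bytes([ident]) + secret + challenge).digest()

def verify(ident: int, secret: bytes, challenge: bytes, response: bytes) -> bool:
    """The challenger recomputes the response with its own copy of the secret."""
    return hmac.compare_digest(chap_response(ident, secret, challenge), response)

def login(initiator_cfg: dict, appliance_cfg: dict, mutual: bool = False):
    """Simulate one iSCSI login. Returns (target_accepts, initiator_accepts);
    initiator_accepts is None when the target is never asked to prove itself."""
    # Target -> initiator: CHAP_I (identifier) and CHAP_C (random challenge).
    t_id, t_chal = 1, os.urandom(16)
    # Initiator -> target: CHAP_N (its IQN) and CHAP_R, keyed with the host secret.
    r_host = chap_response(t_id, initiator_cfg["host_secret"], t_chal)
    if not verify(t_id, appliance_cfg["host_secret"], t_chal, r_host):
        return False, None                 # appliance rejects the login
    if not mutual:
        return True, None                  # uni-directional: target is not verified
    # Mutual: the initiator also sent its own CHAP_I / CHAP_C to the target.
    i_id, i_chal = 2, os.urandom(16)
    # Target -> initiator: CHAP_N (node CHAP name) and CHAP_R, keyed with the node secret.
    r_node = chap_response(i_id, appliance_cfg["node_secret"], i_chal)
    return True, verify(i_id, initiator_cfg["node_secret"], i_chal, r_node)

# Constructed sample secrets, for illustration only.
APPLIANCE = {"host_secret": b"host-secret-001", "node_secret": b"node-secret-001"}
INITIATOR = {"host_secret": b"host-secret-001", "node_secret": b"node-secret-001"}

if __name__ == "__main__":
    print("uni-directional:", login(INITIATOR, APPLIANCE))
    print("mutual:         ", login(INITIATOR, APPLIANCE, mutual=True))
    stale = dict(INITIATOR, node_secret=b"old-node-secret")
    print("mutual, stale node secret on initiator:", login(stale, APPLIANCE, mutual=True))
```

A mismatch in the host secret makes the appliance reject the login, while a mismatch in the node secret makes the initiator reject the appliance, which helps locate which side holds the wrong value when a mutual login fails.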

Windows initiator configuration

Uni-directional authentication

In the Windows iSCSI initiator properties dialog:

  1. Select the StorONE target and click Connect

  2. In the Connect To Target dialog, select Advanced...

  3. Check the Enable CHAP log on box, and enter the host name (initiator IQN) and the target secret. The target secret should be the same secret you configured on the StorONE system.

  4. If your StorONE system is a dual-node high availability (HA) system, repeat these steps for the other controller node target.

Bi-directional (mutual) authentication

In the Windows iSCSI Initiator Properties dialog:

  1. Open the iSCSI Initiator Properties dialog and choose CHAP.
  2. Configure the initiator CHAP secret, using the same secret as configured in the appliance GUI/CLI Nodes 🡪 CHAP dialog.
  3. Connect to the iSCSI target.
  4. Open the Advanced dialog.
  5. Enable CHAP log on and enter the host CHAP name (initiator IQN) and CHAP secret. Check the Perform mutual authentication box.
  6. Perform this operation for both HA appliance nodes.

ESXi initiator configuration using VMware vCenter

Uni-directional authentication

  1. Go to ESX-Host 🡪 Configure 🡪 Storage Adapters 🡪 iSCSI Software Adapter
  2. Use Dynamic Discovery 🡪 ADD
  3. In the Add Send Target Server pop-up window, un-check the inherit authentication option.
  4. Enter the following in the detailed authentication pop-up window:
    • Choose the Authentication Method – Use unidirectional CHAP
    • Check the Use initiator name checkbox to auto-fill the ESXi host IQN, and enter the Secret you configured on the StorONE system.

  5. Perform this operation for both HA appliance node targets.

Bi-directional (mutual) authentication

  1. Go to ESX-Host 🡪 Configure 🡪 Storage Adapters 🡪 iSCSI Software Adapter
  2. Use Dynamic Discovery 🡪 ADD
  3. In the Add Send Target Server pop-up window, un-check the inherit authentication option.
  4. Enter the following in the detailed authentication pop-up window:
    • Choose the Authentication Method – Use bidirectional CHAP
    • Check the Use initiator name checkbox to auto-fill the ESXi host IQN, and enter the Secret you configured on the StorONE system.
  5. On the Incoming CHAP Credentials section, specify the Name and Secret you configured on the StorONE system.
  6. Perform this operation for both HA appliance nodes.