CHAP Authentication Configuration
There are two options for configuring iSCSI CHAP authentication: uni-directional and bi-directional. Bi-directional authentication is also referred to as mutual authentication.
Appliance (Target) configuration
Uni-directional authentication
Configure the Host for CHAP authentication on the appliance GUI/CLI
Host 🡪 Chap Secret
Bi-directional (mutual) authentication
Bi-directional CHAP adds another level of authentication. Uni-directional authentication must be configured first before bi-directional authentication can be used.
To enable bi-directional (mutual) authentication, also add a CHAP secret to the appliance in the GUI/CLI:
- Nodes 🡪 CHAP
- Chap name, Chap Secret
Windows initiator configuration
Uni-directional authentication
Configure on the Windows iSCSI initiator
- Connect iSCSI Target
- Use advanced dialogue
- Enable CHAP log on
- Enter the Host Chap-name (initiator iqn) and Chap-secret
The Target Secret should be the same as configured in the GUI/CLI Host dialogue
- Perform this operation for both HA nodes
Bi-directional (mutual) authentication
Configure on the Windows initiator
- Open iSCSI initiator properties, choose CHAP
- Configure the initiator CHAP secret using the same secret as configured on the appliance GUI/CLI Node 🡪 CHAP dialogue
- Connect iSCSI Target
- Use advanced dialogue
- Enable CHAP log on
- Enter the Host Chap-name (initiator iqn) and Chap-secret
- Choose the CHAP option - “Perform mutual authentication”
- Perform this operation for both HA appliance nodes
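The Windows bi-directional steps above can also be scripted with the built-in iSCSI cmdlets. The script below is an added example, not taken from the appliance documentation. It assumes the two portal addresses shown (constructed placeholders, one per HA node) and that target discovery itself does not require CHAP.

```powershell
# Added example: scripted form of the Windows mutual-CHAP steps above.
# Portal addresses are constructed placeholders (RFC 5737 documentation range).
$portals = @('192.0.2.10', '192.0.2.11')   # one per HA appliance node

function Read-Secret([string]$Prompt) {
    # Prompt without echo so secrets are not stored in the script or history.
    # The iSCSI cmdlets take plain strings, so convert only in memory.
    $s = Read-Host -Prompt $Prompt -AsSecureString
    [System.Net.NetworkCredential]::new('', $s).Password
}

$hostSecret = Read-Secret 'Host CHAP secret (appliance Host -> Chap Secret)'
$nodeSecret = Read-Secret 'Node CHAP secret (appliance Nodes -> CHAP)'

foreach ($secret in $hostSecret, $nodeSecret) {
    # The Microsoft initiator accepts 12-16 character secrets unless IPsec is used.
    if ($secret.Length -lt 12 -or $secret.Length -gt 16) {
        throw 'CHAP secrets must be 12 to 16 characters long.'
    }
}
# One secret for both directions weakens mutual CHAP; require two.
if ($hostSecret -ceq $nodeSecret) { throw 'Use a different secret for each direction.' }

# The CHAP name is the initiator IQN, as in the dialogue steps above.
$iqn = (Get-InitiatorPort | Where-Object ConnectionType -eq 'iSCSI' |
        Select-Object -First 1).NodeAddress

# Secret the initiator uses to verify the appliance
# (iSCSI initiator properties -> CHAP in the GUI).
Set-IscsiChapSecret -ChapSecret $nodeSecret

foreach ($addr in $portals) {
    $portal = New-IscsiTargetPortal -TargetPortalAddress $addr
    Get-IscsiTarget -IscsiTargetPortal $portal |
        Where-Object { -not $_.IsConnected } |
        ForEach-Object {
            Connect-IscsiTarget -NodeAddress $_.NodeAddress -TargetPortalAddress $addr `
                -AuthenticationType MUTUALCHAP -ChapUsername $iqn `
                -ChapSecret $hostSecret -IsPersistent $true
        }
}

# Confirm every session negotiated mutual CHAP rather than falling back.
Get-IscsiSession | Select-Object TargetNodeAddress, AuthenticationType, IsConnected
```

For uni-directional authentication, skip the Set-IscsiChapSecret call and use -AuthenticationType ONEWAYCHAP.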
ESXi initiator configuration using vCenter
Uni-directional authentication
- Configure on the ESXi iSCSI initiator
Choose ESX-Host 🡪 Configure 🡪 Storage Adapters 🡪 iSCSI Software Adapter
Use Dynamic Discovery 🡪 ADD
On the Add Send Target Server pop-up window, un-check the inherit authentication option
- Enter the following in the detailed authentication pop-up window
Choose the Authentication Method – Use unidirectional CHAP
Tick the use initiator name option to fill in the ESXi host IQN, and enter the secret as defined on the appliance GUI/CLI Host 🡪 Chap secret dialogue
- Perform this operation for both HA appliance nodes
Bi-directional (mutual) authentication
- Configure on the ESXi iSCSI initiator
Choose ESX-Host 🡪 Configure 🡪 Storage Adapters 🡪 iSCSI Software Adapter
Use Dynamic Discovery 🡪 ADD
On the Add Send Target Server pop-up window, un-check the inherit authentication option
- Enter the following in the detailed authentication pop-up window
Choose the Authentication Method – Use bidirectional CHAP
Tick the use initiator name option to fill in the ESXi host IQN, and enter the secret as defined on the appliance GUI/CLI Host 🡪 Chap secret dialogue
- In the Incoming CHAP Credentials section:
Name and Secret - use the name configured on the appliance Node 🡪 CHAP dialogue
- Perform this operation for both HA appliance nodes