
iSCSI CHAP authentication

For additional security, iSCSI supports authentication using the Challenge Handshake Authentication Protocol (CHAP). There are two variations of iSCSI CHAP authentication: uni-directional and bi-directional, also referred to as mutual authentication.

Appliance (Target)

StorONE configuration

Uni-directional authentication

Configure the Host for CHAP authentication on the appliance GUI/CLI

Host 🡪 Chap Secret

Bi-directional (mutual) authentication

Bi-directional CHAP adds another level of authentication. Uni-directional authentication must be configured first before bi-directional authentication can be used.

To enable bi-directional (mutual) authentication, also add a CHAP secret to the appliance in the GUI/CLI:

    1. Nodes 🡪 CHAP

    2. Chap name, Chap Secret
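The following is an added example, not StorONE code, that simulates the two CHAP directions described above in one process to show what each configured secret actually proves. It assumes CHAP algorithm 5 (MD5, RFC 1994); the function names, dict keys and secrets are constructed for illustration, and the 12-byte minimum reflects the iSCSI RFCs' requirement for IPsec when a CHAP secret is shorter than 96 bits.

```python
import hashlib
import hmac
import os

MIN_SECRET_BYTES = 12  # iSCSI RFCs: under 96 bits, CHAP needs IPsec underneath


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """CHAP algorithm 5 (RFC 1994): MD5(identifier || secret || challenge)."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


def prove_and_verify(prover_secret: bytes, verifier_secret: bytes, identifier: int) -> bool:
    """Verifier issues a fresh challenge, prover answers, verifier recomputes and compares."""
    challenge = os.urandom(16)  # CHAP_C: random per login, never reused
    response = chap_response(identifier, prover_secret, challenge)  # CHAP_R from the prover
    expected = chap_response(identifier, verifier_secret, challenge)
    return hmac.compare_digest(response, expected)


def login(initiator: dict, target: dict, mutual: bool = False):
    """Return (target_accepts_initiator, initiator_accepts_target).

    Each side is a dict with 'host_secret' and, for mutual CHAP, 'node_secret'.
    The second element is None for uni-directional CHAP: the target is never verified.
    """
    for side in (initiator, target):
        for secret in side.values():
            if len(secret) < MIN_SECRET_BYTES:
                raise ValueError("CHAP secret shorter than 12 bytes")
    # Direction 1: the initiator proves it knows the Host secret to the target.
    target_ok = prove_and_verify(initiator["host_secret"], target["host_secret"], 1)
    if not mutual or not target_ok:
        return target_ok, None
    # Direction 2: the target proves it knows the Node secret to the initiator.
    initiator_ok = prove_and_verify(target["node_secret"], initiator["node_secret"], 2)
    return target_ok, initiator_ok


# Constructed sample secrets (not from the page); the two directions use different values.
HOST = b"host-secret-0001"
NODE = b"node-secret-0002"
initiator = {"host_secret": HOST, "node_secret": NODE}
appliance = {"host_secret": HOST, "node_secret": NODE}
mismatched_target = {"host_secret": HOST, "node_secret": b"wrong-node-secret"}

if __name__ == "__main__":
    print("uni-directional:", login(initiator, appliance))
    print("mutual, matching secrets:", login(initiator, appliance, mutual=True))
    print("mutual, node secret mismatch:", login(initiator, mismatched_target, mutual=True))
```

With uni-directional CHAP the mismatched node secret goes unnoticed because the initiator never checks the target; with mutual CHAP the same login is rejected on the initiator side.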

Windows initiator configuration

Uni-directional authentication

In the Windows iSCSI initiator properties dialog:

  1. Select the StorONE target and click Connect.

  2. In the Connect To Target dialog, select Advanced...

  3. Check the Enable CHAP log on box, and enter the host Chap-name (initiator IQN) and the target secret. The target secret should be the same secret you configured on the StorONE system in the GUI/CLI Host dialogue.

  4. If your StorONE system is a dual-node high availability (HA) system, repeat these steps for the other controller node target.

Bi-directional (mutual) authentication

In the Windows iSCSI Initiator Properties dialog:

  1. Open iSCSI initiator properties and choose CHAP.

  2. Configure the initiator CHAP secret using the same secret as configured on the appliance GUI/CLI Nodes 🡪 CHAP dialogue.

  3. Connect to the iSCSI target.

  4. Use the Advanced dialogue.

  5. Check Enable CHAP log on and enter the Host Chap-name (initiator IQN) and Chap-secret.

  6. Check the Perform mutual authentication box.

  7. Perform this operation for both HA appliance nodes.

ESXi initiator configuration using VMware vCenter

Uni-directional authentication

  1. Go to ESX-Host 🡪 Configure 🡪 Storage Adapters 🡪 iSCSI Software Adapter.

    • Use Dynamic Discovery 🡪 ADD

    • In the Add Send Target Server pop-up window, un-check the inherit authentication option.

  2. Enter the following in the detailed authentication pop-up window:

    • Choose the Authentication Method – Use unidirectional CHAP

    • Check the Use initiator name checkbox to auto-fill the ESXi host IQN, and enter the Secret you configured on the StorONE system in the GUI/CLI Host 🡪 Chap secret dialogue.

  3. Perform this operation for both HA appliance node targets.

Bi-directional (mutual) authentication

  1. Go to ESX-Host 🡪 Configure 🡪 Storage Adapters 🡪 iSCSI Software Adapter.

    • Use Dynamic Discovery 🡪 ADD

    • In the Add Send Target Server pop-up window, un-check the inherit authentication option.

  2. Enter the following in the detailed authentication pop-up window:

    • Choose the Authentication Method – Use bidirectional CHAP

    • Check the Use initiator name checkbox to auto-fill the ESXi host IQN, and enter the Secret you configured on the StorONE system in the GUI/CLI Host 🡪 Chap secret dialogue.

    • In the Incoming CHAP Credentials section, specify the Name and Secret you configured on the StorONE system in the Nodes 🡪 CHAP dialogue.

  3. Perform this operation for both HA appliance nodes.