Challenge Handshake Authentication Protocol (CHAP) is a network login protocol that uses a challenge-response mechanism. You can use CHAP authentication to restrict iSCSI access to volumes and snapshots to hosts that supply the correct account name and password (or "secret") combination.
Using CHAP authentication can facilitate the management of access controls because it restricts access through account names and passwords, instead of IP addresses or iSCSI initiator names.
The iSCSI protocol supports two levels of CHAP authentication, initiator and target authentication, described as follows:
The target checks whether the supplied user name matches an entry in an access control record for the volume. See Managing Access Controls for Volumes and Snapshots for information on setting up access control records.
If a match exists, a check is performed to determine whether the user name and password combination matches an entry in a CHAP database. If the supplied user name and password match a CHAP database entry, the host can connect to the volume or snapshot.
You can implement a CHAP database in a group in the following ways:
On the group side, target authentication is always enabled, although you can modify the password and account name as needed. The iSCSI initiator settings determine whether target authentication is enforced. See Configuring Target Authentication for more information.
Initiator authentication can be implemented without target authentication. However, target authentication can be implemented only if initiator authentication is also implemented. When used together, initiator and target authentication provide mutual authentication; that is, both the initiator and the target authenticate each other.
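The following added example (not code from this product or its documentation) sketches the challenge-response exchange behind initiator and target authentication, using the MD5 CHAP computation from RFC 1994. The class and function names, the account names and the secrets are hypothetical, and an in-memory dictionary stands in for a CHAP database.

```python
import hashlib
import hmac
import os

def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 CHAP with MD5: MD5(identifier || secret || challenge)."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()

class ChapVerifier:
    """The authenticating side: issues a challenge, then checks the response."""
    def __init__(self, chap_db: dict):
        self.chap_db = chap_db                # account name -> secret (stand-in database)
        self.identifier = os.urandom(1)[0]    # one-byte CHAP identifier
        self.challenge = os.urandom(16)       # fresh random challenge for every login

    def verify(self, name: str, response: bytes) -> bool:
        secret = self.chap_db.get(name)
        if secret is None:
            return False                      # unknown account name
        expected = chap_response(self.identifier, secret, self.challenge)
        return hmac.compare_digest(expected, response)  # constant-time compare

def mutual_login(target_db, initiator_db, ini_name, ini_secret,
                 tgt_name, tgt_secret) -> str:
    """Initiator authentication first, then target authentication."""
    target = ChapVerifier(target_db)          # target challenges the host
    proof = chap_response(target.identifier, ini_secret, target.challenge)
    if not target.verify(ini_name, proof):
        return "initiator rejected"
    initiator = ChapVerifier(initiator_db)    # host challenges the target
    proof = chap_response(initiator.identifier, tgt_secret, initiator.challenge)
    if not initiator.verify(tgt_name, proof):
        return "target rejected"
    return "mutual authentication ok"

# Constructed sample data: the two directions use different secrets.
TARGET_DB = {"host-a": b"initiator-secret-1"}     # what the target knows
INITIATOR_DB = {"group-1": b"target-secret-2"}    # what the host knows

if __name__ == "__main__":
    print(mutual_login(TARGET_DB, INITIATOR_DB, "host-a", b"initiator-secret-1",
                       "group-1", b"target-secret-2"))
```

Only the account name and the 16-byte digest cross the connection, and because each login uses a fresh challenge, a digest captured from one login does not verify against the next.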