Using CHAP to Control iSCSI Access to Volumes

Challenge Handshake Authentication Protocol (CHAP) is a network login protocol that uses a challenge-response mechanism. You can use CHAP authentication to restrict iSCSI access to volumes and snapshots to hosts that supply the correct account name and password (or "secret") combination.

Using CHAP authentication can simplify access-control management because it restricts access by account name and password instead of by IP address or iSCSI initiator name.

The iSCSI protocol supports two levels of CHAP authentication, initiator and target authentication, described as follows:

Initiator authentication can be implemented without target authentication. However, target authentication can be implemented only if initiator authentication is also implemented. When used together, initiator and target authentication provide mutual authentication; that is, both the initiator and the target authenticate each other.
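
The exchange described above, as an added example that is not part of the original page or of any product's code: an in-process simulation of initiator-only and mutual CHAP using the RFC 1994 MD5 response calculation. The account name, the secrets and the function names are constructed for illustration; the target's challenge to the initiator is always checked first, so target authentication is reached only after initiator authentication succeeds.

```python
import hashlib
import hmac
import os

def chap_response(ident: int, secret: bytes, challenge: bytes) -> bytes:
    # RFC 1994 with MD5: response = MD5(identifier || secret || challenge)
    return hashlib.md5(bytes([ident]) + secret + challenge).digest()

def new_challenge():
    # Fresh identifier (CHAP_I) and random challenge (CHAP_C) for every login
    return os.urandom(1)[0], os.urandom(16)

def chap_login(accounts, name, secret, target_secret=None, expected_target_secret=None):
    """Simulate one login in-process and return a status string.

    accounts: {account name: secret} accepted by the target
    target_secret: secret the target answers with (None = not configured)
    expected_target_secret: secret the initiator expects from the target
                            (None = target authentication not requested)
    """
    # 1. Target challenges the initiator.
    t_id, t_chal = new_challenge()
    # 2. Initiator answers with its name (CHAP_N) and response (CHAP_R);
    #    the secret itself is never transmitted.
    chap_r = chap_response(t_id, secret, t_chal)
    # 3. Target recomputes the response. Unknown names are checked against
    #    a random secret so the comparison still runs and still fails.
    known = accounts.get(name) or os.urandom(16)
    if not hmac.compare_digest(chap_response(t_id, known, t_chal), chap_r):
        return "initiator rejected"
    if expected_target_secret is None:
        return "ok: initiator authentication only"
    # 4. Mutual CHAP: the initiator challenges the target in turn.
    i_id, i_chal = new_challenge()
    if target_secret is None:
        return "target rejected"
    t_resp = chap_response(i_id, target_secret, i_chal)
    if not hmac.compare_digest(chap_response(i_id, expected_target_secret, i_chal), t_resp):
        return "target rejected"
    return "ok: mutual authentication"

if __name__ == "__main__":
    accounts = {"dbhost01": b"constructed-init-secret"}  # constructed sample values
    print(chap_login(accounts, "dbhost01", b"constructed-init-secret"))
    print(chap_login(accounts, "dbhost01", b"constructed-init-secret",
                     b"constructed-tgt-secret", b"constructed-tgt-secret"))
    print(chap_login(accounts, "dbhost01", b"wrong-secret-value"))
```

Because each login uses a fresh random challenge, a response captured from one login does not verify against the next.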