
Authenticating initiators through CHAP

CHAP is a network login protocol that uses a challenge-response mechanism. You can use CHAP to authenticate iSCSI initiators by specifying a CHAP user name in an access control record. To meet this condition, a computer must supply the user name and its password (or secret) in the iSCSI initiator configuration interface when logging in to the target.

Using CHAP for iSCSI authentication can help you manage access controls more efficiently because it restricts target access by using user names and passwords, instead of unique IP addresses or iSCSI initiator names.

Before you can use CHAP for initiator authentication, you must set up the CHAP accounts consisting of a user name and password (or secret). There are two options for accounts; you can use both options simultaneously in a group:

CHAP accounts in the group. Local CHAP accounts do not rely on any external system. You can create up to 100 local CHAP accounts. See Displaying local CHAP accounts.
CHAP accounts on an external RADIUS authentication server. Using a RADIUS server to manage CHAP accounts is beneficial if you are managing a large number of accounts. However, computer access to targets depends on the availability of the RADIUS server. See Using CHAP accounts on a RADIUS authentication server.

Note:  If you use CHAP for initiator authentication, you can also use target authentication for mutual authentication, which provides additional security. See Configuring target authentication.

Displaying local CHAP accounts

To display local CHAP accounts, click Group, then Group Configuration, and then the iSCSI tab.

Local CHAP Accounts Panel shows the data fields available in the Local CHAP Accounts panel.

Table: Local CHAP Accounts Panel

Column          | Description                                                | Shortcut | User Action
Local CHAP user | Name of the account.                                       | None     | Modifying a local CHAP account
Password        | Password for the account.                                  | None     | Modifying a local CHAP account
Status          | Indicates whether the account is enabled or disabled.      | None     | Modifying a local CHAP account
Account owner   | Administrative account that created the CHAP user account. | None     | Modifying a local CHAP account

To create a local CHAP account, see Creating a local CHAP account.

Creating a local CHAP account

To create a local CHAP account:

1. Click Group, then Group Configuration, and then the iSCSI tab. The Group Configuration – iSCSI window appears.
2. Optionally, in the iSCSI Authentication panel, select Consult locally defined CHAP accounts first. If selected, credentials that an iSCSI initiator supplies are checked against local CHAP accounts before external CHAP accounts on a RADIUS server.
3. In the Local CHAP Accounts panel, click Add.
4. In the Add CHAP Account dialog box:

Enter a CHAP user name and (optionally) a password. If you do not enter a password, the group automatically generates a password that is 16 ASCII characters in length.

Note:  For optimal security, passwords must contain at least 12 characters (preferably random). Individual iSCSI initiators have their own rules and restrictions for length and format. Consult your initiator documentation for details.

Select whether to enable the account. You must enable an account to use it for initiator authentication. You can later modify an account and enable or disable it.

Click OK.

5. In the Group iSCSI window, click Save all changes (Control+S).

After creating the CHAP account, you can create an access control record and use the CHAP user name in the record. See Configuring access control records.

If you want to enable target authentication (for mutual authentication), see Configuring target authentication.

Modifying a local CHAP account

1. Click Group, then Group Configuration, and then the iSCSI tab. The Group Configuration – iSCSI window appears.
2. Select the account name in the Local CHAP Accounts panel and click Modify.
3. Change the name or password or enable or disable the account, as needed.
4. Click OK.

Deleting a local CHAP account

1. Click Group, then Group Configuration, then the iSCSI tab. The Group Configuration – iSCSI window appears.
2. Select the account name in the Local CHAP Accounts panel.
3. Click Delete.

Using CHAP accounts on a RADIUS authentication server

To use a CHAP account on an external RADIUS authentication server for iSCSI initiator authentication:

1. Set up the RADIUS server and CHAP accounts. See the prerequisites in Using RADIUS authentication and accounting servers.

Recommendation:  The RADIUS server must be accessible to all the group members.

2. Click Group, then Group Configuration, and then the iSCSI tab. The Group Configuration – iSCSI window appears. See iSCSI Authentication Panel – RADIUS Authentication Fields.
3. In the iSCSI Authentication panel, select Enable RADIUS authentication for iSCSI initiators.
4. Optionally, select Consult locally defined CHAP accounts first.
5. If you have not already configured the group to use a RADIUS server, click RADIUS settings and add at least one RADIUS server. See the procedure in Using RADIUS authentication and accounting servers for adding RADIUS servers.
6. Click Save all changes.

After creating the CHAP account, create an access control record for a volume and specify the CHAP user name in the record. See Configuring access control records.

Table: iSCSI Authentication Panel – RADIUS Authentication Fields

Field                                             | Description                                                                                        | Shortcut | User Action
Enable RADIUS authentication for iSCSI initiators | Enables RADIUS authentication for iSCSI initiators.                                                | Alt+E    | None
Consult locally defined CHAP accounts first       | Consults locally defined CHAP accounts before using RADIUS authentication.                         | Alt+C    | Creating a local CHAP account
RADIUS settings                                   | Launches the RADIUS settings dialog, which specifies RADIUS authentication and accounting servers. | Alt+D    | Modifying RADIUS server settings

If you want to enable target authentication (for mutual authentication), see Configuring target authentication.

Configuring target authentication

If you configure initiator authentication through a local CHAP account or a CHAP account on a RADIUS authentication server, you can also allow the iSCSI initiator to authenticate iSCSI targets in a PS Series group. The combination of initiator and target authentication is called mutual authentication and provides additional security.

With target authentication, when the initiator tries to connect to a target, the target supplies a user name and password to the initiator. The initiator compares the user name and password to mutual authentication credentials that you configure in the initiator configuration interface. The iSCSI connection succeeds only if the information matches.

A group automatically enables target authentication using a default user name and password, which you can change. Whether the initiator requires target authentication depends on the initiator configuration settings.
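The challenge-response exchange described at the top of this topic and the mutual-authentication leg described just above, as an added example in Python (not code from the PS Series group or its documentation). The account table, the target-authentication credentials and the CHAP identifiers are constructed for illustration; the digest is the standard RFC 1994 MD5 form that iSCSI CHAP uses.

```python
import hashlib
import os
import secrets
import string

# Constructed local CHAP account table, modelled on the Local CHAP Accounts panel:
# user name -> (secret, enabled). All values are made up for this example.
LOCAL_CHAP_ACCOUNTS = {
    "backup-host": ("9qLm#2vXr8TbZe4k", True),
    "old-host": ("retired-secret-123", False),  # disabled: must never log in
}
# The group's target-authentication credentials (constructed, not real defaults).
TARGET_AUTH = ("ps-group-target", "Vt7!pRq2mLx9Wd3h")

def chap_response(chap_id: int, secret: str, challenge: bytes) -> bytes:
    """RFC 1994 CHAP with MD5 (iSCSI CHAP_A=5): MD5(ID || secret || challenge).
    Only this digest crosses the wire; the secret itself is never sent."""
    return hashlib.md5(bytes([chap_id & 0xFF]) + secret.encode() + challenge).digest()

def generate_secret(length: int = 16) -> str:
    """Like the group's auto-generated secret: random printable ASCII characters."""
    return "".join(secrets.choice(string.ascii_letters + string.digits) for _ in range(length))

def secret_meets_policy(secret: str) -> bool:
    """Page's recommendation: at least 12 ASCII characters (random is better)."""
    return len(secret) >= 12 and secret.isascii()

def target_verifies_initiator(user: str, chap_id: int, challenge: bytes, response: bytes) -> bool:
    """Target side: unknown or disabled accounts fail; compare in constant time."""
    entry = LOCAL_CHAP_ACCOUNTS.get(user)
    if entry is None or not entry[1]:
        return False
    return secrets.compare_digest(chap_response(chap_id, entry[0], challenge), response)

def mutual_login(user: str, initiator_secret: str, expected_target: tuple) -> bool:
    """Both legs of a mutual-authentication login; True only if both succeed."""
    # Leg 1: target sends CHAP_I/CHAP_C; initiator answers with CHAP_N/CHAP_R.
    t_id, t_challenge = 1, os.urandom(16)
    i_resp = chap_response(t_id, initiator_secret, t_challenge)
    if not target_verifies_initiator(user, t_id, t_challenge, i_resp):
        return False
    # Leg 2: initiator challenges the target, which answers with its target-auth secret.
    i_id, i_challenge = 2, os.urandom(16)
    t_name, t_resp = TARGET_AUTH[0], chap_response(i_id, TARGET_AUTH[1], i_challenge)
    exp_name, exp_secret = expected_target
    return t_name == exp_name and secrets.compare_digest(
        chap_response(i_id, exp_secret, i_challenge), t_resp)
```

Because the MD5 digest can be checked offline by anyone who captured the challenge and response, a short or guessable secret is the weak point; that is why the 12-character, preferably random, recommendation matters.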

To display the current target authentication user name and password, click Group, then Group Configuration, and then the iSCSI tab. The Group Configuration – iSCSI window appears.

iSCSI Authentication Panel – Target Authentication Fields shows the data fields available in the iSCSI Authentication panel. You can modify the information if required.

Table: iSCSI Authentication Panel – Target Authentication Fields

Field     | Description                                                                                           | Shortcut | User Action
User name | Sets the user name for iSCSI target authentication.                                                   | Alt+M    | None
Password  | Sets the password for iSCSI target authentication. Passwords must include at least 12 ASCII characters. | Alt+M    | None

To change the target authentication user name or password:

1. Click Modify and change the user name or password.
2. Enter the target authentication user name and password from the previous step in the iSCSI initiator configuration interface, where you enable mutual authentication.

Copyright 2010 Dell Inc.