Authentication

Nareg Sinenian edited this page May 21, 2016 · 4 revisions

Authentication may be configured for the initiator alone or for both the target and the initiator. Currently, the only supported authentication method is CHAP (including mutual CHAP).

CHAP Authentication

Targets may need to authenticate initiators that connect to them. The initiator supports CHAP authentication for this purpose, which requires a CHAP name and secret that is shared with the target. The initiator's CHAP name can be specified as follows:

$ iscsictl modify initiator-config -CHAP-name <name>

Similarly, the CHAP shared secret can be specified using:

$ iscsictl modify initiator-config -CHAP-secret

A command-line password prompt will appear that requires the user to enter and verify the shared secret. Once the CHAP name and secret have been set, the CHAP authentication mode can be enabled using the following command:

$ iscsictl modify initiator-config -authentication CHAP

Similarly, the authentication can be disabled using the following command:

$ iscsictl modify initiator-config -authentication None

The authentication method in use by the initiator can be verified by showing the initiator configuration:

$ iscsictl list initiator-config

Note that the target may not make use of initiator authentication even if it is enabled on the initiator. Enabling it merely gives the target the option of authenticating the initiator if it so desires.

Mutual CHAP

Once CHAP is enabled for initiator authentication, mutual CHAP may be used so that the initiator can authenticate a given target. As in the case of simple CHAP authentication, the CHAP user can be specified for a particular target using the following command:

$ iscsictl modify target-config <target> -CHAP-name <name>

Similarly, the CHAP shared secret can be set using:

$ iscsictl modify target-config <target> -CHAP-secret

Once the user and secret have been set, mutual authentication can be enabled using:

$ iscsictl modify target-config <target> -authentication CHAP

Mutual CHAP will only be used if CHAP is also used for initiator authentication as described in the preceding section. The authentication method in use can be verified by showing the target configuration:

$ iscsictl list target-config <target>

Note that, unlike initiator authentication, mutual CHAP authentication implies that the initiator must authenticate the target. If the target refuses, the initiator will terminate the session.
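The following added example (not code from this project) simulates both directions of a mutual CHAP login to show how the two name/secret pairs configured above are used and where the initiator terminates the session. It assumes the standard CHAP response from RFC 1994, MD5(identifier || secret || challenge); all names and secrets are constructed sample values.

```python
import hashlib
import hmac
import os

def chap_response(ident: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 CHAP response: MD5(identifier || secret || challenge)."""
    return hashlib.md5(bytes([ident]) + secret + challenge).digest()

def verify(ident: int, secret: bytes, challenge: bytes, response: bytes) -> bool:
    """Recompute the expected response and compare in constant time."""
    return hmac.compare_digest(chap_response(ident, secret, challenge), response)

def mutual_chap_login(initiator: dict, target: dict) -> str:
    """Each dict is one side's view of the two name/secret pairs."""
    # 1. Target challenges the initiator (iSCSI keys CHAP_I, CHAP_C).
    t_id, t_chal = 1, os.urandom(16)
    # 2. Initiator answers (CHAP_N, CHAP_R) with the initiator-config
    #    pair and sends its own challenge to request mutual CHAP.
    i_resp = chap_response(t_id, initiator["init_secret"], t_chal)
    i_id, i_chal = 2, os.urandom(16)
    # 3. Target checks the initiator's name and response.
    if (initiator["init_name"] != target["init_name"]
            or not verify(t_id, target["init_secret"], t_chal, i_resp)):
        return "target rejected initiator"
    # 4. Target answers the initiator's challenge with its own pair.
    t_resp = chap_response(i_id, target["tgt_secret"], i_chal)
    # 5. Initiator checks the target against its target-config pair;
    #    on a mismatch it ends the session instead of proceeding.
    if (target["tgt_name"] != initiator["tgt_name"]
            or not verify(i_id, initiator["tgt_secret"], i_chal, t_resp)):
        return "initiator terminated session"
    return "session established"

# Constructed sample configuration, identical on both sides.
INITIATOR = {
    "init_name": "host-a", "init_secret": b"initiator-secret-0001",
    "tgt_name": "array-1", "tgt_secret": b"target-secret-000002",
}
TARGET = dict(INITIATOR)

if __name__ == "__main__":
    print(mutual_chap_login(INITIATOR, TARGET))
    # A target that does not hold the secret set with -CHAP-secret
    # on the initiator's target-config fails step 5.
    print(mutual_chap_login(INITIATOR, dict(TARGET, tgt_secret=b"wrong")))
```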