Challenge-Handshake Authentication Protocol (CHAP) is an authentication
protocol that defines a methodology for authenticating initiators
and targets. If you do not intend to use CHAP for authentication, this
aspect of the iSCSI Software Initiator configuration is not necessary
and can be ignored.
The iSCSI Software Initiator has visible system administration
interactions with the Challenge-Handshake Authentication Protocol
(CHAP). The iSCSI Software Initiator running on HP-UX can use CHAP
optionally, for authentication. The user is expected to understand
the CHAP authentication method prior to its use. CHAP software
is not part of the iSCSI Software Initiator.
The configuration of a RADIUS server and the CHAP configuration
on an iSCSI Target are beyond the scope of this document. However,
the following documentation will help you to understand the CHAP
protocol and the RADIUS server installation.
Table 4-1 CHAP and RADIUS Server Documentation

Description | URL
---|---
CHAP information (RFC 1994) | http://www.ietf.org/rfc/rfc1994.txt
RADIUS server documentation information (RFC 2865) | http://www.ietf.org/rfc/rfc2865.txt
RADIUS server installation information | http://www.software.hp.com - click on “security and manageability”, then click on “HP-UX aaa server”

NOTE: CHAP is currently the only authentication method supported
by the iSCSI Software Initiator.
Configure the AuthMethod key with "CHAP,None" as the value for all Targets:
# iscsiutil -t authmethod CHAP None
During the next login negotiation, the iSCSI Software Initiator
proposes "CHAP,None" (in its order of preference) to the iSCSI target for
the AuthMethod login key.
The target MUST respond with the first value that it supports.
The target is expected to respond to the initiator with "CHAP" for the AuthMethod login key (provided CHAP is configured properly
on the target). If the target responds with "CHAP", CHAP will be chosen as the authentication method.
If the target responds with "None", authentication will not be performed.
NOTE: Currently, AuthMethod is one of the three iSCSI login keys that may
be configured by the user on a per target basis. The default value
for AuthMethod is “None”. If you want to configure AuthMethod on a per target basis, see “Authentication
Method Configuration Examples”.
Two authentication options are available if CHAP is chosen
as the authentication method:
Uni-directional CHAP method:
The target uses CHAP to authenticate the initiator.
The initiator does not authenticate the target.
The Uni-directional CHAP method does not require the use of
the iradd daemon (iSCSI CHAP daemon). It also does not require
configuration of a RADIUS server on the host (initiator) side.
The default CHAP method is Uni-directional.
Bi-directional CHAP method:
The target uses CHAP to authenticate the initiator.
The initiator uses CHAP to authenticate the target.
The Bi-directional CHAP method requires the use of the iradd daemon (iSCSI CHAP daemon), as well as the configuration
of a RADIUS server on the host (initiator) side.
The initiator authentication method and related attributes
are configured using iscsiutil and stored persistently across reboots.
Configuring CHAP Authentication Uni-directional
The following examples illustrate configuration of CHAP once
it has been selected as the authentication method that will be used.
(1) Configure for the Uni-directional authentication method:
# iscsiutil -u -H <chap-authentication-type> [-T <target-name>] [-I <ip-address>] [-P <tcp-port>] [-M <portal-grp-tag>]
To configure Uni-directional authentication on a global basis:
# iscsiutil -u -H CHAP_UNI
To configure Uni-directional authentication for a particular
Discovery Target Address:
# iscsiutil -u -H CHAP_UNI -I 192.1.1.10 -M 3
To configure Uni-directional authentication for a particular
Operational Target:
# iscsiutil -u -H CHAP_UNI -T iqn.2003-11.com.hp.stor:iSCSI
To configure Uni-directional authentication for a particular
Operational Target Address:
# iscsiutil -u -H CHAP_UNI -T iqn.2003-11.com.hp.stor:iSCSI -I 192.1.1.1 -P 5000 -M 1
(2) Configure the CHAP initiator username:
# iscsiutil -u -N <chap-initiator-name> [-T <target-name>] [-I <ip-address>] [-P <tcp-port>] [-M <portal-grp-tag>]
If the CHAP initiator name is not configured, the iSCSI initiator
name will be used instead.
To configure the CHAP initiator name on a global basis:
# iscsiutil -u -N mychapusername
To configure the CHAP initiator username for a specific Discovery
Target Address:
# iscsiutil -u -N mychapusername -I 192.1.1.25 -M 2
To configure the CHAP initiator username for a specific Operational
Target:
# iscsiutil -u -N mychapusername -T iqn.2003-11.com.hp.stor:iSCSI
To configure the CHAP initiator username for a specific Operational
Target Address:
# iscsiutil -u -N mychapusername -T iqn.2003-11.com.hp.stor:iSCSI -I 192.1.1.1 -P 5000 -M 1
(3) Configure the initiator CHAP secret:
# iscsiutil -u -W <chap-initiator-secret> [-T <target-name>] [-I <ip-address>] [-P <tcp-port>] [-M <portal-grp-tag>]
The secret can be entered in two forms, ASCII and hexadecimal. Note that in
the hexadecimal form, the number of hex digits must be even.
To configure the CHAP secret on a global basis:
# iscsiutil -u -W mychapsecret
or
# iscsiutil -u -W 0xed345ba678dfffe54e35666fa2c3c3
To configure the CHAP secret for a specific Discovery Target
Address:
# iscsiutil -u -W mychapsecret -I 192.1.1.34 -M 1
To configure the CHAP secret for a particular Operational
Target:
# iscsiutil -u -W mychapsecret -T iqn.2003-11.com.hp.stor:iSCSI
To configure the CHAP secret for a particular Operational Target Address:
# iscsiutil -u -W mychapsecret -T iqn.2003-11.com.hp.stor:iSCSI -I 192.1.1.1 -P 5000 -M 1
(4) Verification of the configured parameters:
To display authentication parameters common to all targets:
To display authentication parameters for all Discovery Targets:
To display authentication parameters for all Operational Targets:
To display authentication parameters for all Sessions:
To display authentication parameters for a particular Operational
Target identified by its Target Name:
# iscsiutil -p -T <target-name>

NOTE: If authentication parameters are configured on a per
target basis, the parameters displayed by "iscsiutil -l" are overridden by the parameters displayed by
the other display commands.
Among the various authentication parameters displayed by the
verification commands described above, the parameters of interest
for the "Uni-directional" CHAP method are:

NOTE: CHAP Method is only valid if Authentication Method is set. The values displayed by the verification
commands for the Authentication Method parameters are the values proposed by the iSCSI
Software Initiator to the iSCSI target, in order of preference.
The target MUST respond with the first value that it supports.
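As an added example (not HP-UX or iscsiutil code), the following Python simulates the AuthMethod negotiation that follows the "CHAP,None" proposal, and the CHAP legs of the Uni-directional and Bi-directional methods described above, accepting secrets in the ASCII and hexadecimal forms allowed in step (3). The secrets, names and challenges are constructed, and the two simulated sides stand in for what the initiator, the target and (for the Bi-directional leg) iradd with its RADIUS server do on the wire.

```python
import hashlib
import os

def negotiate_authmethod(proposed: str, target_supports: set) -> str:
    """Target side of the AuthMethod login key: answer with the first value in the
    initiator's preference list that it supports, or Reject if there is none."""
    return next((m for m in proposed.split(",") if m in target_supports), "Reject")

def parse_secret(secret: str) -> bytes:
    """A secret in either accepted form: ASCII, or 0x-prefixed hex with an even digit count."""
    if secret[:2].lower() == "0x":
        digits = secret[2:]
        if not digits or len(digits) % 2:
            raise ValueError("hex secret needs a non-zero, even number of hex digits")
        return bytes.fromhex(digits)
    return secret.encode("ascii")

def chap_response(chap_id: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 response with MD5 (iSCSI CHAP_A=5): MD5(identifier || secret || challenge)."""
    return hashlib.md5(bytes([chap_id & 0xFF]) + secret + challenge).digest()

def iscsi_hex(value: bytes) -> str:
    """CHAP_C and CHAP_R travel in iSCSI login keys as 0x-prefixed hex strings."""
    return "0x" + value.hex()

def chap_leg(prover_secret: str, verifier_secret: str, chap_id: int) -> bool:
    """One direction of CHAP: the verifier sends CHAP_I/CHAP_C, the prover answers with
    CHAP_N/CHAP_R, and the verifier recomputes the digest from its own copy of the
    secret. The challenge is drawn here on the verifier's side (constructed, os.urandom)."""
    challenge = os.urandom(16)
    chap_r = iscsi_hex(chap_response(chap_id, parse_secret(prover_secret), challenge))
    expected = iscsi_hex(chap_response(chap_id, parse_secret(verifier_secret), challenge))
    return chap_r == expected

def chap_login(method: str, init_secret: str, target_copy_of_init_secret: str,
               target_secret: str = "", init_copy_of_target_secret: str = "") -> dict:
    """method is CHAP_UNI or CHAP_BI (the -H values used with iscsiutil above).
    Returns which side was authenticated; None means that leg was not performed."""
    if method not in ("CHAP_UNI", "CHAP_BI"):
        raise ValueError("unknown CHAP method: " + method)
    # Leg 1, both methods: the target authenticates the initiator.
    result = {"initiator_authenticated": chap_leg(init_secret, target_copy_of_init_secret, 1),
              "target_authenticated": None}
    if method == "CHAP_BI":
        # Leg 2, Bi-directional only: the initiator challenges the target in turn; on
        # HP-UX this leg is why iradd and a host-side RADIUS server are required.
        result["target_authenticated"] = chap_leg(target_secret, init_copy_of_target_secret, 2)
    return result
```

Note that a target which supports only None answers the "CHAP,None" proposal with None and no authentication takes place, which is the case the text above describes; the check is visible in negotiate_authmethod.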
Configuring CHAP Authentication Bi-directional
(1) Configure the CHAP username and secret the same way as for the Uni-directional authentication method.
(2) Configure the NAS and RADIUS server parameters.
# iscsiutil -u -R <nas-hostname> <nas-secret> <radius-server-hostname>
where:
<nas-hostname> is the IP address or hostname of the Network Access Server (NAS). NAS operates as a client of a RADIUS
server (this is the host that runs the iradd daemon). This IP address or hostname is embedded in the
"Access Request" messages. The IP address may be different from
the source IP address of the UDP packets sent by iradd.
<nas-secret> is the secret for the iradd daemon. This secret must be configured as the NAS secret
of iradd on the RADIUS server. It is used by iradd to authenticate the RADIUS server.
<radius-server-hostname> is the IP address or hostname of the RADIUS
server.
(3) Configure for the Bi-directional authentication method as follows:
# iscsiutil -u -H <chap-authentication-type> [-T <target-name>] [-I <ip-address>] [-P <tcp-port>] [-M <portal-grp-tag>]
To configure Bi-directional authentication on a global basis:
# iscsiutil -u -H CHAP_BI
To configure Bi-directional authentication for a particular
Discovery Target Address:
# iscsiutil -u -H CHAP_BI -I 192.1.1.10 -M 3
To configure Bi-directional authentication for a particular
Operational Target:
# iscsiutil -u -H CHAP_BI -T iqn.2003-11.com.hp.stor:iSCSI
To configure Bi-directional authentication for a particular
Operational Target Address:
# iscsiutil -u -H CHAP_BI -T iqn.2003-11.com.hp.stor:iSCSI -I 192.1.1.1 -P 5000 -M 1
(4) Verification of the configured parameters:

NOTE: CHAP Method is only valid if Authentication Method is set. The values displayed by the verification
commands for the Authentication Method parameters are the values proposed by the iSCSI
Software Initiator to the iSCSI target, in order of preference.
The target MUST respond with the first value that it supports.
To display authentication parameters common to all targets:
To display authentication parameters for all Discovery Targets:
To display authentication parameters for all Operational Targets:
To display authentication parameters for all Sessions:
To display authentication parameters for a particular Operational
Target identified by its Target Name:
# iscsiutil -p -T <target-name>

NOTE: If authentication parameters are configured on a per
target basis, the parameters displayed by "iscsiutil -l" are overridden by the parameters displayed by
the other display commands.
Among the various authentication parameters displayed by the
verification commands described above, the parameters of interest
for the "Bi-directional" CHAP method are: