HP-UX iSCSI Software Initiator Support Guide: HP-UX 11i v1 & 11i v2, Chapter 4 Configuration: Challenge-Handshake Authentication Protocol (CHAP) Configuration
|
Challenge-Handshake Authentication Protocol (CHAP) is an authentication protocol that defines a methodology for authenticating initiators and targets. If you do not intend to use CHAP for authentication, this aspect of the iSCSI Software Initiator configuration is not necessary and can be ignored.

The iSCSI Software Initiator has visible system administration interactions with CHAP. The iSCSI Software Initiator running on HP-UX can optionally use CHAP for authentication. The user is expected to understand the CHAP authentication method prior to its use. CHAP software is not part of the iSCSI Software Initiator. The configuration of a RADIUS server, and CHAP configuration on an iSCSI Target, are beyond the scope of this document. However, the following documentation will help you to understand the CHAP protocol and the RADIUS server installation.

Table 4-1 CHAP and RADIUS Server Documentation
Configure the AuthMethod key with "CHAP,None" as the value for all Targets:

# iscsiutil -t authmethod CHAP None

During the next login negotiation, the iSCSI Software Initiator proposes "CHAP,None" (in its order of preference) to the iSCSI target for the AuthMethod login key. The target MUST respond with the first value that it supports. The target is expected to respond to the initiator with "CHAP" for the AuthMethod login key (provided CHAP is configured properly on the target). If the target responds with "CHAP", CHAP will be chosen as the authentication method. If the target responds with "None", authentication will not be performed.
Two authentication options are available if CHAP is chosen as the authentication method:
The initiator authentication method and related attributes are configured using iscsiutil and stored persistently across reboots. The following examples illustrate configuration of CHAP once it has been selected as the authentication method that will be used.

(1) Configure for the Uni-directional authentication method:

# iscsiutil -u -H <chap-authentication-type> [-T <target-name>] [-I <ip-address>] [-P <tcp-port>] [-M <portal-grp-tag>]

To configure Uni-directional authentication on a global basis:
To configure Uni-directional authentication for a particular Discovery Target Address:
To configure Uni-directional authentication for a particular Operational Target:
To configure Uni-directional authentication for a particular Operational Target Address:
(2) Configure the CHAP initiator username:

# iscsiutil -u -N <chap-initiator-name> [-T <target-name>] [-I <ip-address>] [-P <tcp-port>] [-M <portal-grp-tag>]

If the CHAP initiator name is not configured, the iSCSI initiator name will be used instead. To configure the CHAP initiator name on a global basis:
To configure the CHAP initiator username for a specific Discovery Target Address:
To configure the CHAP initiator username for a specific Operational Target:
To configure the CHAP initiator username for a specific Operational Target Address:
(3) Configure the initiator CHAP secret:
The secret can be entered in two forms, ASCII and hexadecimal. Note that in the hexadecimal form, the number of hex digits must be even. To configure the CHAP secret on a global basis:
or
To configure the CHAP secret for a specific Discovery Target Address:
To configure the CHAP secret for a particular Operational Target:
To configure the CHAP secret for a particular Operational Target Address:
(4) Verification of the configured parameters:

To display authentication parameters common to all targets:
To display authentication parameters for all Discovery Targets:
To display authentication parameters for all Operational Targets:
To display authentication parameters for all Sessions:
To display authentication parameters for a particular Operational Target identified by its Target Name:
Among the various authentication parameters displayed by the verification commands described above, the parameters of interest for the "Uni-directional" CHAP method are:
(1) Configure the CHAP username and secret the same way as for the Uni-directional authentication method.

(2) Configure the NAS and RADIUS server parameters:

# iscsiutil -u -R <nas-hostname> <nas-secret> <radius-server-hostname>

where:

<nas-hostname> is the IP address or hostname of the Network Access Server (NAS). The NAS operates as a client of a RADIUS server (this is the host that runs the iradd daemon). This IP address or hostname is embedded in the "Access Request" messages. The IP address may be different from the source IP address of the UDP packets sent by iradd.

<nas-secret> is the secret for the iradd daemon. This secret must be configured as the NAS secret of iradd on the RADIUS server. It is used by iradd to authenticate the RADIUS server.

<radius-server-hostname> is the IP address or hostname of the RADIUS server.

(3) Configure for the Bi-directional authentication method as follows:

# iscsiutil -u -H <chap-authentication-type> [-T <target-name>] [-I <ip-address>] [-P <tcp-port>] [-M <portal-grp-tag>]

To configure Bi-directional authentication on a global basis:
To configure Bi-directional authentication for a particular Discovery Target Address:
To configure Bi-directional authentication for a particular Operational Target:
To configure Bi-directional authentication for a particular Operational Target Address:
(4) Verification of the configured parameters:
To display authentication parameters common to all targets:
To display authentication parameters for all Discovery Targets:
To display authentication parameters for all Operational Targets:
To display authentication parameters for all Sessions:
To display authentication parameters for a particular Operational Target identified by its Target Name:
Among the various authentication parameters displayed by the verification commands described above, the parameters of interest for the "Bi-directional" CHAP method are:
To start the iradd daemon:

# iradd

Once the iradd daemon has been started, it will be restarted automatically each time the system reboots.
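The following added example (not code from the HP-UX initiator or this guide) walks through the login steps the AuthMethod, Uni-directional and Bi-directional sections above describe: the initiator proposes "CHAP,None", the target picks the first value it supports, and if CHAP is chosen the target challenges the initiator, with the initiator challenging the target back in the Bi-directional case. The response computation is the one iSCSI specifies (MD5 over identifier, secret and challenge); the names, secrets and the "0x" prefix for the hexadecimal secret form are assumptions, and the initiator-side check of the target's response, which this chapter delegates to iradd and a RADIUS server, is done locally here against a known target secret.

```python
import hashlib
import hmac
import os

# Constructed illustration (not the HP-UX initiator's code) of the login steps
# this chapter describes: AuthMethod negotiation, then the CHAP exchange as iSCSI
# uses it (RFC 3720 / RFC 1994): CHAP_R = MD5(CHAP_I || secret || CHAP_C).
# Names, secrets and the "0x" hex prefix are assumptions; in this chapter the
# initiator-side check of the target's response goes through iradd and a RADIUS
# server, whereas here it is done locally with a known target secret.

def negotiate_authmethod(proposed, target_supported):
    """First value in the initiator's preference list that the target supports."""
    for method in proposed.split(","):
        if method in target_supported:
            return method
    return None  # no common AuthMethod: the login fails

def parse_secret(secret):
    """ASCII secret as-is; hexadecimal form must have an even number of digits."""
    if secret[:2].lower() == "0x":
        digits = secret[2:]
        if len(digits) % 2:
            raise ValueError("hexadecimal CHAP secret needs an even number of hex digits")
        return bytes.fromhex(digits)
    return secret.encode("ascii")

def chap_response(chap_id, secret, challenge):
    """CHAP_R for one identifier/challenge pair under the given secret."""
    return hashlib.md5(bytes([chap_id]) + parse_secret(secret) + challenge).digest()

def chap_login(initiator, target, bidirectional):
    """Simulate one login; returns (authenticated_ok, chosen_method)."""
    method = negotiate_authmethod("CHAP,None", target["authmethods"])
    if method != "CHAP":
        return (method == "None", method)  # "None": no authentication performed
    # Uni-directional: target challenges, initiator answers under its CHAP name.
    chap_id, chal = 0x2A, os.urandom(16)
    name = initiator.get("chap_name") or initiator["iscsi_name"]  # default name
    resp = chap_response(chap_id, initiator["secret"], chal)
    expected = chap_response(chap_id, target["initiator_secrets"].get(name, ""), chal)
    ok = hmac.compare_digest(resp, expected)
    if ok and bidirectional:
        # Bi-directional: initiator now challenges the target with the target's secret.
        t_id, t_chal = 0x07, os.urandom(16)
        t_resp = chap_response(t_id, target["target_secret"], t_chal)
        ok = hmac.compare_digest(t_resp, chap_response(t_id, initiator["target_secret"], t_chal))
    return (ok, method)
```

A target that only offers "None" yields an unauthenticated session rather than a failure, which is why the chapter says authentication is simply not performed in that case; a target offering neither value makes the login fail outright.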