Hardware manual

Group Administration iSCSI target security
8–2
Authenticating initiators through CHAP
CHAP is a network login protocol that uses a challenge-response mechanism. You can use CHAP to authenticate
iSCSI initiators by specifying a CHAP user name in an access control record. To meet this condition, a computer
must supply the user name and its password (or “secret”) in the iSCSI initiator configuration interface when
logging in to the target.
Using CHAP for iSCSI authentication can help you manage access controls more efficiently because it restricts
target access by using user names and passwords, instead of unique IP addresses or iSCSI initiator names.
Before you can use CHAP for initiator authentication, you must set up the CHAP accounts consisting of a user
name and password (or “secret”). There are two options for accounts; you can use both options simultaneously in a
group:
• CHAP accounts in the group. Local CHAP accounts do not rely on any external system. You can create up to
  100 local CHAP accounts. See Displaying local CHAP accounts on page 8-2.
• CHAP accounts on an external RADIUS authentication server. Using a RADIUS server to manage CHAP
  accounts is beneficial if you are managing a large number of accounts. However, computer access to targets
  depends on the availability of the RADIUS server. See Using CHAP accounts on a RADIUS authentication
  server on page 8-3.
Note: If you use CHAP for initiator authentication, you can also use target authentication for mutual
authentication, which provides additional security. See Configuring target authentication.
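The challenge-response exchange described above can be sketched as follows. This is an added example, not code from this manual or from the product; it assumes the standard CHAP MD5 algorithm (RFC 1994, carried in iSCSI as the CHAP_I, CHAP_C, CHAP_N and CHAP_R login keys), and the account name, secrets and function names are constructed for illustration.

```python
import hashlib
import hmac
import secrets

# Constructed sample table standing in for local CHAP accounts;
# the user name and secret are made up for this example.
LOCAL_ACCOUNTS = {"dbhost01": b"s3cr3t-Example16"}  # 16 ASCII characters


def new_challenge() -> tuple[int, bytes]:
    """Target side: pick a one-byte identifier (CHAP_I) and a random challenge (CHAP_C)."""
    return secrets.randbelow(256), secrets.token_bytes(16)


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 response for algorithm 5: MD5(identifier || secret || challenge)."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


def verify_initiator(name: str, identifier: int, challenge: bytes,
                     response: bytes, accounts=LOCAL_ACCOUNTS) -> bool:
    """Target side: recompute the response from the stored secret and compare."""
    secret = accounts.get(name)
    if secret is None:
        return False  # no such CHAP user name
    expected = chap_response(identifier, secret, challenge)
    return hmac.compare_digest(expected, response)  # constant-time comparison


def demo() -> dict:
    ident, chal = new_challenge()
    good = chap_response(ident, b"s3cr3t-Example16", chal)  # initiator holds the right secret
    bad = chap_response(ident, b"wrong-secret-000", chal)   # initiator holds a wrong secret
    ident2, chal2 = new_challenge()
    return {
        "correct_secret": verify_initiator("dbhost01", ident, chal, good),
        "wrong_secret": verify_initiator("dbhost01", ident, chal, bad),
        "unknown_user": verify_initiator("nobody", ident, chal, good),
        # A response from an earlier login does not verify against a fresh challenge.
        "stale_response": verify_initiator("dbhost01", ident2, chal2, good),
    }


if __name__ == "__main__":
    for case, accepted in demo().items():
        print(f"{case}: {'accepted' if accepted else 'rejected'}")
```

The secret itself never crosses the network; only the user name, the challenge and the 16-byte digest do, which is why both sides must be configured with the same secret beforehand.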
Displaying local CHAP accounts
To display local CHAP accounts, click Group, then Group Configuration, and then the iSCSI tab.
The Local CHAP accounts panel provides information about the account credentials, account status, and the related
administration account. See the online help for information about the data fields and options.
Creating a local CHAP account
To create a local CHAP account:
1. Click Group, then Group Configuration, and then the iSCSI tab. The Group Configuration – iSCSI
   window appears.
2. Optionally, in the iSCSI Authentication panel, select Consult locally defined CHAP accounts first.
   If selected, credentials that an iSCSI initiator supplies are checked against local CHAP accounts before
   external CHAP accounts on a RADIUS server.
3. In the Local CHAP Accounts panel, click Add.
4. In the Add CHAP Account dialog box:
   • Enter a CHAP user name and (optionally) a password. If you do not enter a password, the group
     automatically generates a password that is 16 ASCII characters in length.