System information
Table Of Contents
- Cover
- Preface
- Overview
- Configuring System Basics
- Configuring RADs and mSAN Connections
- Configuring iSAN Connections
- Configuring iSCSI Connections
- Monitoring SAN Router Operation and Connections
- Configuration, Firmware, and System Log Maintenance
- Troubleshooting
- Glossary
- Index
5
Configuring iSCSI Connections
5-25
Configuring iSCSI Authentication
Configuring iSCSI Authentication
SAN Routers support CHAP-based authentication of iSCSI initiators
in conjunction with an external RADIUS server.
Challenge Handshake Authentication Protocol (CHAP) provides a
type of authentication between an agent (typically a network server)
and the client program. Both share a predefined secret, which they
verify during an authentication login sequence.
The RADIUS protocol is used for access authentication and
accounting. The SAN Router supports a RADIUS client, which
connects to a configured RADIUS server to authenticate logins from
iSCSI initiators.
As part of the initial handshake between an initiator and the iSCSI
port in the SAN Router, an authentication protocol is negotiated
(either CHAP or none). If the protocol is CHAP, the SAN Router
sends some random data (the “challenge”) to the initiator. The
initiator returns the challenge, encoded with the initiator’s secret. The
SAN Router’s RADIUS client sends the encoded challenge to the
RADIUS server. The RADIUS server uses its copy of the initiator’s
secret to confirm that the challenge was properly encoded. The iSCSI
port sends an Accept or Reject to the iSCSI initiator based on the
authentication response from the RADIUS server.
You can configure up to two RADIUS servers per SAN Router to
authenticate iSCSI initiator logins. The primary RADIUS server is
contacted first and, if no response is received within a timeout
period, the secondary server is contacted.
The sample configuration in Figure 5-13 shows a SAN Router set up
to use an external RADIUS server to authenticate iSCSI initiators.