Configuring CHAP Users
Challenge-Handshake Authentication Protocol (CHAP) validates the identity of remote clients by periodically verifying the identity of the client using a three-way handshake. This validation happens at the time of establishing the initial link and might happen again at any time. CHAP bases verification on a user password and transmits an MD5 sum of the password from the client to the server.
CHAP can be one-way or mutual. In one-way CHAP, the target (server) authenticates the initiator (Core). In mutual CHAP, the target authenticates the initiator and additionally the initiator authenticates the target.
You can configure CHAP users and passwords in the CHAP Users page. You will be using these CHAP credentials for authentication when you log in to the storage array from the Core.
To configure one-way CHAP
1. Choose Configure > Storage Array: CHAP Users to display the CHAP Users page.
2. Add new CHAP users using the controls described in this table.
Control | Description |
Add a CHAP User | Displays controls for adding a new CHAP user to the running configuration. |
CHAP Username | Specify a descriptive CHAP username or the IQN of the Core. |
Password/Confirm Password | Specify the password for the new CHAP user that you configured on the backend. |
Add CHAP User | Adds the new CHAP user to the running configuration. |
3. To modify an existing CHAP user configuration, click the username in the User table to expand a set of additional controls.
New CHAP users are enabled by default.
4. To disable a CHAP user:
– Click the username to expand the set of additional controls.
– Clear the Enable check box.
– Click Update CHAP User.
5. To remove an existing CHAP user configuration, click the trash icon in the Remove column.
To configure mutual CHAP
To configure mutual CHAP, you will create two CHAP users: one on the storage array and one on Core.
1. Set up a target secret on the storage array.
For more information, refer to the documentation that came with your storage array.
2. On Core, choose Configure > Storage Array: CHAP Users to display the CHAP Users page.
3. Click Add a CHAP User and create the first CHAP username.
For example, if you are using a NetApp storage array, you could specify chap_netapp as the username.
This username represents the CHAP user that the Core uses while connecting to the storage array.
4. In the Password field, specify the secret you created on the storage array in Step 1.
The Core uses these credentials to connect to the storage array.
5. Choose Configure > Storage Array: iSCSI, Initiators, MPIO to display the iSCSI Configuration page.
6. Select Enable Mutual CHAP Authentication in the iSCSI Initiator Configuration panel.
7. Click Add new Mutual CHAP User and create a second CHAP username and password.
For example, you could specify chap_core as the username.
The Core requires any storage array to provide these credentials before it can be authenticated.
8. On the storage array, enter the credentials you created in Step 7.
The storage array uses these credentials when replying to the Core as part of the authentication process.