Authentication for Windows hosts
The system supports both unidirectional (one-way) and bidirectional (two-way) Challenge Handshake Authentication Protocol (CHAP) methods for Microsoft Windows host attachments.
Discovery sessions or normal sessions use unidirectional (one-way) CHAP authentication where the system authenticates the host iSCSI initiator. In a bidirectional (two-way) CHAP authentication, the system and the initiator authenticate each other.
Setting up authentication for discovery sessions for Windows hosts
You can set up authentication for discovery sessions for Microsoft Windows hosts at the same time that you are connecting to the system volumes. The CHAP authentication information is on the same Advanced Settings panel.
- From the Control Panel, select the iSCSI Initiator option.
- From the iSCSI Initiator Properties panel, click the Discovery tab.
- After you click the Discovery tab, click Add under the Target Portals section to see the Add Target Portal dialog box.
  Note: For Windows Server 2012, select Discover Portal and then enter the IP address under IP address or DNS name.
- Click Advanced... to see the Advanced Settings panel.
- Select CHAP logon information.
  Note: For Windows Server 2012, select Enable CHAP logon.
- Type in a value for the User name. The user name must be the same value that you set with the chhost CLI command (hostusername field) for this host.
- Type in a value for the Target secret. The target secret must be a value of 12 characters and is the same value that you set with the chhost command on the system for this host. Click OK.
- Select .
- Right-click the host to configure CHAP authentication and select Properties.
- On the Properties page, ensure that Show Details is selected and click Edit.
- In the iSCSI CHAP secret field, enter the CHAP secret that you use for the host.
- In the iSCSI user name field, enter the host user name that you use for the host. Click Save.
Setting up authentication for normal sessions for Windows hosts
You can set up authentication for normal sessions for Microsoft Windows hosts at the same time that you are connecting to a target or volume. The CHAP authentication information is on the same Advanced Settings panel.
- From the Control Panel, select the iSCSI Initiator option.
- From the iSCSI Initiator Properties panel, click the Discovery tab.
- After you click the Targets tab, click Log On... under the Targets section to see the Log On to Target panel.
  Note: For Windows Server 2012, highlight your target, select Connect, and then select Advanced from the pop-up screen.
- Click Advanced... to see the Advanced Settings panel.
- Select CHAP logon information.
  Note: For Windows Server 2012, select Enable CHAP logon.
- Type in a value for the User name. The user name must be the same value that you set with the chhost CLI command (hostusername field) for this host.
- Type in a value for the Target secret. The target secret must be a value of 12 characters and is the same value that you set with the chhost command on the system for this host. Click OK.
For tasks in the management GUI, refer to the Setting up authentication for discovery sessions for Windows hosts section.
Setting up bidirectional (two-way) authentication for Windows hosts
You can set up bidirectional (two-way) authentication for Microsoft Windows hosts.
Verify that you have a working unidirectional (one-way) authentication and that you configured a system iSCSI Challenge Handshake Authentication Protocol (CHAP) secret on the system.
- From the Control Panel, select the iSCSI Initiator option.
- From the iSCSI Initiator Properties panel, click the General tab.
  Note: For Windows Server 2012, select Configuration.
- Click Secret to see an iSCSI Initiator panel from which you can type your CHAP secret. Enter the system CHAP secret.
  Note: For Windows Server 2012, click CHAP... and then enter the system CHAP secret.
  Click OK.
  Notes:
  - This setting applies to both the discovery session and normal session.
  - The CHAP secrets for the system and the host initiator cannot be the same.
- To set up the bidirectional (two-way) authentication, repeat the previous steps, but in this instance, select Perform mutual authentication from the Advanced Settings panel.
- The initiator user name value must be storage_username, and the CHAP secret must match what is configured with chhost. The storage_username can be found with the lshost command.
- Select .
- On the iSCSI Configuration page, select Modify CHAP Configuration.
- On the Modify CHAP Configuration page, enter a storage_secret and select Use for iSCSI-attached hosts. Click Modify.
  Note: Before upgrading to 8.5.3.0, if the customer has configured two-way CHAP authentication, they must first switch to one-way CHAP and then back to two-way CHAP once the upgrade is complete. This is required because clustername as a user name is not supported for a two-way CHAP secret in the earlier releases.
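The Windows-side steps of the discovery, normal and two-way procedures above can also be scripted with the iSCSI cmdlets that ship with Windows Server 2012 and later. This is an added example, not part of the original documentation; the portal address and user name are placeholders, and the script connects every discovered target that is not yet connected.

```powershell
# Added example. Placeholder values (assumptions): portal address and user name.
# Use the values configured for this host with chhost on the system.
param(
    [string]$PortalAddress = '192.0.2.10',   # placeholder target portal IP
    [string]$UserName      = 'winhost01',    # placeholder; value set with chhost
    [switch]$Mutual                          # also set up two-way CHAP
)

function Read-Secret([string]$Prompt) {
    # Prompt without echo; the iSCSI cmdlets take the secret as a plain string.
    $secure = Read-Host -Prompt $Prompt -AsSecureString
    (New-Object System.Net.NetworkCredential('', $secure)).Password
}

$hostSecret = Read-Secret 'Target secret (host CHAP secret set with chhost)'
if ($hostSecret.Length -ne 12) {
    throw 'The target secret must be a value of 12 characters.'
}

$auth = 'ONEWAYCHAP'
if ($Mutual) {
    $systemSecret = Read-Secret 'System CHAP secret'
    if ($systemSecret -ceq $hostSecret) {
        throw 'The CHAP secrets for the system and the host initiator cannot be the same.'
    }
    # Same setting as the Secret / CHAP... button; it applies to both the
    # discovery session and the normal session.
    Set-IscsiChapSecret -ChapSecret $systemSecret
    $auth = 'MUTUALCHAP'   # "Perform mutual authentication"
}

# Discovery session: Discovery tab, Add / Discover Portal, Advanced, CHAP logon.
New-IscsiTargetPortal -TargetPortalAddress $PortalAddress `
    -AuthenticationType $auth -ChapUsername $UserName -ChapSecret $hostSecret | Out-Null

# Normal session: Targets tab, Log On / Connect, Advanced, CHAP logon.
foreach ($target in (Get-IscsiTarget | Where-Object { -not $_.IsConnected })) {
    Connect-IscsiTarget -NodeAddress $target.NodeAddress `
        -TargetPortalAddress $PortalAddress -AuthenticationType $auth `
        -ChapUsername $UserName -ChapSecret $hostSecret | Out-Null
}

# A failed CHAP exchange raises a cmdlet error above; list what was established.
Get-IscsiSession | Select-Object TargetNodeAddress, AuthenticationType, IsConnected
```

Run it from an elevated PowerShell session. The secrets are read at a prompt so they do not end up in the script file or in command history.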