Restricting iSCSI Initiator Authentication; Configuring Mutual CHAP Authentication - Cisco MDS 9000 Series Configuration Manual

NX-OS IP Services, Multilayer Switches
Chapter 4
Configuring iSCSI
Send documentation comments to mds-feedback-doc@cisco.com

Restricting iSCSI Initiator Authentication

By default, an iSCSI initiator can authenticate itself to the IPS module or MPS-14/2 module with any user name present in the RADIUS server or in the local database (the CHAP user name is independent of the iSCSI initiator name). The IPS module or MPS-14/2 module allows the initiator to log in as long as it provides a correct response to the CHAP challenge sent by the switch. This is a problem if any one CHAP user name and password has been compromised, because that credential can then be used by any initiator.
To restrict an initiator to use a specific user name for CHAP authentication, follow these steps:

Step 1
  Command: switch# config t
           switch(config)#
  Purpose: Enters configuration mode.

Step 2
  Command: switch(config)# iscsi initiator name iqn.1987-02.com.cisco.init
           switch(config-iscsi-init)#
  Purpose: Enters the configuration submode for the initiator iqn.1987-02.com.cisco.init.

Step 3
  Command: switch(config-iscsi-init)# username user1
  Purpose: Restricts the initiator iqn.1987-02.com.cisco.init to authenticate only with user1 as its CHAP user name.

Tip: Be sure to define user1 as an iSCSI user in the local AAA database or the RADIUS server.

Configuring Mutual CHAP Authentication

In addition to the IPS module or MPS-14/2 module authentication of the iSCSI initiator, the IPS module or MPS-14/2 module also supports a mechanism for the iSCSI initiator to authenticate the Cisco MDS switch's iSCSI target during the iSCSI login phase. This authentication requires the user to configure a user name and password for the switch to present to the iSCSI initiator. The provided password is used to calculate a CHAP response to a CHAP challenge sent to the IPS port by the initiator.
To configure a global iSCSI target user name and password to be used by the switch to authenticate itself to an initiator, follow these steps:

Step 1
  Command: switch# config t
           switch(config)#
  Purpose: Enters configuration mode.

Step 2
  Command: switch(config)# iscsi authentication username testuser password abc123
  Purpose: Configures the switch user account (testuser) along with a password (abc123) specified in clear text (the default) for all initiators. The password is limited to 128 characters.

  Command: switch(config)# iscsi authentication username user1 password 7 !@*asdsfsdfjh!@df
  Purpose: Configures the switch user account (user1) along with the encrypted password specified by 7 (!@*asdsfsdfjh!@df) for all initiators.

  Command: switch(config)# iscsi authentication username user1 password 0 abcd12AAA
  Purpose: Configures the switch user account (user1) along with a password (abcd12AAA) specified in clear text (indicated by 0, the default) for all initiators. The password is limited to 128 characters.

  Command: switch(config)# no iscsi authentication username testuser
  Purpose: Removes the global configuration for all initiators.

OL-19525-01, Cisco MDS NX-OS Release 4.2(1)
Cisco MDS 9000 Family NX-OS IP Services Configuration Guide
Configuring iSCSI
4-25
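As an added illustration (not from the Cisco guide, and not the switch's own implementation), the following Python models the two checks this page configures: the target rejecting a restricted initiator that presents a CHAP user name other than its configured one, and mutual CHAP in which the switch answers the initiator's challenge with the global target credential. The response computation is CHAP-MD5 as defined in RFC 1994 (the algorithm iSCSI uses); the credential store, initiator names and challenge bytes are constructed sample values.

```python
import hashlib
import hmac

# Constructed sample credential store (not from the page), modelled on the
# configuration the page shows: local AAA users, a per-initiator CHAP user
# name restriction, and the global target credential used for mutual CHAP.
CHAP_USERS = {"user1": b"abcd12AAA", "testuser": b"abc123"}      # CHAP user -> secret
INITIATOR_RESTRICTION = {"iqn.1987-02.com.cisco.init": "user1"}  # initiator -> allowed CHAP user
TARGET_CREDENTIAL = ("user1", b"abcd12AAA")  # iscsi authentication username user1 password 0 abcd12AAA

def chap_response(ident, secret, challenge):
    """CHAP-MD5 (RFC 1994): MD5(identifier || secret || challenge)."""
    return hashlib.md5(bytes([ident & 0xFF]) + secret + challenge).digest()

def switch_verifies_initiator(initiator_iqn, chap_user, ident, challenge, response):
    """Target side: check the initiator's response to the switch's challenge.
    Unrestricted initiators may use any CHAP user (the page's default);
    a restricted initiator may use only its configured user name."""
    secret = CHAP_USERS.get(chap_user)
    if secret is None:
        return False, "unknown CHAP user"
    required = INITIATOR_RESTRICTION.get(initiator_iqn)
    if required is not None and chap_user != required:
        return False, f"initiator restricted to CHAP user {required}"
    if not hmac.compare_digest(chap_response(ident, secret, challenge), response):
        return False, "bad CHAP response"
    return True, "ok"

def switch_answers_initiator_challenge(ident, challenge):
    """Mutual CHAP: the switch presents its global target user name and the
    response computed from the configured password."""
    user, secret = TARGET_CREDENTIAL
    return user, chap_response(ident, secret, challenge)

def initiator_verifies_target(expected_user, expected_secret, ident, challenge, user, response):
    """Initiator side: accept the target only if name and response both match."""
    if user != expected_user:
        return False
    return hmac.compare_digest(chap_response(ident, expected_secret, challenge), response)

if __name__ == "__main__":
    ch = bytes(range(16))  # constructed challenge; a real one is random per login
    # A leaked 'testuser' credential works for an unrestricted initiator ...
    leaked = chap_response(1, CHAP_USERS["testuser"], ch)
    print(switch_verifies_initiator("iqn.2001-04.com.example:other", "testuser", 1, ch, leaked))
    # ... but not for the initiator pinned to user1 (Step 3 of the first procedure).
    print(switch_verifies_initiator("iqn.1987-02.com.cisco.init", "testuser", 1, ch, leaked))
    # Mutual CHAP: the initiator challenges the switch and checks the answer.
    user, resp = switch_answers_initiator_challenge(7, ch)
    print(initiator_verifies_target("user1", b"abcd12AAA", 7, ch, user, resp))
```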