Enforcing Access Control; Iscsi Session Authentication - Cisco DS-X9530-SF1-K9 - Supervisor-1 Module - Control Processor Configuration Manual

Configuring iSCSI
Send documentation comments to mds-feedback-doc@cisco.com.

Enforcing Access Control

IPS modules and MPS-14/2 modules use both iSCSI and Fibre Channel zoning-based access control lists to enforce access control. Access control is enforced both during the iSCSI discovery phase and the iSCSI session creation phase.

• iSCSI discovery phase—When an iSCSI host creates an iSCSI discovery session and queries for all iSCSI targets, the IPS module or MPS-14/2 module returns only the list of iSCSI targets this iSCSI host is allowed to access based on the access control policies discussed in the previous section. The IPS module or MPS-14/2 module does this by querying the Fibre Channel name server for all the devices in the same zone as the initiator in all VSANs. It then filters out the devices that are initiators by looking at the FC4-feature field of the FCNS entry. (If a device does not register as either initiator or target in the FC4-feature field, the IPS module or MPS-14/2 module will advertise it.) It then responds to the iSCSI host with the list of targets. Each will have either a static iSCSI target name that you configure or a dynamic iSCSI target name that the IPS module or MPS-14/2 module creates for it (see the "Dynamic Mapping" section on page 35-5).

• iSCSI session creation—When an IP host initiates an iSCSI session, the IPS module or MPS-14/2 module verifies whether the specified iSCSI target (in the session login request) is allowed by both of the access control mechanisms described in the previous section.

If the iSCSI target is a statically mapped target, the IPS module or MPS-14/2 module verifies whether the iSCSI host is allowed within the access list of the iSCSI target. If the IP host does not have access, its login is rejected. If the iSCSI host is allowed, the module then validates that the virtual Fibre Channel N port used by the iSCSI host and the Fibre Channel target mapped to the static iSCSI virtual target are in the same Fibre Channel zone.

If the iSCSI target is an auto-generated iSCSI target, the IPS module or MPS-14/2 module extracts the WWN of the Fibre Channel target from the iSCSI target name and verifies whether the initiator and the Fibre Channel target are in the same Fibre Channel zone. If they are, access is allowed.

Access control enforcement is not required during the I/O phase because the IPS module or MPS-14/2 module is responsible for the routing of iSCSI traffic to Fibre Channel.

The IPS module or MPS-14/2 module uses the Fibre Channel virtual N port of the iSCSI host and does a zone-enforced name server query for the Fibre Channel target WWN. If the FCID is returned by the name server, the iSCSI session is accepted. Otherwise, the login request is rejected.

iSCSI Session Authentication

The IPS module or MPS-14/2 module supports an iSCSI authentication mechanism to authenticate iSCSI hosts that request access to storage. By default, IPS modules and MPS-14/2 modules allow CHAP or None authentication of iSCSI initiators. If authentication should always be used, you must configure the switch to allow only CHAP authentication.

For CHAP username or secret validation you can use any method supported and allowed by the Cisco MDS AAA infrastructure (see Chapter 28, "Configuring RADIUS and TACACS+"). AAA authentication supports RADIUS, TACACS+, or a local authentication device.

The aaa authentication iscsi command enables AAA authentication for the iSCSI host and specifies the method to use.

Cisco MDS 9000 Family Configuration Guide, OL-6973-03, Cisco MDS SAN-OS Release 2.x
Chapter 35, Configuring iSCSI, page 35-22
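The two access-control checks described above (discovery-phase filtering, then the per-login checks for static and auto-generated targets), modelled as an added Python example. This is not Cisco's code or the module's implementation: the name server table, zone set, static target definitions, host names and the prefix used for auto-generated target names are constructed assumptions, and `zoned_fcns_query` stands in for the zone-enforced name server query the text describes.

```python
"""Model of the iSCSI access-control decisions described in the text.

Added illustration, not Cisco code. FCNS, ZONES, STATIC_TARGETS, HOST_NPORT
and DYNAMIC_PREFIX are constructed sample data; the real module embeds the
target pWWN in the names it generates, but its exact format is not assumed.
"""

# Constructed FCNS (Fibre Channel name server) entries keyed by pWWN.
# fc4_feature is the registered role: "initiator", "target", or None when
# the device registered neither (the module still advertises such devices).
FCNS = {
    "21:00:00:aa:00:00:00:01": {"fcid": "0x010001", "vsan": 1, "fc4_feature": "target"},
    "21:00:00:aa:00:00:00:02": {"fcid": "0x010002", "vsan": 1, "fc4_feature": "target"},
    "21:00:00:aa:00:00:00:03": {"fcid": "0x010003", "vsan": 1, "fc4_feature": "initiator"},
    "21:00:00:aa:00:00:00:04": {"fcid": "0x010004", "vsan": 1, "fc4_feature": None},
    "21:00:00:bb:00:00:00:05": {"fcid": "0x020005", "vsan": 2, "fc4_feature": "target"},
}

# Constructed virtual N port pWWN that the module assigns to the iSCSI host.
HOST_NPORT = "20:01:00:0d:ec:00:00:01"

# Constructed active zone set: VSAN -> zone name -> member pWWNs.
ZONES = {
    1: {"zone_host_a": {HOST_NPORT, "21:00:00:aa:00:00:00:01",
                        "21:00:00:aa:00:00:00:03", "21:00:00:aa:00:00:00:04"}},
    2: {"zone_other": {"21:00:00:bb:00:00:00:05"}},
}

# Constructed static iSCSI virtual targets: iqn -> mapped pWWN and an
# optional access list of initiator names (None means no per-target list).
STATIC_TARGETS = {
    "iqn.2005-01.example.san:static-disk1": {
        "pwwn": "21:00:00:aa:00:00:00:01",
        "allowed_initiators": {"iqn.2005-01.example.host:a"}},
    "iqn.2005-01.example.san:static-disk5": {
        "pwwn": "21:00:00:bb:00:00:00:05", "allowed_initiators": None},
}

# Assumed (not Cisco's) prefix for auto-generated target names; the target
# pWWN follows as 16 hex digits so it can be extracted again at login time.
DYNAMIC_PREFIX = "iqn.1987-05.com.cisco:05.example-dynamic."


def zoned_fcns_query(querier_pwwn):
    """Zone-enforced name server query: pWWNs that share a zone with the
    querier in any VSAN. Devices outside those zones are not returned."""
    visible = set()
    for vsan, zones in ZONES.items():
        for members in zones.values():
            if querier_pwwn in members:
                visible |= {m for m in members if m != querier_pwwn
                            and m in FCNS and FCNS[m]["vsan"] == vsan}
    return visible


def dynamic_target_name(pwwn):
    return DYNAMIC_PREFIX + pwwn.replace(":", "")


def pwwn_from_dynamic_name(iqn):
    """Recover the target pWWN embedded in an auto-generated name, or None."""
    if not iqn.startswith(DYNAMIC_PREFIX):
        return None
    digits = iqn[len(DYNAMIC_PREFIX):].lower()
    if len(digits) != 16 or any(c not in "0123456789abcdef" for c in digits):
        return None
    return ":".join(digits[i:i + 2] for i in range(0, 16, 2))


def discovery_targets(host_nport, static_targets=STATIC_TARGETS):
    """Discovery phase: only zoned devices that did not register as
    initiators are advertised, under their static name if one exists."""
    targets = []
    for pwwn in sorted(zoned_fcns_query(host_nport)):
        if FCNS[pwwn]["fc4_feature"] == "initiator":
            continue
        static = next((iqn for iqn, t in static_targets.items() if t["pwwn"] == pwwn), None)
        targets.append(static or dynamic_target_name(pwwn))
    return targets


def session_login(initiator_iqn, host_nport, target_iqn, static_targets=STATIC_TARGETS):
    """Session creation: returns (accepted, reason) for a login request."""
    if target_iqn in static_targets:
        target = static_targets[target_iqn]
        acl = target["allowed_initiators"]
        if acl is not None and initiator_iqn not in acl:
            return False, "initiator not in the static target's access list"
        target_pwwn = target["pwwn"]
    else:
        target_pwwn = pwwn_from_dynamic_name(target_iqn)
        if target_pwwn is None:
            return False, "unknown target name"
    # Zone-enforced query for the target WWN: an FCID comes back only when
    # the host's virtual N port and the target share a zone.
    if target_pwwn not in zoned_fcns_query(host_nport):
        return False, "initiator and target are not in the same zone"
    return True, "accepted, target FCID " + FCNS[target_pwwn]["fcid"]
```

Two properties of the text are visible in the model: a static target's access list is checked before zoning, so a host on the list can still be refused if the zone set does not pair its N port with the mapped target, and a device that registered no FC4 feature is advertised during discovery and admitted at login on zoning alone, which is why the zone set, not the FC4 role, is the control to audit.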
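The difference between the default "CHAP or None" behaviour and a "CHAP only" policy, worked through as an added Python example of the iSCSI login exchange from the target's side. This is not Cisco's code: the secret store is constructed sample data standing in for the AAA back end (RADIUS, TACACS+ or local), and the CHAP computation follows RFC 1994 as carried in the iSCSI login keys (CHAP_A=5 selects MD5, which is what the standard specifies).

```python
"""Target-side model of iSCSI AuthMethod negotiation and CHAP verification.

Added illustration, not Cisco code. CHAP_SECRETS is a constructed stand-in
for the AAA database; the policy names are this example's own, not switch
configuration keywords.
"""
import hashlib
import hmac
import secrets
from enum import Enum


class AuthPolicy(Enum):
    CHAP_OR_NONE = ("CHAP", "None")  # default behaviour described in the text
    CHAP_ONLY = ("CHAP",)            # what to enforce when authentication is mandatory


# Constructed CHAP user store: CHAP username (here the initiator name) -> secret.
CHAP_SECRETS = {"iqn.2005-01.example.host:a": b"constructed-sample-secret"}


def negotiate_auth_method(policy, offered):
    """Target side of AuthMethod negotiation: the first method in the
    initiator's list that the policy allows, or None (login rejected)."""
    for method in offered:
        if method in policy.value:
            return method
    return None


def target_challenge():
    """Target's CHAP challenge: an identifier byte and random challenge bytes."""
    return {"CHAP_A": 5, "CHAP_I": secrets.randbelow(256),
            "CHAP_C": "0x" + secrets.token_hex(16)}


def chap_response(identifier, secret, challenge_hex):
    """RFC 1994 response: MD5(identifier || secret || challenge), hex encoded."""
    digest = hashlib.md5(bytes([identifier]) + secret
                         + bytes.fromhex(challenge_hex[2:])).hexdigest()
    return "0x" + digest


def initiator_answer(username, secret, challenge):
    """Initiator's reply keys to the target's challenge."""
    return {"CHAP_N": username,
            "CHAP_R": chap_response(challenge["CHAP_I"], secret, challenge["CHAP_C"])}


def target_verify(challenge, answer, secret_store):
    """Look the user up in the (AAA) store and compare responses in constant time."""
    secret = secret_store.get(answer["CHAP_N"])
    if secret is None:
        return False
    expected = chap_response(challenge["CHAP_I"], secret, challenge["CHAP_C"])
    return hmac.compare_digest(expected, answer["CHAP_R"].lower())


def login(policy, offered_methods, username, secret, secret_store=CHAP_SECRETS, challenge=None):
    """Whole login exchange seen from the target; returns the outcome."""
    method = negotiate_auth_method(policy, offered_methods)
    if method is None:
        return "reject: no acceptable AuthMethod"
    if method == "None":
        return "accept: unauthenticated"
    challenge = challenge or target_challenge()
    answer = initiator_answer(username, secret, challenge)
    return "accept: CHAP" if target_verify(challenge, answer, secret_store) else "reject: CHAP failed"
```

Under the default policy the outcome depends on the order in which the initiator offers methods, so a host that lists None first is admitted without any credential check; the CHAP-only policy removes that choice on the target side, which is the point of the recommendation above. The unknown-user and wrong-secret cases both end in the same rejection, so the AAA server's log, not the iSCSI status, is where the reason should be read.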
