Restricting iSCSI Initiator Authentication; Mutual CHAP Authentication - Cisco DS-X9530-SF1-K9 - Supervisor-1 Module - Control Processor Configuration Manual

Configuring iSCSI
Send documentation comments to mdsfeedback-doc@cisco.com.
To configure iSCSI users for local authentication, follow these steps:
Step 1
    Command: switch# config t
             switch(config)#
    Purpose: Enters configuration mode.
Step 2
    Command: switch(config)# username iscsiuser password ffsffsfsffs345353554535 iscsi
    Purpose: Configures a user name (iscsiuser) and password (ffsffsfsffs345353554535) in the local database for iSCSI login authentication.

Restricting iSCSI Initiator Authentication

By default, the iSCSI initiator can use any user name in the RADIUS or local database to authenticate
itself to the IPS module or MPS-14/2 module (the CHAP user name is independent of the iSCSI initiator
name). The IPS module or MPS-14/2 module allows the initiator to log in as long as it provides a correct
response to the CHAP challenge sent by the switch. This can be a problem if one CHAP user name and
password has been compromised.
To restrict an initiator to a specific user name for CHAP authentication, follow these steps:
Step 1
    Command: switch# config t
             switch(config)#
    Purpose: Enters configuration mode.
Step 2
    Command: switch(config)# iscsi initiator name iqn.1987-02.com.cisco.init
             switch(config-iscsi-init)#
    Purpose: Enters the configuration submode for the initiator iqn.1987-02.com.cisco.init.
Step 3
    Command: switch(config-iscsi-init)# username user1
    Purpose: Restricts the initiator iqn.1987-02.com.cisco.init to only authenticate using user1 as its CHAP username.
    Tip: Be sure to define user1 as an iSCSI user in the local AAA database or the RADIUS server.

Mutual CHAP Authentication

In addition to authenticating the iSCSI initiator, the IPS module or MPS-14/2 module also supports
a mechanism for the iSCSI initiator to authenticate the Cisco MDS switch's iSCSI target during the
iSCSI login phase. This authentication requires the user to configure a username and password for
the switch to present to the iSCSI initiator. The provided password is used to calculate a CHAP
response to a CHAP challenge sent to the IPS port by the initiator.
To configure a global iSCSI target username and password to be used by the switch to authenticate itself
to an initiator, follow these steps:
Step 1
    Command: switch# config t
             switch(config)#
    Purpose: Enters configuration mode.

Cisco MDS 9000 Family Configuration Guide, OL-6973-03, Cisco MDS SAN-OS Release 2.x (Chapter 35, Configuring iSCSI, page 35-24)
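
The CHAP exchange behind the two sections above, as an added Python example (not from the Cisco guide and not the switch's implementation): it computes the response as in RFC 1994 (MD5 over identifier, secret, challenge), models the per-initiator username restriction as a lookup table, and includes the reverse check used in mutual CHAP. The secrets, the second user user2, the target secret and all function names are constructed for illustration.

```python
import hashlib
import hmac
import os

# Constructed sample data: only the IQN and "user1" appear in the guide.
USERS = {"user1": b"constructed-secret-1", "user2": b"constructed-secret-2"}
# Hypothetical model of the per-initiator "username" restriction.
BINDINGS = {"iqn.1987-02.com.cisco.init": "user1"}
TARGET_SECRET = b"constructed-target-secret"  # used for the mutual direction

def chap_response(ident: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 CHAP with MD5: MD5(identifier || secret || challenge)."""
    return hashlib.md5(bytes([ident]) + secret + challenge).digest()

def target_accepts(iqn, chap_user, ident, challenge, response, restrict):
    """Target-side check; restrict=True also enforces the IQN-to-user binding."""
    secret = USERS.get(chap_user)
    if secret is None:
        return False
    if restrict and BINDINGS.get(iqn, chap_user) != chap_user:
        return False  # valid credentials, but not the user tied to this IQN
    return hmac.compare_digest(chap_response(ident, secret, challenge), response)

def initiator_accepts(ident, challenge, response, expected_secret):
    """Mutual CHAP: the initiator verifies the target's response."""
    return hmac.compare_digest(
        chap_response(ident, expected_secret, challenge), response)

def demo():
    iqn = "iqn.1987-02.com.cisco.init"
    ident, challenge = 1, os.urandom(16)
    # The initiator answers with user2's (for example, compromised) credentials.
    resp_user2 = chap_response(ident, USERS["user2"], challenge)
    resp_user1 = chap_response(ident, USERS["user1"], challenge)
    # Reverse direction: initiator challenges, target answers with its secret.
    r_ident, r_challenge = 2, os.urandom(16)
    target_resp = chap_response(r_ident, TARGET_SECRET, r_challenge)
    return {
        "default_any_user": target_accepts(iqn, "user2", ident, challenge, resp_user2, False),
        "restricted_other_user": target_accepts(iqn, "user2", ident, challenge, resp_user2, True),
        "restricted_bound_user": target_accepts(iqn, "user1", ident, challenge, resp_user1, True),
        "mutual_ok": initiator_accepts(r_ident, r_challenge, target_resp, TARGET_SECRET),
        "mutual_wrong_secret": initiator_accepts(r_ident, r_challenge, target_resp, b"other"),
    }

if __name__ == "__main__":
    print(demo())
```

With the restriction off, a correct response for any known user is enough for this initiator name; with it on, only user1 is accepted for iqn.1987-02.com.cisco.init.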
