beautypg.com

Assigning identity credentials – SANRAD I3.1.1205 User Manual

Page 139

background image

Chapter 7: Volume Exposure and Security

7-21

Assigning Identity Credentials

If you are working in

a V-Switch cluster,

the identity

authentication

method(s) must be

added on both V-

Switches.

You can require initiator authentication before allowing access to a target
and its underlying volume(s). The V-Switch supports CHAP and SRP
authentication methods. Microsoft and Cisco initiators support CHAP.
Use the CLI command acl identity add chap/srp to assign a login
authentication method(s) to initiators in an identity.

An assigned authentication method encrypts the host login name and
password. The authentication method does not encrypt the virtual
volume data transferred. The host login and password do not have to
relate to the iSCSI initiator WWUI. They can be any selected character
strings.

In the event of a

failover, if each

identity does not

require

authentication on

both V-Switches,

each attached

identity will have free

access to the target’s

underlying volumes.

If you are working with a Microsoft initiator and configuring target
authentication, note that the V-Switch exchanges the final character in the
password with a zero. Therefore, do not configure initiator passwords
with a zero as the final character. CHAP passwords must be between
twelve to sixteen characters in length.

acl identity add chap

You need to define four parameters to assign the CHAP/SRP
authentication method to an identity:

S

WITCH

P

ARAMETER

D

EFINITION

S

TATUS

E

XAMPLE

-id

IDENTITY

ALIAS OF

I

DENTITY

MANDATORY

accounting

-us

USER NAME

INITIATOR USER
NAME

MANDATORY

steven

-pw

USER PASSWORD

INITIATOR
PASSWORD

MANDATORY
UNLESS A

RADIUS

SERVER IS USED

12-16

CHAR

STRING

oneveryhot
dude

-radius

RADIUS RADIUS

SERVER

OPTIONAL

DEFAULT

:

NO

No parameter
required