Linux version, Atto macintosh chap restrictions, Recommended chap policies – HP EVA P6000 Storage User Manual
Page 132: Iscsi session types, The iscsi or iscsi/fcoe controller chap modes
Linux version
•
CHAP is supported with Linux open-iscsi Initiator and the iSCSI or iSCSI/FCoE modules.
•
CHAP setup with Linux iSCSI Initiator is not supported with the iSCSI or iSCSI/FCoE modules.
ATTO Macintosh Chap restrictions
The ATTO Macintosh iSCSI Initiator does not support CHAP at this time.
Recommended CHAP policies
•
The same CHAP secret should not be configured for authentication of multiple initiators or
multiple targets.
•
Any CHAP secret used for initiator authentication must not be configured for the authentication
of any target; and any CHAP secret used for target authentication must not be configured for
authentication of any initiator.
•
CHAP should be configured after the initial iSCSI Initiator/target login to validate initiator/target
connectivity. The first initiator/target login also creates a discovered iSCSI Initiator entry on
the iSCSI or iSCSI/FCoE modules that will be used in the CHAP setup.
iSCSI session types
iSCSI defines two types of sessions:
•
Discovery. SCSI discovery allows an initiator to find the targets to which it has access.
•
Normal operational session. A normal operational session is unrestricted.
CHAP is enforced on both the discovery and normal operational session.
The iSCSI or iSCSI/FCoE controller CHAP modes
The iSCSI or iSCSI/FCoE modules support two CHAP modes:
•
Single-direction. The target authenticates the identity of the initiator with the user-provided
CHAP secret. To enable single-direction CHAP, you need to enable CHAP for a specific initiator
record on the iSCSI or iSCSI/FCoE modules and input a corresponding CHAP secret from the
iSCSI host.
•
Bi-directional. The initiator and target authenticate identity of each other with the user-provided
CHAP secrets. To enable bi-directional CHAP for a discovery session, you need to provide a
CHAP secret for the initiator and for the iSCSI port for which you are performing discovery.
To enable bi-directional CHAP for a normal session, you will need to provide a CHAP secret
for the initiator and for the iSCSI-presented target that you are trying to log in to.
•
Once CHAP is enabled, it is enforced for both the normal and discovery sessions. You only
have the choice of what type (single or bi-directional) of CHAP to perform:
◦
Single-direction CHAP during discovery and during normal session
◦
Single-direction CHAP during discovery and bi-directional CHAP during normal session
◦
Bi-directional CHAP during discovery and single–direction CHAP during normal session
◦
Bi-directional CHAP during discovery and during normal session
Enabling single–direction CHAP during discovery and normal session
lists the parameters you use to enable single-direction CHAP.
132
iSCSI or iSCSI/FCoE configuration rules and guidelines