iSCSI Security with CHAP

Posted on June 28, 2007

The first line of defense in iSCSI deployments is to properly define and bind targets to a target portal group (TPG) via a tag on the target (TPGT). ACL’s then provide yet more security by not only restricting how you get to the target, but which initiators are even allowed to connect to a given target.

Beyond that, you can use password authentication via CHAP to ensure only the persons you want connecting can. This can be useful in environments when ACL security isn’t sufficient and untrusted users have root access on a system capable of accessing the target.

Two forms of CHAP security are available:

  • Uni-directional Authentication: Enables the target to validate the initiator.
  • Bi-directional Authentication: Additionally enables the initiator to authenticate the target.

Configuring OpenSolaris iSCSI Initiators and Targets for CHAP is easy, but might be a bit counter intuitive at first. Practice makes perfect.

Before you begin, please remember that iSCSI CHAP passwords must be between 12 and 16 chars long. Spaces are fine, so “I Love iSCSI!!!!” is a valid password.

Here are the high level steps:

  1. Set a CHAP name and secret of your choosing on the initiator node (iscsiadm modify initiator-node)
  2. Set a CHAP name and secret of your choosing on the target node (iscsitadm modify admin)
  3. UNI-DIRECTIONAL: Create an initiator entry on the target node and map to target
  4. BI-DIRECTIONAL: Set target node CHAP name and secret as a target-param on initiator and enable Bi-Directional Auth (iscsiadm modify target-param)

Uni-Directional CHAP Authentication in Solaris

On the initiator:

  1. Optional Set the CHAP Name of the initiator if you want one other than the default (IQN of the initiator)
  2. Set the password (secret) for this initiator (use whatever you like)
  3. Enable CHAP authentication for the initiator
root@aeon ~$ iscsiadm modify initiator-node --CHAP-name aeon                      
root@aeon ~$ iscsiadm modify initiator-node --CHAP-secret        
Enter secret:
Re-enter secret:
root@aeon ~$ iscsiadm modify initiator-node --authentication CHAP

On the target:

  1. Set the global CHAP username for the Target Node (You must do this!)
  2. Set the global CHAP password for the Target Node
  3. Create an entry for the initiator
  4. Set the name of the initiator entry
  5. Set the password of the initiator entry
  6. Associate the initiator entry with a target
root@fisheye ~$ iscsitadm modify admin --chap-name fisheye
root@fisheye ~$ iscsitadm modify admin --chap-secret      
Enter secret:
Re-enter secret:

root@fisheye ~$ iscsitadm create initiator --iqn iqn.1986-03.com.sun:01:e00000000000.464d05f9 aeon
root@fisheye ~$ iscsitadm modify initiator --chap-name aeon aeon
root@fisheye ~$ iscsitadm modify initiator --chap-secret aeon
Enter secret:
Re-enter secret:
root@fisheye ~$ iscsitadm modify target --acl aeon fisheye/luns/lun0

Bi-Direction CHAP Authentication in Solaris

Bi-Directional auth is setup using all the steps above, followed by these steps on the initiator:

  1. Set the CHAP name of the target as a target-param
  2. Set the CHAP secret of the target as a target-param
  3. Enable bi-directional authentication on the target
root@aeon ~$ iscsiadm modify target-param --CHAP-name fisheye iqn.1986-03.com.sun:02:44783840-bce2-4101-f79f-fbf3a3242ea1
root@aeon ~$ iscsiadm modify target-param --CHAP-secret iqn.1986-03.com.sun:02:44783840-bce2-4101-f79f-fbf3a3242ea1
Enter secret:
Re-enter secret:
root@aeon ~$ iscsiadm modify target-param --bi-directional-authentication enable iqn.1986-03.com.sun:02:44783840-bce2-4101-f79f-fbf3a3242ea1
root@aeon ~$ iscsiadm list target-param -v iqn.1986-03.com.sun:02:44783840-bce2-4101-f79f-fbf3a3242ea1
Target: iqn.1986-03.com.sun:02:44783840-bce2-4101-f79f-fbf3a3242ea1
        Alias: fisheye/luns/lun0
        Bi-directional Authentication: enabled
        Authentication Type: CHAP
                CHAP Name: fisheye
                ....

When Things Go Wrong…

Example of failed authentication (bad password in initiator entry on target node):

Jun 19 05:52:18 aeon iscsi: [ID 953209 kern.warning] WARNING: iscsi connection(157) login failed - login failed to authenticate with target
Jun 19 05:52:18 aeon iscsi: [ID 372941 kern.warning] WARNING: iscsi connection(157) login failed - Initiator could not be successfully authenticated. (0x02/0x01)

Example of error when target node CHAP name and secret not set:

Jun 19 05:19:37 aeon iscsi: [ID 632887 kern.warning] WARNING: iscsi connection(54) login failed - authentication failed with target

A Word About RADIUS Support

RADIUS support is available in the Solaris Initiator and Target… but you still have to enable passwords like above and RADIUS is only for bi-directional auth. In other words, don’t bother. If you think setting up RADIUS (I suggest FreeRADIUS if you must) for your iSCSI deployment would be fun, trust me, just shoot yourself in the head and be done with it.