iSCSI Security with CHAP

The first line of defense in iSCSI deployments is to properly define and bind targets to a target portal group (TPG) via a tag on the target (TPGT). ACLs then add a further layer by restricting not only how you reach the target, but which initiators are even allowed to connect to a given target.

Beyond that, you can use password authentication via CHAP to ensure that only the initiators you intend can connect. This is useful in environments where ACL security isn’t sufficient, such as when untrusted users have root access on a system capable of reaching the target.

Two forms of CHAP security are available:

  • Uni-directional Authentication: Enables the target to validate the initiator.
  • Bi-directional Authentication: Additionally enables the initiator to authenticate the target.

Configuring OpenSolaris iSCSI initiators and targets for CHAP is easy, but might be a bit counterintuitive at first. Practice makes perfect.

Before you begin, please remember that iSCSI CHAP passwords must be between 12 and 16 chars long. Spaces are fine, so “I Love iSCSI!!!!” is a valid password.

Here are the high level steps:

  1. Set a CHAP name and secret of your choosing on the initiator node (iscsiadm modify initiator-node)
  2. Set a CHAP name and secret of your choosing on the target node (iscsitadm modify admin)
  3. UNI-DIRECTIONAL: Create an initiator entry on the target node and map to target
  4. BI-DIRECTIONAL: Set target node CHAP name and secret as a target-param on initiator and enable Bi-Directional Auth (iscsiadm modify target-param)

Uni-Directional CHAP Authentication in Solaris

On the initiator:

  1. (Optional) Set the CHAP name of the initiator if you want one other than the default (the IQN of the initiator)
  2. Set the password (secret) for this initiator (use whatever you like)
  3. Enable CHAP authentication for the initiator

root@aeon ~$ iscsiadm modify initiator-node --CHAP-name aeon
root@aeon ~$ iscsiadm modify initiator-node --CHAP-secret
Enter secret:
Re-enter secret:
root@aeon ~$ iscsiadm modify initiator-node --authentication CHAP

On the target:

  1. Set the global CHAP username for the target node (you must do this!)
  2. Set the global CHAP password for the target node
  3. Create an entry for the initiator
  4. Set the name of the initiator entry
  5. Set the password of the initiator entry
  6. Associate the initiator entry with a target

root@fisheye ~$ iscsitadm modify admin --chap-name fisheye
root@fisheye ~$ iscsitadm modify admin --chap-secret
Enter secret:
Re-enter secret:

root@fisheye ~$ iscsitadm create initiator --iqn iqn.1986-03.com.sun:01:e00000000000.464d05f9 aeon
root@fisheye ~$ iscsitadm modify initiator --chap-name aeon aeon
root@fisheye ~$ iscsitadm modify initiator --chap-secret aeon
Enter secret:
Re-enter secret:
root@fisheye ~$ iscsitadm modify target --acl aeon fisheye/luns/lun0

Bi-Directional CHAP Authentication in Solaris

Bi-directional auth is set up using all the steps above, followed by these steps on the initiator:

  1. Set the CHAP name of the target as a target-param
  2. Set the CHAP secret of the target as a target-param
  3. Enable bi-directional authentication for that target

root@aeon ~$ iscsiadm modify target-param --CHAP-name fisheye iqn.1986-03.com.sun:02:44783840-bce2-4101-f79f-fbf3a3242ea1
root@aeon ~$ iscsiadm modify target-param --CHAP-secret iqn.1986-03.com.sun:02:44783840-bce2-4101-f79f-fbf3a3242ea1
Enter secret:
Re-enter secret:
root@aeon ~$ iscsiadm modify target-param --bi-directional-authentication enable iqn.1986-03.com.sun:02:44783840-bce2-4101-f79f-fbf3a3242ea1
root@aeon ~$ iscsiadm list target-param -v iqn.1986-03.com.sun:02:44783840-bce2-4101-f79f-fbf3a3242ea1
Target: iqn.1986-03.com.sun:02:44783840-bce2-4101-f79f-fbf3a3242ea1
        Alias: fisheye/luns/lun0
        Bi-directional Authentication: enabled
        Authentication Type: CHAP
                CHAP Name: fisheye
                ....

When Things Go Wrong…

Example of failed authentication (bad password in initiator entry on target node):

Jun 19 05:52:18 aeon iscsi: [ID 953209 kern.warning] WARNING: iscsi connection(157) login failed - login failed to authenticate with target
Jun 19 05:52:18 aeon iscsi: [ID 372941 kern.warning] WARNING: iscsi connection(157) login failed - Initiator could not be successfully authenticated. (0x02/0x01)

Example of the error when the target node CHAP name and secret are not set:

Jun 19 05:19:37 aeon iscsi: [ID 632887 kern.warning] WARNING: iscsi connection(54) login failed - authentication failed with target
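To make the difference between the two CHAP modes concrete, here is an added example (not part of the original post, and not Solaris code) that models the CHAP leg of an iSCSI login in Python: MD5 CHAP (CHAP_A=5) as specified in RFC 1994 and carried in the iSCSI login keys, with the uni-directional and bi-directional legs, the 12-to-16 character secret rule from above, and the failure cases from the log lines (wrong initiator secret on the target, target unable to prove its own secret). The node names come from the write-up; the secrets and the IMPOSTOR target are constructed for the example.

```python
import hashlib
import os

# CHAP_A=5 (MD5): response = MD5(CHAP_I || secret || CHAP_C), per RFC 1994 as used by iSCSI.
def chap_response(ident: int, secret: bytes, challenge: bytes) -> bytes:
    return hashlib.md5(bytes([ident & 0xFF]) + secret + challenge).digest()

def valid_secret(secret: str) -> bool:
    """Solaris accepts iSCSI CHAP secrets of 12 to 16 characters; spaces are allowed."""
    return 12 <= len(secret) <= 16

class Node:
    """An initiator or a target: owns one CHAP name/secret and holds the secrets of peers it trusts."""
    def __init__(self, name: str, secret: str, peers: dict):
        self.name = name
        self.secret = secret.encode()
        self.peers = {n: s.encode() for n, s in peers.items()}  # peer CHAP name -> peer secret

    def challenge(self):
        # Fresh identifier and 16-byte challenge for every login attempt.
        return os.urandom(1)[0], os.urandom(16)

    def answer(self, ident: int, chall: bytes):
        return self.name, chap_response(ident, self.secret, chall)

    def verify(self, name: str, ident: int, chall: bytes, resp: bytes) -> bool:
        peer_secret = self.peers.get(name)
        return peer_secret is not None and resp == chap_response(ident, peer_secret, chall)

def login(initiator: Node, target: Node, bidirectional: bool) -> dict:
    """Run the CHAP part of an iSCSI login; None means that direction was never attempted."""
    # Uni-directional leg: the target challenges, the initiator answers, the target checks.
    t_id, t_ch = target.challenge()
    name, resp = initiator.answer(t_id, t_ch)
    result = {"initiator_ok": target.verify(name, t_id, t_ch, resp), "target_ok": None}
    if not result["initiator_ok"] or not bidirectional:
        return result
    # Bi-directional leg: the initiator challenges back and the target must prove its own secret.
    i_id, i_ch = initiator.challenge()
    if i_ch == t_ch:
        # RFC 3720 8.2.1: the reverse challenge must not reuse the target's; modelled here as a failed leg.
        return {**result, "target_ok": False}
    t_name, t_resp = target.answer(i_id, i_ch)
    result["target_ok"] = initiator.verify(t_name, i_id, i_ch, t_resp)
    return result

# Constructed sample nodes using the names from the write-up (the secrets are made up here).
AEON = Node("aeon", "I Love iSCSI!!!!", {"fisheye": "fisheye-secret1"})
FISHEYE = Node("fisheye", "fisheye-secret1", {"aeon": "I Love iSCSI!!!!"})
# A target that knows aeon's secret but not fisheye's: it passes uni-directional, fails bi-directional.
IMPOSTOR = Node("fisheye", "not-the-real-one", {"aeon": "I Love iSCSI!!!!"})
```

Running `login(AEON, IMPOSTOR, False)` versus `login(AEON, IMPOSTOR, True)` shows why the bi-directional step matters: uni-directional CHAP never asks the target to prove anything, so a node that has learned the initiator's secret is indistinguishable from the real target until the initiator challenges it back.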

A Word About RADIUS Support

RADIUS support is available in the Solaris Initiator and Target… but you still have to enable passwords like above and RADIUS is only for bi-directional auth. In other words, don’t bother. If you think setting up RADIUS (I suggest FreeRADIUS if you must) for your iSCSI deployment would be fun, trust me, just shoot yourself in the head and be done with it.

33 Responses to “iSCSI Security with CHAP”

  1. pel says:

    Ever thought about the use of ipsec for host authentication?

  2. andrew says:

    G’day,

    Have you had much exp using iscsi devices under vxvm?

  3. benr says:

    pel: Yup… I’ll blog about that soonish.

    andrew: VxVM is dead. ZFS all the way. Regardless, it’s easy enough, I suppose; I can blog that up if you like.

  4. Dick Davies says:

    Perfect timing Ben.

    Might be worth pointing out the IQN you’re setting up is the initiator’s (aeon’s) IQN. But a lot clearer than the official docs (which use single-character options in their command lines).

  5. Dick Davies says:

    Wow, that was incoherent, even for me.

    I meant that this line:

    root@fisheye ~$ iscsitadm create initiator --iqn iqn.1986-03.com.sun:01:e00000000000.464d05f9 aeon

    in the unidirectional method refers to aeon’s IQN.

  6. andrew says:

    G’day Ben,

    I have had some issues in the past with iSCSI and VxVM. In particular, when shutting down a machine the network gets dropped before VxVM has dealt with its devices properly.

    I have been using iSCSI on Linux since before the standard was ratified but have never rolled out iSCSI & VxVM in production before.

    Any blogs etc would be great! :)

    ZFS: I hear you, unfortunately it’s just not available on all platforms yet :)

    Keep up the good work. I have been using cuddletech for years and years!

  18. darkfader says:

    Just for the record,

    it’s 2010 now, VxVM is still alive and ZFS is still not as stable.

    *grin*
