Comment: Updated links in the proper manner.

About CHAP Authentication

In computing, the Challenge-Handshake Authentication Protocol (CHAP) authenticates a user or network host to an authenticating entity.

CHAP provides protection against replay attacks by the peer through the use of an incrementally changing identifier and of a variable challenge-value. CHAP requires that both the client and server know the plaintext of the secret, although it is never sent over the network. CHAP therefore provides better security than the Password Authentication Protocol (PAP), which is vulnerable for both of these reasons.

The steps below allow you to apply CHAP Authentication to iSCSI ACLs, improving the security of your SoftNAS volumes.

Setting up ACLs

  1. Set up iSCSI as per the documentation for SoftNAS v3.2.3 and higher.

  2. Use SSH to access the system, and log in as root.

  3. Perform the following commands:

    Setting up ACLs

        targetcli
        cd /
        cd iscsi
        cd <"iQN for iSCSI needing ACLs">
        ls
        cd tpg1/acls
        create <"iQN for iSCSI Initiator, Windows iSCSI Initiator Configure Tab">
        cd ../../
        ls
        cd /
        saveconfig
        exit


  • You should now be able to see the ACL listed for iQN.
  • Repeat the process as required for any other iQNs.

Note: Determine whether the portal needs to be reconfigured before moving beyond the steps above.


CHAP Authentication Setup

  1. Set up iSCSI as described in the documentation for SoftNAS v3.2.3 and higher.

  2. Use SSH to access the system, logging in as root. Perform the following commands:

    Setting up CHAP Authentication

        targetcli
        cd /
        cd iscsi
        cd <"iQN for iSCSI Target">
        ls
        cd tpg1
        get attribute authentication

  3. At this point, authentication should be 0 (zero) by default:

    Setting Attribute Authentication

        set attribute authentication=1
        get attribute authentication

  4. Confirm CHAP Authentication via the following commands:

    Confirm CHAP Authentication

        cd acls
        ls
        cd <"ACL created earlier (iQN)">
        set userid=<"for Windows use iQN of initiator">
        set password=<"secret target password">
        set mutual_userid=<"for Mutual CHAP, target iQN">
        set mutual_password=<"secret CHAP password">
        cd /
        saveconfig
        exit
        service fcoe-target restart