iSCSI Security with CHAP

28 June '07 - 04:54 by benr

The first line of defense in an iSCSI deployment is to bind each target to a target portal group (TPG) via its target portal group tag (TPGT), so the target is only offered on the portals you intend. ACLs then add another layer: beyond restricting how you reach the target, they restrict which initiators (by IQN) are allowed to connect to a given target at all.

Beyond that, you can require CHAP, a challenge-response authentication based on a shared secret, so that only initiators holding the secret can log in. This matters because an initiator's IQN is self-asserted (iscsiadm modify initiator-node --node-name sets it): anyone with root on a host that can reach the target portal can give that host an IQN that is on the ACL, so an ACL alone does not keep out untrusted root users. Note that CHAP authenticates the login only; it does not encrypt or integrity-protect the SCSI traffic that follows (that takes IPsec).

Two forms of CHAP security are available:

  • Uni-directional authentication: the target validates the initiator.
  • Bi-directional authentication: additionally, the initiator validates the target, so a rogue target answering for the real one is rejected.

Configuring OpenSolaris iSCSI initiators and targets for CHAP is easy, but might be a bit counter-intuitive at first. Practice makes perfect.

Before you begin, please remember that Solaris requires iSCSI CHAP secrets to be between 12 and 16 characters long. Spaces are fine, so "I Love iSCSI!!!!" is a valid secret. Valid is not the same as strong, though: without IPsec the challenge and the MD5 response cross the wire in the clear, and anyone who captures one login can test guesses offline against them, so a phrase like that falls to a dictionary. Use a random secret, and for bi-directional auth use a different secret for the target than for the initiator.
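The two forms of CHAP above and the secret-length rule can be seen together in the following model, which is an added example written for this page, not code from the post or from Solaris. It plays both sides of the login exchange as RFC 3720 section 11.1.4 defines it (CHAP_A=5, i.e. MD5 over CHAP_I, the secret and CHAP_C), with the target's per-initiator secret table standing in for iscsitadm modify initiator and the initiator's target-param table standing in for iscsiadm modify target-param. It goes a step beyond the post by also showing two failure cases a practitioner should know about (a host that spoofs a permitted IQN but lacks the secret, and the reflected-challenge check RFC 3720 section 8.2.1 requires in bi-directional CHAP) and by running the offline dictionary attack that anyone sniffing an unprotected login can mount against a phrase like "I Love iSCSI!!!!". The target IQN, the way the names fisheye and aeon are used here, the secrets and the wordlist are all constructed for the example.

```python
# Added example (not code from the post or from Solaris): a model of the iSCSI
# CHAP login exchange, RFC 3720 section 11.1.4 with CHAP_A=5 (MD5, RFC 1994).
# Node names, the target IQN, all secrets and the wordlist are constructed.
import hashlib
import hmac
import secrets

TARGET_IQN = "iqn.2007-06.example:fisheye.lun0"      # constructed, not the post's


def chap_response(chap_i, secret, chap_c):
    """CHAP_R = MD5(CHAP_I || secret || CHAP_C); the secret never crosses the wire."""
    return hashlib.md5(bytes([chap_i & 0xFF]) + secret + chap_c).digest()


class Target:
    """Global CHAP name/secret (iscsitadm modify admin) the target proves to
    initiators, plus initiator CHAP name -> secret (iscsitadm modify initiator)."""

    def __init__(self, name, secret):
        self.name, self.secret = name, secret
        self.initiators = {}
        self.chap_i, self.chap_c = 0, b""

    def add_initiator(self, chap_name, secret):
        self.initiators[chap_name] = secret

    def challenge(self):
        """Login step 1: target sends CHAP_A=5, CHAP_I and a fresh random CHAP_C."""
        self.chap_i, self.chap_c = secrets.randbelow(256), secrets.token_bytes(16)
        return self.chap_i, self.chap_c

    def verify(self, chap_n, chap_r, peer_i=None, peer_c=None):
        """Login step 2: check CHAP_N/CHAP_R; a failure here is what the initiator
        logs as status 0x02/0x01. Returns (accepted, reverse answer or None)."""
        if peer_c is not None and peer_c == self.chap_c:
            # RFC 3720 8.2.1: the initiator must not reuse our challenge for the
            # reverse direction; a responder that sees this closes the connection.
            return False, None
        secret = self.initiators.get(chap_n)
        if secret is None or not hmac.compare_digest(
                chap_response(self.chap_i, secret, self.chap_c), chap_r):
            return False, None
        if peer_c is None:                                   # uni-directional: done
            return True, None
        # Bi-directional: answer the initiator's challenge with the target secret.
        return True, (self.name, chap_response(peer_i, self.secret, peer_c))


class Initiator:
    """Own CHAP name/secret (iscsiadm modify initiator-node) plus, per target, the
    target CHAP name/secret it expects back (iscsiadm modify target-param)."""

    def __init__(self, name, secret):
        self.name, self.secret = name, secret
        self.target_params = {}                  # iqn -> (target CHAP name, secret)

    def set_target_param(self, iqn, chap_name, secret):
        self.target_params[iqn] = (chap_name, secret)       # turns on bi-directional

    def login(self, iqn, target, reflect=False):
        chap_i, chap_c = target.challenge()
        chap_r = chap_response(chap_i, self.secret, chap_c)
        if iqn not in self.target_params:                    # uni-directional
            return target.verify(self.name, chap_r)[0]
        # Bi-directional: our own CHAP_I/CHAP_C ride in the same login request.
        my_i = secrets.randbelow(256)
        my_c = chap_c if reflect else secrets.token_bytes(16)   # reflect = misbehave
        accepted, answer = target.verify(self.name, chap_r, my_i, my_c)
        if not accepted or answer is None:
            return False
        want_name, want_secret = self.target_params[iqn]
        got_name, got_r = answer
        return got_name == want_name and hmac.compare_digest(
            chap_response(my_i, want_secret, my_c), got_r)


def offline_guess(chap_i, chap_c, chap_r, wordlist):
    """A passive sniffer holding one (CHAP_I, CHAP_C, CHAP_R): MD5 is cheap and the
    challenge is public, so a phrase-like secret falls to a dictionary."""
    for word in wordlist:
        if chap_response(chap_i, word.encode(), chap_c) == chap_r:
            return word
    return None


def demo():
    weak = b"I Love iSCSI!!!!"                    # the post's sample: 16 chars, guessable
    strong = secrets.token_urlsafe(12).encode()   # 16 random chars: also 12..16, not guessable
    target = Target("fisheye", strong)
    target.add_initiator("aeon", weak)
    aeon = Initiator("aeon", weak)
    r = {"uni": aeon.login(TARGET_IQN, target)}
    aeon.set_target_param(TARGET_IQN, "fisheye", strong)
    r["bi"] = aeon.login(TARGET_IQN, target)
    r["reflected_challenge"] = aeon.login(TARGET_IQN, target, reflect=True)
    # A host that set its IQN to aeon's (so it passes the ACL) but lacks the secret:
    r["impostor"] = Initiator("aeon", b"not the secret!!").login(TARGET_IQN, target)
    # A passive attacker who recorded one of aeon's logins, with a constructed wordlist:
    chap_i, chap_c = target.challenge()
    wordlist = ["password1234", "I Love iSCSI!!!!", "iscsi secret 123"]
    r["weak_guessed"] = offline_guess(chap_i, chap_c, chap_response(chap_i, weak, chap_c), wordlist)
    r["strong_guessed"] = offline_guess(chap_i, chap_c, chap_response(chap_i, strong, chap_c), wordlist)
    return r
```

Calling demo() gives uni and bi as True, the impostor and the reflected challenge as False, the weak secret recovered from the wordlist and the random one not. The point to take away: the 12-to-16 character rule is a format constraint, what protects the secret on the wire is entropy (or IPsec), and what keeps a host with a spoofed IQN off the LUN is CHAP, not the ACL.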

Here are the high level steps:

  1. Set a CHAP name and secret of your choosing on the initiator node (iscsiadm modify initiator-node)
  2. Set a CHAP name and secret of your choosing on the target node (iscsitadm modify admin)
  3. Uni-directional: create an initiator entry on the target node, give it the initiator's CHAP name and secret, and add it to the target's ACL (iscsitadm create initiator / modify initiator / modify target --acl)
  4. Bi-directional: set the target node's CHAP name and secret as a target-param on the initiator and enable bi-directional auth (iscsiadm modify target-param)

Uni-Directional CHAP Authentication in Solaris

On the initiator:

  1. (Optional) Set the CHAP name of the initiator if you want one other than the default, which is the initiator's IQN
  2. Set the CHAP secret for this initiator (whatever you like, within the 12 to 16 character rule)
  3. Enable CHAP authentication for the initiator
root@aeon ~$ iscsiadm modify initiator-node --CHAP-name aeon
root@aeon ~$ iscsiadm modify initiator-node --CHAP-secret
Enter secret:
Re-enter secret:
root@aeon ~$ iscsiadm modify initiator-node --authentication CHAP

On the target:

  1. Set the global CHAP name for the target node (you must do this, or logins fail as shown under "When Things Go Wrong")
  2. Set the global CHAP secret for the target node
  3. Create an entry for the initiator; the IQN given here is the initiator's own (aeon's) IQN, as shown by iscsiadm list initiator-node on aeon, and the trailing "aeon" is the local name of the entry
  4. Set the CHAP name of the initiator entry (in the command below the first "aeon" is the CHAP name, the second is the entry name)
  5. Set the CHAP secret of the initiator entry (the same secret you set on aeon above)
  6. Add the initiator entry to the target's ACL
root@fisheye ~$ iscsitadm modify admin --chap-name fisheye
root@fisheye ~$ iscsitadm modify admin --chap-secret
Enter secret:
Re-enter secret:

root@fisheye ~$ iscsitadm create initiator --iqn iqn.1986-03.com.sun:01:e00000000000.464d05f9 aeon
root@fisheye ~$ iscsitadm modify initiator --chap-name aeon aeon
root@fisheye ~$ iscsitadm modify initiator --chap-secret aeon
Enter secret:
Re-enter secret:
root@fisheye ~$ iscsitadm modify target --acl aeon fisheye/luns/lun0

Bi-Directional CHAP Authentication in Solaris

Bi-directional auth is set up using all the steps above, followed by these steps on the initiator, once for each target it should authenticate (the IQN in the commands below is the target's, as listed by iscsiadm list target):

  1. Set the CHAP name of the target as a target-param (the name given to iscsitadm modify admin --chap-name)
  2. Set the CHAP secret of the target as a target-param (the secret given to iscsitadm modify admin --chap-secret; it should be a different value from the initiator's own secret)
  3. Enable bi-directional authentication for that target
root@aeon ~$ iscsiadm modify target-param --CHAP-name fisheye iqn.1986-03.com.sun:02:44783840-bce2-4101-f79f-fbf3a3242ea1
root@aeon ~$ iscsiadm modify target-param --CHAP-secret iqn.1986-03.com.sun:02:44783840-bce2-4101-f79f-fbf3a3242ea1
Enter secret:
Re-enter secret:
root@aeon ~$ iscsiadm modify target-param --bi-directional-authentication enable iqn.1986-03.com.sun:02:44783840-bce2-4101-f79f-fbf3a3242ea1
root@aeon ~$ iscsiadm list target-param -v iqn.1986-03.com.sun:02:44783840-bce2-4101-f79f-fbf3a3242ea1
Target: iqn.1986-03.com.sun:02:44783840-bce2-4101-f79f-fbf3a3242ea1
        Alias: fisheye/luns/lun0
        Bi-directional Authentication: enabled
        Authentication Type: CHAP
                CHAP Name: fisheye
                ....

When Things Go Wrong...

Example of failed authentication (bad secret in the initiator entry on the target node). The 0x02/0x01 pair is the Status-Class/Status-Detail from the target's Login Response: Initiator Error, Authentication Failure (RFC 3720 section 10.13.5):

Jun 19 05:52:18 aeon iscsi: [ID 953209 kern.warning] WARNING: iscsi connection(157) login failed - login failed to authenticate with target
Jun 19 05:52:18 aeon iscsi: [ID 372941 kern.warning] WARNING: iscsi connection(157) login failed - Initiator could not be successfully authenticated. (0x02/0x01)

Example of the error when the target node's CHAP name and secret have not been set:

Jun 19 05:19:37 aeon iscsi: [ID 632887 kern.warning] WARNING: iscsi connection(54) login failed - authentication failed with target
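If you would rather alert on these than read them by hand, here is an added example (not from the post) that parses the Solaris initiator warnings above into structured events, decodes the Status-Class/Status-Detail pair against RFC 3720 section 10.13.5, and flags a host whose distinct connections keep failing authentication. The first three sample lines are the ones quoted above; the other three are constructed, and the field names and threshold are this example's own.

```python
# Added example (not from the original post): classify Solaris initiator log
# lines by the RFC 3720 Login Response status they carry and flag hosts with
# repeated authentication failures. The first three sample lines are the
# post's; the last three are constructed.
import re

# RFC 3720 section 10.13.5: (Status-Class, Status-Detail) from the Login Response.
LOGIN_STATUS = {
    (0x02, 0x01): "Initiator Error / Authentication failure",
    (0x02, 0x02): "Initiator Error / Authorization failure",
    (0x02, 0x03): "Initiator Error / Not found",
    (0x03, 0x01): "Target Error / Service unavailable",
}

LOGIN_FAILED = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) iscsi: \[ID \d+ kern\.warning\] "
    r"WARNING: iscsi connection\((?P<conn>\d+)\) login failed - (?P<reason>.*?)"
    r"(?: \((?P<cls>0x[0-9a-fA-F]{2})/(?P<det>0x[0-9a-fA-F]{2})\))?$")

SAMPLE_LOG = """\
Jun 19 05:52:18 aeon iscsi: [ID 953209 kern.warning] WARNING: iscsi connection(157) login failed - login failed to authenticate with target
Jun 19 05:52:18 aeon iscsi: [ID 372941 kern.warning] WARNING: iscsi connection(157) login failed - Initiator could not be successfully authenticated. (0x02/0x01)
Jun 19 05:19:37 aeon iscsi: [ID 632887 kern.warning] WARNING: iscsi connection(54) login failed - authentication failed with target
Jun 19 05:53:02 aeon iscsi: [ID 372941 kern.warning] WARNING: iscsi connection(158) login failed - Initiator could not be successfully authenticated. (0x02/0x01)
Jun 19 05:53:40 aeon iscsi: [ID 372941 kern.warning] WARNING: iscsi connection(159) login failed - Initiator could not be successfully authenticated. (0x02/0x01)
Jun 19 05:54:00 aeon iscsi: [ID 000000 kern.notice] NOTICE: constructed non-failure line, ignored
"""


def parse(log):
    """One event per login-failure line; anything else is skipped."""
    events = []
    for line in log.splitlines():
        m = LOGIN_FAILED.match(line)
        if not m:
            continue
        code = (int(m["cls"], 16), int(m["det"], 16)) if m["cls"] else None
        if code is None:
            # The initiator reported the failure without a Login Response status.
            kind = "authentication failure (no Login Response status)"
        else:
            kind = LOGIN_STATUS.get(code, "unknown status %#04x/%#04x" % code)
        events.append({"ts": m["ts"], "host": m["host"], "conn": int(m["conn"]),
                       "reason": m["reason"], "code": code, "kind": kind,
                       "auth": code is None or code == (0x02, 0x01)})
    return events


def failing_hosts(log, threshold=3):
    """Hosts whose distinct connections hit at least `threshold` authentication
    failures: either a misconfigured secret or someone trying secrets."""
    conns = {}
    for e in parse(log):
        if e["auth"]:
            conns.setdefault(e["host"], set()).add(e["conn"])
    return sorted(h for h, c in conns.items() if len(c) >= threshold)
```

Counting distinct connections rather than lines matters because, as the first two sample lines show, one failed login produces two warnings for the same connection; failing_hosts(SAMPLE_LOG) flags aeon on the strength of four failed connections, not five lines.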

A Word About RADIUS Support

RADIUS support is available in the Solaris Initiator and Target... but you still have to enable passwords like above and RADIUS is only for bi-directional auth. In other words, don't bother. If you think setting up RADIUS (I suggest FreeRADIUS if you must) for your iSCSI deployment would be fun, trust me, just shoot yourself in the head and be done with it.


- - C O M M E N T S - -

Ever thought about the use of ipsec for host authentication?

pel (Email) - 28 June '07 - 16:10

G’day,

Have you had much exp using iscsi devices under vxvm?

andrew (Email) (URL) - 29 June '07 - 04:12

pel: Yup… I’ll blog about that soonish.

andrew: VxVM is dead. ZFS all the way. Regardless, it's easy enough I suppose, I can blog that up if you like.

benr - 29 June '07 - 05:02

Perfect timing Ben.

Might be worth pointing out the iqn you're setting up is the initiator's, aeon's, IQN. But a lot clearer than the official docs (which use single character options in their command lines).

Dick Davies (Email) (URL) - 29 June '07 - 10:42

Wow, that was incoherent, even for me.

I meant that this line:

root@fisheye ~$ iscsitadm create initiator --iqn iqn.1986-03.com.sun:01:e00000000000.464d05f9 aeon

in the unidirectional method refers to aeon's IQN.

Dick Davies (Email) (URL) - 29 June '07 - 10:44

G’day Ben,

I have had some issues in the past with iscsi and vxvm. In particular when shutting down a machine the network gets dropped before vxvm has dealt with its devices properly.

I have been using iscsi on linux since before the standard was ratified but have never rolled out iscsi & vxvm in production before.

Any blogs etc would be great! :)

ZFS: I hear you, unfortunately its just not available on all platforms yet :)

Keep up the good work. I have been using cuddletech for years and years!

andrew (Email) (URL) - 29 June '07 - 20:40

