I am playing with my 7110 and am looking to add Chap Authentication to our iSCSI LUNs. However, I am obviously doing something silly as I am getting an authentication failure.
Could someone who has it working pop in with some advice?
I am using Microsoft's iSCSI initiator and have done the following
1. Set a Mutual Chap Secret in the Windows Machine (Secret number 1)
2. Set a target CHAP name and target Chap Secret on the 7110 (Secret number 2) (BTW - does the name have to be anything specific here?)
3. Setup an initiator on the 7110 for the windows machine. Entered the IQN for the chap name (Does this have to be anything specific?) Entered Secret Number 1 for the Chap Secret.
4. Used the Advanced tab to connect to the LUN. Checked the boxes for Chap Login information and Mutual authentication. Put Secret Number 2 in as the target secret.
I am hoping that I just have the wrong name or secret in somewhere but would be glad of any advice/help.
I'm going by memory here a bit so this is going to be a little bit off...
Once you've made the LUN on the S7000, go to protocols and remove 'Allow any initiator access' then manually add the IQN of your Windows machine that you want to connect to it. On the screen for adding the IQN you get an Initiator Alias (doesn't matter what this is, just something easy for you to remember like the client's hostname), IQN (whatever the Microsoft iSCSI connector says the client machine's IQN is), CHAP Name (name for this CHAP group or account), CHAP Secret (the shared password).
I'm running the old version of the MS initiator but at that point you should just give the MS initiator the same CHAP secret you gave the 7110 and tell it to look for LUNs on the 7110's hostname or IP address. You can do two-way CHAP where the 7110 authenticates the client and then the client authenticates the 7110, but that shouldn't be necessary.
You don't need to set the CHAP stuff under the iSCSI service configuration (at least I didn't) as you can do it on a per-initiator basis. Just make sure you give the 7110 and your Windows box the same CHAP secret and make sure the 7110 has the right client IQN and you should be sorted.
Presumably you can connect okay if you turn off CHAP and just use initiator security? Are you on the latest firmware release for the 7110?
I don't suppose you've got anything else that supports iSCSI like a Citrix XEN or VMware ESX/ESXi setup that you could try to connect with? I'm using iSCSI and CHAP but it's currently only with ESX servers rather than a Windows box.
What version of Windows and/or the MS iSCSI Initiator are you using?
I've just run through the following process, using the S7000 simulator and a windows2003 Enterprise edition server.
Set an Initiator.
Do this in the iscsi service configuration on the S7000.
Initiator Alias: This can be anything, but best to use a meaningful name such as the name of the windows server.
IQN: The IQN copied from the general tab on the windows iscsi tool.
CHAP name: This can be anything, I used 'SUNNAS'.
CHAP secret: This is the shared password.
Create a LUN.
In the protocol properties of the LUN untick inherit from project. The initiator we set up should be visible, tick the box next to it to allow it access.
Add the target portal, using the ip address or hostname of the S7000.
In the targets tab, select the target IQN of the LUN and click Logon.
Tick automatically restore and click advanced.
Tick CHAP authentication information.
In Username put the CHAP name we specified earlier, in this case SUNNAS.
In taget secret, put the secret we specified earlier.
Click 'ok' and 'ok' again and the lun should be connected.
I hope this is of help to you.
Last edited by Ricko; 4th September 2009 at 11:54 AM.
Ok - thanks for the replies - I have now got CHAP authentication working.
I have a horrible suspicion that I must have put the wrong password in one end or other as the proecures detailed here seem to be the same as what I was doing before. However, it has good to have the method confirmed as being correct so it was clear I was just mis-typing something.