ESXi supports unidirectional CHAP for all types of iSCSI/iSER initiators, and bidirectional CHAP for software and dependent hardware iSCSI, and for iSER.

Before configuring CHAP, check whether CHAP is enabled at the iSCSI storage system. Also, obtain information about the CHAP authentication method the system supports. If CHAP is enabled, configure it for your initiators, making sure that the CHAP authentication credentials match the credentials on the iSCSI storage.

ESXi supports the following CHAP authentication methods:
Unidirectional CHAP
In unidirectional CHAP authentication, the target authenticates the initiator, but the initiator does not authenticate the target.
Bidirectional CHAP
Bidirectional CHAP authentication adds an extra level of security. With this method, the initiator can also authenticate the target. VMware supports this method for software and dependent hardware iSCSI adapters, and for iSER adapters.
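
The following added example (not part of the original documentation and not VMware code) models the two methods with the CHAP challenge-response of RFC 1994 using MD5, the algorithm iSCSI CHAP uses. It shows that a mismatch in the target-side secret goes unnoticed with unidirectional CHAP and is caught with bidirectional CHAP. The `Peer` class, the `login` function and all secrets are hypothetical and constructed for illustration; iSCSI login text keys are omitted.

```python
import hashlib, hmac, os

def chap_response(ident, secret, challenge):
    # RFC 1994: response = MD5(identifier || secret || challenge)
    return hashlib.md5(bytes([ident]) + secret + challenge).digest()

class Peer:
    """One end of the session. own_secret proves this peer's identity;
    peer_secret is the secret it expects the other end to know."""
    def __init__(self, own_secret, peer_secret):
        self.own_secret, self.peer_secret = own_secret, peer_secret

    def challenge(self):
        # A fresh identifier and random challenge for every authentication.
        self._id, self._chal = os.urandom(1)[0], os.urandom(16)
        return self._id, self._chal

    def respond(self, ident, chal):
        return chap_response(ident, self.own_secret, chal)

    def verify(self, response):
        expected = chap_response(self._id, self.peer_secret, self._chal)
        return hmac.compare_digest(expected, response)

def login(initiator, target, bidirectional):
    # Both methods: the target challenges and the initiator proves its secret.
    ident, chal = target.challenge()
    if not target.verify(initiator.respond(ident, chal)):
        return "rejected by target"
    # Bidirectional only: the initiator challenges the target in return.
    if bidirectional:
        ident, chal = initiator.challenge()
        if not initiator.verify(target.respond(ident, chal)):
            return "rejected by initiator"
    return "session established"

# Constructed sample secrets (assumed values, one per direction).
INIT_SECRET = b"initiator-secret-example"
TGT_SECRET = b"target-secret-example"
host = Peer(INIT_SECRET, TGT_SECRET)
array = Peer(TGT_SECRET, INIT_SECRET)
# A target that knows the initiator's secret but holds the wrong target secret.
stale_array = Peer(b"old-target-secret", INIT_SECRET)

if __name__ == "__main__":
    for tgt_name, tgt in (("array", array), ("stale_array", stale_array)):
        for bidi in (False, True):
            print(tgt_name, "bidirectional" if bidi else "unidirectional", "->", login(host, tgt, bidi))
```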

For software and dependent hardware iSCSI adapters, and for iSER adapters, you can set unidirectional CHAP and bidirectional CHAP for each adapter or at the target level. Independent hardware iSCSI supports CHAP only at the adapter level.

When you set the CHAP parameters, specify a security level for CHAP.

Note: When you specify the CHAP security level, how the storage array responds depends on the array’s CHAP implementation and is vendor-specific. For information on CHAP authentication behavior in different initiator and target configurations, consult the array documentation.

Table 1. CHAP Security Level

| CHAP Security Level | Description | Supported Storage Adapters |
|---|---|---|
| None | The host does not use CHAP authentication. If authentication is enabled, use this option to disable it. | Independent hardware iSCSI, Software iSCSI, Dependent hardware iSCSI, iSER |
| Use unidirectional CHAP if required by target | The host prefers a non-CHAP connection, but can use a CHAP connection if required by the target. | Software iSCSI, Dependent hardware iSCSI, iSER |
| Use unidirectional CHAP unless prohibited by target | The host prefers CHAP, but can use non-CHAP connections if the target does not support CHAP. | Independent hardware iSCSI, Software iSCSI, Dependent hardware iSCSI, iSER |
| Use unidirectional CHAP | The host requires successful CHAP authentication. The connection fails if CHAP negotiation fails. | Independent hardware iSCSI, Software iSCSI, Dependent hardware iSCSI, iSER |
| Use bidirectional CHAP | The host and the target support bidirectional CHAP. | Software iSCSI, Dependent hardware iSCSI, iSER |