Selecting CHAP Authentication Method

ESXi supports unidirectional CHAP for all types of iSCSI/iSER initiators, and bidirectional CHAP for software and dependent hardware iSCSI, and for iSER.

Before configuring CHAP, check whether CHAP is enabled at the iSCSI storage system. Also, obtain information about the CHAP authentication method the system supports. If CHAP is enabled, configure it for your initiators, making sure that the CHAP authentication credentials match the credentials on the iSCSI storage.

ESXi supports the following CHAP authentication methods:

Unidirectional CHAP: In unidirectional CHAP authentication, the target authenticates the initiator, but the initiator does not authenticate the target.
Bidirectional CHAP: The bidirectional CHAP authentication adds an extra level of security. With this method, the initiator can also authenticate the target. VMware supports this method for software and dependent hardware iSCSI adapters, and for iSER adapters.

For software and dependent hardware iSCSI adapters, and for iSER adapters, you can set unidirectional CHAP and bidirectional CHAP for each adapter or at the target level. Independent hardware iSCSI supports CHAP only at the adapter level.

When you set the CHAP parameters, specify a security level for CHAP.

Note: When you specify the CHAP security level, how the storage array responds depends on the array’s CHAP implementation and is vendor-specific. For information on CHAP authentication behavior in different initiator and target configurations, consult the array documentation.

Table 1. CHAP Security Level
CHAP Security Level	Description	Supported Storage Adapters
None	The host does not use CHAP authentication. If authentication is enabled, use this option to disable it.	Independent hardware iSCSI Software iSCSI Dependent hardware iSCSI iSER
Use unidirectional CHAP if required by target	The host prefers a non-CHAP connection, but can use a CHAP connection if required by the target.	Software iSCSI Dependent hardware iSCSI iSER
Use unidirectional CHAP unless prohibited by target	The host prefers CHAP, but can use non-CHAP connections if the target does not support CHAP.	Independent hardware iSCSI Software iSCSI Dependent hardware iSCSI iSER
Use unidirectional CHAP	The host requires successful CHAP authentication. The connection fails if CHAP negotiation fails.	Independent hardware iSCSI Software iSCSI Dependent hardware iSCSI iSER
Use bidirectional CHAP	The host and the target support bidirectional CHAP.	Software iSCSI Dependent hardware iSCSI iSER