The IP networks that iSCSI uses to connect your ESXi host to remote targets do not protect the data they transport, so you must secure the connection yourself. One of the protocols that iSCSI implements is the Challenge Handshake Authentication Protocol (CHAP), which verifies the legitimacy of ESXi initiators that access targets on the network.

CHAP uses a three-way handshake algorithm to verify the identity of your host and, if applicable, of the iSCSI target when the host and target establish a connection. The verification is based on a predefined private value, or CHAP secret, that the initiator and target share.

ESXi supports CHAP authentication at the adapter level. In this case, all targets receive the same CHAP name and secret from the iSCSI initiator. For software and dependent hardware iSCSI adapters, and for iSER adapters, ESXi also supports per-target CHAP authentication, which lets you configure different credentials for each target for a greater level of security.

Selecting CHAP Authentication Method

ESXi supports unidirectional CHAP for all types of iSCSI and iSER initiators, and bidirectional CHAP for software and dependent hardware iSCSI, and for iSER.

Before configuring CHAP, check whether CHAP is activated at the iSCSI storage system. Also, obtain information about the CHAP authentication method the system supports. If CHAP is activated, configure it for your initiators, making sure that the CHAP authentication credentials match the credentials on the iSCSI storage.

ESXi supports the following CHAP authentication methods:
Unidirectional CHAP
In unidirectional CHAP authentication, the target authenticates the initiator, but the initiator does not authenticate the target.
Bidirectional CHAP
The bidirectional CHAP authentication adds an extra level of security. With this method, the initiator can also authenticate the target. VMware supports this method for software and dependent hardware iSCSI adapters, and for iSER adapters.

For software and dependent hardware iSCSI adapters, and for iSER adapters, you can set unidirectional CHAP and bidirectional CHAP for each adapter or at the target level. Independent hardware iSCSI supports CHAP only at the adapter level.

When you set the CHAP parameters, specify a security level for CHAP.

Note: When you specify the CHAP security level, how the storage array responds depends on the array’s CHAP implementation and is vendor-specific. For information on CHAP authentication behavior in different initiator and target configurations, consult the array documentation.
Table 1. CHAP Security Level

CHAP Security Level | Description | Supported Storage Adapters
None | The host does not use CHAP authentication. If authentication is activated, use this option to deactivate it. | Independent hardware iSCSI; Software iSCSI; Dependent hardware iSCSI; iSER
Use unidirectional CHAP if required by target | The host prefers a non-CHAP connection, but can use a CHAP connection if required by the target. | Software iSCSI; Dependent hardware iSCSI; iSER
Use unidirectional CHAP unless prohibited by target | The host prefers CHAP, but can use non-CHAP connections if the target does not support CHAP. | Independent hardware iSCSI; Software iSCSI; Dependent hardware iSCSI; iSER
Use unidirectional CHAP | The host requires successful CHAP authentication. The connection fails if CHAP negotiation fails. | Independent hardware iSCSI; Software iSCSI; Dependent hardware iSCSI; iSER
Use bidirectional CHAP | The host and the target support bidirectional CHAP. | Software iSCSI; Dependent hardware iSCSI; iSER

Set Up CHAP for iSCSI or iSER Storage Adapter

When you set up CHAP name and secret at the iSCSI/iSER adapter level, all targets receive the same parameters from the adapter. By default, all discovery addresses or static targets inherit CHAP parameters that you set up at the adapter level.

The CHAP name cannot exceed 511 alphanumeric characters and the CHAP secret cannot exceed 255 alphanumeric characters. Some adapters, for example the QLogic adapter, might have lower limits, 255 for the CHAP name and 100 for the CHAP secret.

Prerequisites

  • Before setting up CHAP parameters for software or dependent hardware iSCSI, determine whether to configure unidirectional or bidirectional CHAP. Independent hardware iSCSI adapters do not support bidirectional CHAP.
  • Verify CHAP parameters configured on the storage side. Parameters that you configure must match the ones on the storage side.
  • Required privilege: Host.Configuration.Storage Partition Configuration

Procedure

  1. Navigate to the iSCSI or iSER storage adapter.
    1. In the vSphere Client, navigate to the ESXi host.
    2. Click the Configure tab.
    3. Under Storage, click Storage Adapters, and select the adapter (vmhba#) to configure.
  2. Click the Properties tab and click Edit in the Authentication panel.
  3. Specify authentication method.
    • None
    • Use unidirectional CHAP if required by target
    • Use unidirectional CHAP unless prohibited by target
    • Use unidirectional CHAP
    • Use bidirectional CHAP. To configure bidirectional CHAP, you must select this option.
  4. Specify the outgoing CHAP name.

    Make sure that the name you specify matches the name configured on the storage side.

    • To set the CHAP name to the iSCSI adapter name, select Use initiator name.
    • To set the CHAP name to anything other than the iSCSI initiator name, deselect Use initiator name and enter a name in the Name text box.
  5. Enter an outgoing CHAP secret to be used as part of authentication. Use the same secret that you enter on the storage side.
  6. If configuring bidirectional CHAP, specify incoming CHAP credentials.
    Make sure to use different secrets for the outgoing and incoming CHAP.
  7. Click OK.
  8. Rescan the iSCSI adapter.
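To make the three-way handshake behind this procedure concrete, here is an added Python model of unidirectional and bidirectional CHAP, written for this page rather than taken from VMware; the host and array names, the secrets and the dict layout are assumptions, and the MD5 response construction follows RFC 1994.

```python
"""Constructed model of the iSCSI CHAP exchange this page configures
(added illustration, not VMware code). The response is MD5 over
identifier || secret || challenge as in RFC 1994, which iSCSI uses as
CHAP algorithm 5. All names and secrets here are made up."""
import hashlib
import hmac
import os

def chap_response(ident, secret, challenge):
    """Prover side: hash the one-byte identifier, shared secret and challenge."""
    return hashlib.md5(bytes([ident & 0xFF]) + secret + challenge).digest()

def verify(ident, challenge, expected_secret, response):
    """Verifier side: recompute with the secret held for the claimed name and
    compare in constant time. The secret itself never crosses the network."""
    return hmac.compare_digest(chap_response(ident, expected_secret, challenge), response)

def check_host_chap(name, outgoing_secret, incoming_secret=None):
    """Limits this page states for an ESXi adapter: CHAP name up to 511
    characters, each secret up to 255, and, for bidirectional CHAP, a
    different secret in each direction (only lengths are checked here)."""
    if len(name) > 511 or len(outgoing_secret) > 255:
        return False
    if incoming_secret is not None:
        if len(incoming_secret) > 255 or incoming_secret == outgoing_secret:
            return False
    return True

def chap_login(host, storage, bidirectional, rng=os.urandom):
    """Run the handshake. `host` and `storage` are dicts with 'outgoing'
    (the secret that side proves) and 'incoming' (the secret it expects the
    peer to prove), mirroring the vSphere Client fields. Returns (ok, reason)."""
    # Leg 1, unidirectional CHAP: the target challenges, the initiator answers.
    ident, chal = rng(1)[0], rng(16)
    resp = chap_response(ident, host["outgoing"], chal)
    if not verify(ident, chal, storage["incoming"], resp):
        return False, "target rejected initiator"
    if not bidirectional:
        return True, "unidirectional CHAP succeeded"
    # Leg 2, bidirectional CHAP: the initiator challenges, the target answers.
    ident2, chal2 = rng(1)[0], rng(16)
    resp2 = chap_response(ident2, storage["outgoing"], chal2)
    if not verify(ident2, chal2, host["incoming"], resp2):
        return False, "initiator rejected target"
    return True, "bidirectional CHAP succeeded"
```

With unidirectional CHAP, a storage system that knows the host's secret passes even if its own outgoing secret is wrong; that is the case the bidirectional leg closes.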

Results

If you change the CHAP parameters, they are used for new iSCSI sessions. For existing sessions, new settings are not used until you log out and log in again.

What to do next

For other configuration steps you can perform for the iSCSI or iSER storage adapters, see the following topics:

Set Up CHAP for Target

If you use software and dependent hardware iSCSI adapters, or an iSER storage adapter, you can configure different CHAP credentials for each discovery address or static target.

The CHAP name cannot exceed 511 alphanumeric characters, and the CHAP secret cannot exceed 255 alphanumeric characters.

Prerequisites

  • Before setting up CHAP parameters, determine whether to configure unidirectional or bidirectional CHAP.
  • Verify CHAP parameters configured on the storage side. Parameters that you configure must match the ones on the storage side.
  • Required privilege: Host.Configuration.Storage Partition Configuration

Procedure

  1. Navigate to the iSCSI or iSER storage adapter.
    1. In the vSphere Client, navigate to the ESXi host.
    2. Click the Configure tab.
    3. Under Storage, click Storage Adapters, and select the adapter (vmhba#) to configure.
  2. Click either Dynamic Discovery or Static Discovery.
  3. From the list of available targets, select a target to configure and click Authentication.
  4. Deselect Inherit settings from parent and specify authentication method.
    • None
    • Use unidirectional CHAP if required by target
    • Use unidirectional CHAP unless prohibited by target
    • Use unidirectional CHAP
    • Use bidirectional CHAP. To configure bidirectional CHAP, you must select this option.
  5. Specify the outgoing CHAP name.

    Make sure that the name you specify matches the name configured on the storage side.

    • To set the CHAP name to the iSCSI adapter name, select Use initiator name.
    • To set the CHAP name to anything other than the iSCSI initiator name, deselect Use initiator name and enter a name in the Name text box.
  6. Enter an outgoing CHAP secret to be used as part of authentication. Use the same secret that you enter on the storage side.
  7. If configuring bidirectional CHAP, specify incoming CHAP credentials.
    Make sure to use different secrets for the outgoing and incoming CHAP.
  8. Click OK.
  9. Rescan the storage adapter.

Results

If you change the CHAP parameters, they are used for new iSCSI sessions. For existing sessions, new settings are not used until you log out and log in again.