Microsoft initiator chap secret restrictions, Linux version 3.6.3 chap restrictions, Atto macintosh chap restrictions – HP EVA Array iSCSI Connectivity Option User Manual

Page 204: Recommended chap policies, Iscsi session types, The mpx100/100b chap modes


Minimum length of 1 character.

No restriction on the type of characters that can be entered.

Microsoft Initiator CHAP secret restrictions

Maximum length of 16 characters.

Minimum length of 12 characters.

No restriction on the type of characters that can be entered.

When an initiator uses iSNS for target discovery, only normal session CHAP applies.

Linux version 3.6.3 CHAP restrictions

CHAP setup with Linux iSCSI Initiator version 3.6.3 is not supported with the mpx100/100b because the Linux iSCSI driver omits CHAP security negotiations at login.

ATTO Macintosh CHAP restrictions

The ATTO Macintosh iSCSI Initiator does not support CHAP at this time.

Recommended CHAP policies

The same CHAP secret should not be configured for authentication of multiple initiators or multiple targets.

Any CHAP secret used for initiator authentication must not be configured for the authentication of any target; and any CHAP secret used for target authentication must not be configured for authentication of any initiator.

CHAP should be configured after the initial iSCSI Initiator/target login to validate initiator/target connectivity. The first initiator/target login also creates a discovered iSCSI Initiator entry on the mpx100/100b that will be used in the CHAP setup.
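The policies above can be checked mechanically before secrets are entered on the mpx100/100b. The following is an added example, not part of the HP manual: the record layout, the audit_chap function, and the sample host and target names are assumptions made for illustration, and the 12 to 16 character limits are the Microsoft Initiator restrictions stated on this page.

```python
from collections import defaultdict

# Microsoft Initiator CHAP secret length limits, as stated on this page.
MS_MIN, MS_MAX = 12, 16


def audit_chap(records):
    """Check planned CHAP secrets against the recommended policies.

    records: list of dicts with keys 'name', 'role' ('initiator' or
    'target'), 'secret', and optional 'microsoft' (True for a host using
    the Microsoft Initiator). This layout is hypothetical.
    Returns a sorted list of (rule, names); secrets are never echoed.
    """
    findings = []
    by_secret = defaultdict(list)
    for rec in records:
        by_secret[rec["secret"]].append(rec)
        if rec["role"] == "initiator" and rec.get("microsoft"):
            if not MS_MIN <= len(rec["secret"]) <= MS_MAX:
                findings.append(("ms-length", rec["name"]))
    for users in by_secret.values():
        roles = {u["role"] for u in users}
        # Policy 2: an initiator secret must not also authenticate a target.
        if len(roles) == 2:
            findings.append(("cross-role", ",".join(sorted(u["name"] for u in users))))
        # Policy 1: one secret must not serve several initiators or several targets.
        for role in roles:
            same = sorted(u["name"] for u in users if u["role"] == role)
            if len(same) > 1:
                findings.append(("reused-" + role, ",".join(same)))
    return sorted(findings)


# Constructed sample data; names and secrets are made up for this example.
SAMPLE = [
    {"name": "host-a", "role": "initiator", "secret": "Xq7!mPz2Lr9#Vd4k", "microsoft": True},
    {"name": "host-b", "role": "initiator", "secret": "short", "microsoft": True},
    {"name": "host-c", "role": "initiator", "secret": "Xq7!mPz2Lr9#Vd4k"},
    {"name": "target-1", "role": "target", "secret": "short"},
]

if __name__ == "__main__":
    for rule, names in audit_chap(SAMPLE):
        print(rule, names)
```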

iSCSI session types

iSCSI defines two types of sessions:

Discovery—iSCSI discovery allows an initiator to find the targets to which it has access.

Normal operational session—A normal operational session is unrestricted.

CHAP is enforced on both the discovery and normal operational sessions.

The mpx100/100b CHAP modes

The mpx100/100b supports two CHAP modes:

Single-direction—The target authenticates the identity of the initiator with the user-provided CHAP secret. To enable single-direction CHAP, you need to enable CHAP for a specific initiator record on the mpx100/100b and input a corresponding CHAP secret from the iSCSI host.

Bidirectional—The initiator and target authenticate identity of each other with the user-provided CHAP secrets. To enable bidirectional CHAP for a discovery session, you need to provide a CHAP secret for the initiator and for the iSCSI port for which you are performing discovery. To enable bidirectional CHAP for a normal session, you will need to provide a CHAP secret for the initiator and for the iSCSI-presented target that you are trying to log in to.

Once CHAP is enabled, it is enforced for both the normal and discovery sessions. You only have the choice of what type (single or bidirectional) of CHAP to perform:

Single-direction CHAP during discovery and during normal session.

Single-direction CHAP during discovery and bidirectional CHAP during normal session.

Bidirectional CHAP during discovery and single-direction CHAP during normal session.


Setting up authentication
