
January 13th, 2015 13:00

iSCSI CHAP authentication does not work on EMC VNXe array

I have a new EMC VNXe array. I have configured an iSCSI server and several volumes, and added several VMware vSphere/ESXi hosts (ver 5.x). I have also added one Linux host. I have two dedicated IP subnets for SAN traffic. When I add a VMware host in the VNXe interface, it automatically detects the client host iSCSI initiator IQN. Assume the VNXe has IPs of 192.168.100.10 and 192.168.101.10 configured for the iSCSI server. Clients use 192.168.100.10 as a dynamic (send) target IP and will detect 192.168.100.10 and 192.168.101.11 as static targets.

I have no problems accessing volumes from the VNXe on VMware or Linux clients IF I don't use iSCSI CHAP authentication.

I have tried enabling CHAP authentication. On the VMware client I have tried configuring "Use CHAP" or "Use CHAP unless prohibited by target."

On the VNXe, for each client host definition I have set a CHAP password that matches the one defined on the client. Under the iSCSI server settings I have tried both enabling and disabling "require CHAP Authentication." In any case, if CHAP is required by client or server or both, login fails, although it looks like discovery of static targets may still work from VMware clients. On both Linux and vSphere clients it looks like you can configure CHAP discovery separately from CHAP authentication once targets are discovered.

I do not need to use mutual/bi-directional authentication.

The CHAP passwords are 13-15 characters, no spaces. (Some OSes apparently only support 12-16 characters.)

Without CHAP, it would seem relatively easy for a malicious user with some network access to gain access to, or even delete, data on the VNXe.

I have tried packet capturing (tcpdump, Wireshark). It does not seem to show the password ever being sent. (I believe this would be in plain text.)

Maybe I have just fundamentally misunderstood CHAP, since I have had problems getting it to work with a mix of SAN target and client solutions.

I appreciate any advice.
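
Added example, not part of the original post: a troubleshooting check that takes the CHAP keys as they appear in a login capture (`CHAP_A`, `CHAP_I`, `CHAP_C` from the target, `CHAP_R` from the initiator) and tests whether the configured secret would have produced the captured response, using the RFC 1994 MD5 calculation. The secret, initiator name and challenge below are constructed sample values, and all function names are this example's own.

```python
import base64
import hashlib
import hmac

def parse_login_keys(segment: bytes) -> dict:
    """Split a login PDU data segment (NUL-separated key=value text) into a dict."""
    keys = {}
    for item in segment.split(b"\x00"):
        name, sep, value = item.partition(b"=")
        if sep:
            keys[name.decode("ascii")] = value.decode("ascii")
    return keys

def decode_binary(text: str) -> bytes:
    """Decode an iSCSI binary value: 0x-prefixed hex or 0b-prefixed base64."""
    prefix, body = text[:2].lower(), text[2:]
    if prefix == "0x":
        # Pad odd-length hex with one leading zero before decoding.
        return bytes.fromhex(body.rjust(len(body) + len(body) % 2, "0"))
    if prefix == "0b":
        return base64.b64decode(body)
    raise ValueError(f"not a binary value: {text!r}")

def chap_md5_response(ident: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 CHAP response: MD5(identifier octet || secret || challenge)."""
    return hashlib.md5(bytes([ident]) + secret + challenge).digest()

def secret_matches(target_seg: bytes, initiator_seg: bytes, secret: bytes) -> bool:
    """True if the captured CHAP_R is what this secret would have produced."""
    offer, answer = parse_login_keys(target_seg), parse_login_keys(initiator_seg)
    if offer.get("CHAP_A") != "5":  # 5 = MD5, the only algorithm handled here
        raise ValueError("unsupported CHAP_A")
    expected = chap_md5_response(int(offer["CHAP_I"]), secret,
                                 decode_binary(offer["CHAP_C"]))
    return hmac.compare_digest(expected, decode_binary(answer["CHAP_R"]))

# Constructed sample exchange (not taken from a real capture).
SECRET = b"ExampleSecret1"  # 14 characters, made up for this example
CHALLENGE = bytes.fromhex("00112233445566778899aabbccddeeff")
TARGET_SEG = b"CHAP_A=5\x00CHAP_I=42\x00CHAP_C=0x" + CHALLENGE.hex().encode() + b"\x00"
INITIATOR_SEG = (b"CHAP_N=iqn.1998-01.com.example:host1\x00CHAP_R=0x"
                 + chap_md5_response(42, SECRET, CHALLENGE).hex().encode() + b"\x00")

if __name__ == "__main__":
    print("configured secret matches:", secret_matches(TARGET_SEG, INITIATOR_SEG, SECRET))
    print("secret visible on the wire:", SECRET in TARGET_SEG + INITIATOR_SEG)
```

Run against the key=value text copied from a real capture, a `False` result from `secret_matches` points to a secret mismatch between the initiator and the target's host entry rather than a negotiation problem.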
