System Administration Guide: Devices and File Systems

Using a Third-Party RADIUS Server to Simplify CHAP Management in Your iSCSI Configuration

You can use a third-party RADIUS server to simplify CHAP secret management. A RADIUS server is a centralized authentication service. While you must still specify the initiator's CHAP secret, you are no longer required to specify each target's CHAP secret on each initiator when using bidirectional authentication with a RADIUS server.

Procedure: How to Configure RADIUS for Your iSCSI Configuration

This procedure assumes that you are logged in to the local system where you want to securely access the configured iSCSI target device.

  1. Become superuser.

  2. Configure the initiator node with the IP address and port (the default port is 1812) of the RADIUS server.

    For example:


    initiator# iscsiadm modify initiator-node --radius-server 10.0.0.72:1812
    
  3. Configure the initiator node with the shared secret of the RADIUS server.


    initiator# iscsiadm modify initiator-node --radius-shared-secret
    

    Note –

    The Solaris iSCSI implementation requires that the RADIUS server is configured with a shared secret before the Solaris iSCSI software can interact with the RADIUS server.


  4. Enable the RADIUS server.


    initiator# iscsiadm modify initiator-node --radius-access enable
    

Solaris iSCSI and RADIUS Server Error Messages

This section describes the error messages that are related to a Solaris iSCSI and RADIUS server configuration, along with potential solutions for recovery.


empty RADIUS shared secret

Cause:

The RADIUS server is enabled on the initiator, but the RADIUS shared secret is not set.

Solution:

Configure the initiator with the RADIUS shared secret. For more information, see How to Configure RADIUS for Your iSCSI Configuration.


WARNING: RADIUS packet authentication failed

Cause:

The initiator failed to authenticate the RADIUS data packet. This error can occur if the shared secret configured on the initiator node is different from the shared secret on the RADIUS server.

Solution:

Reconfigure the initiator with the correct RADIUS shared secret. For more information, see How to Configure RADIUS for Your iSCSI Configuration.
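
The following added example (not part of the original guide and not Solaris code) shows why a shared-secret mismatch produces the "RADIUS packet authentication failed" warning, using the standard Response Authenticator check from RFC 2865. It assumes the initiator validates replies as that RFC describes; the function names, secrets, and packet contents are constructed for illustration.

```python
import hashlib
import hmac
import os
import struct

ACCESS_ACCEPT = 2  # RADIUS packet code for Access-Accept (RFC 2865)

def response_authenticator(code, ident, request_auth, attributes, secret):
    """RFC 2865: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attributes))
    return hashlib.md5(header + request_auth + attributes + secret).digest()

def build_response(code, ident, request_auth, attributes, secret):
    """Server side: header, 16-byte Response Authenticator, then attributes."""
    auth = response_authenticator(code, ident, request_auth, attributes, secret)
    header = struct.pack("!BBH", code, ident, 20 + len(attributes))
    return header + auth + attributes

def verify_response(packet, request_auth, secret):
    """Client side: recompute the authenticator with the locally configured
    secret. False is the condition reported as a packet authentication failure."""
    if len(packet) < 20:
        return False  # shorter than the fixed RADIUS header
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        return False  # Length field inconsistent with received data
    received = packet[4:20]
    attributes = packet[20:length]
    expected = response_authenticator(code, ident, request_auth, attributes, secret)
    # Constant-time comparison avoids leaking how many bytes matched.
    return hmac.compare_digest(received, expected)

if __name__ == "__main__":
    # Constructed sample values, not taken from any real deployment.
    server_secret = b"example-radius-secret"
    request_auth = os.urandom(16)  # Request Authenticator sent by the client
    attrs = bytes([18, 4]) + b"ok"  # Reply-Message attribute (type 18)
    packet = build_response(ACCESS_ACCEPT, 1, request_auth, attrs, server_secret)

    # Same secret on both sides: the reply authenticates.
    print("matching secret:  ", verify_response(packet, request_auth, server_secret))
    # A single extra character on the client side is enough to fail the check.
    print("mismatched secret:", verify_response(packet, request_auth, server_secret + b" "))
```

Because the secret is mixed into the digest rather than sent on the wire, the client cannot tell a wrong secret from a tampered reply; both surface as the same failure.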