
Managing SAN Devices and Multipathing in Oracle® Solaris 11.3


Updated: March 2018

Configuring Authentication in an iSCSI-Based Storage Network

In a secure environment, authentication for your iSCSI devices is not required because only trusted initiators can access the targets.

In a less secure environment, the target cannot determine whether a connection request really comes from a given host. In this case, the target can authenticate an initiator by using the Challenge-Handshake Authentication Protocol (CHAP).

CHAP authentication uses the notion of challenge and response, which means that the target challenges the initiator to prove its identity. For the challenge and response method to work, the target must know the initiator's secret key, and the initiator must be set up to respond to a challenge. See your array vendor documentation for instructions on setting up the secret key on the array.

iSCSI supports unidirectional and bidirectional authentication as follows:

  • Unidirectional authentication enables either the target to authenticate the identity of the initiator or the initiator to authenticate the identity of the target.

  • Bidirectional authentication adds a second level of security by adding authentication in both directions.

You can simplify CHAP secret key management by using a third-party RADIUS server, which acts as a centralized authentication service. When you use RADIUS, the RADIUS server stores the set of node names and their matching CHAP secret keys. The system performing the authentication forwards the requester's node name and the requester's supplied secret to the RADIUS server. The RADIUS server confirms whether the secret key is the appropriate key to authenticate the given node name.
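The following is an added worked example, not code from this guide or from Oracle Solaris, that shows the challenge-and-response exchange described above (target challenges initiator, initiator proves knowledge of the secret) in both its unidirectional and bidirectional forms. It models the secret lookup as a separate credential store so that the RADIUS variant is visible: the authenticating side only forwards the node name and the response it received, and the store decides whether they match. The response computation is the CHAP MD5 form used by iSCSI (RFC 1994 algorithm 5: MD5 over identifier, secret and challenge); node names, secrets and challenge bytes below are constructed sample values.

```python
"""CHAP challenge/response as used by iSCSI: an added illustration.

All node names and secrets here are constructed sample values, not
credentials from the Solaris guide or any real array.
"""
import hashlib
import hmac
import secrets


def chap_response(chap_id: int, secret: bytes, challenge: bytes) -> bytes:
    """CHAP with MD5 (RFC 1994 algorithm 5): MD5(Identifier || Secret || Challenge)."""
    if not 0 <= chap_id <= 255:
        raise ValueError("CHAP identifier must fit in one octet")
    return hashlib.md5(bytes([chap_id]) + secret + challenge).digest()


class CredentialStore:
    """Maps node names to CHAP secrets.

    On the target this is the local secret table; with RADIUS the same
    lookup lives on the RADIUS server and the target only forwards
    (node name, identifier, challenge, response) to it.
    """

    def __init__(self, entries):
        self._entries = dict(entries)

    def verify(self, node_name: str, chap_id: int, challenge: bytes, response: bytes) -> bool:
        secret = self._entries.get(node_name)
        if secret is None:
            return False  # unknown node name: never reveal whether it exists
        expected = chap_response(chap_id, secret, challenge)
        return hmac.compare_digest(expected, response)  # constant-time compare


class Authenticator:
    """The side that issues a challenge (the target in unidirectional CHAP)."""

    def __init__(self, store: CredentialStore, challenge_len: int = 16):
        self.store = store
        self.challenge_len = challenge_len

    def challenge(self):
        # Fresh random identifier and challenge for every login attempt;
        # a reused challenge would let a recorded response be replayed.
        return secrets.randbelow(256), secrets.token_bytes(self.challenge_len)

    def check(self, node_name, chap_id, challenge, response) -> bool:
        return self.store.verify(node_name, chap_id, challenge, response)


def unidirectional(claimant_name: str, claimant_secret: bytes,
                   verifier_store: CredentialStore) -> bool:
    """Verifier challenges the claimant; True only if the response matches."""
    verifier = Authenticator(verifier_store)
    chap_id, chal = verifier.challenge()
    # The claimant never sends its secret, only the MD5 response.
    response = chap_response(chap_id, claimant_secret, chal)
    return verifier.check(claimant_name, chap_id, chal, response)


def bidirectional(initiator_name, initiator_secret, initiator_store,
                  target_name, target_secret, target_store) -> bool:
    """Each side authenticates the other; both checks must pass."""
    initiator_ok = unidirectional(initiator_name, initiator_secret, target_store)
    target_ok = unidirectional(target_name, target_secret, initiator_store)
    return initiator_ok and target_ok


# Constructed sample values (hypothetical IQNs and secrets).
INITIATOR_NAME = "iqn.1986-03.com.sun:01:initiator-example"
TARGET_NAME = "iqn.1986-03.com.sun:02:target-example"
INITIATOR_SECRET = b"initiator-secret-example-value"
TARGET_SECRET = b"target-secret-distinct-from-initiator"

# What the target knows (or what the RADIUS server holds on its behalf).
TARGET_STORE = CredentialStore({INITIATOR_NAME: INITIATOR_SECRET})
# What the initiator knows about the target, needed for bidirectional CHAP.
INITIATOR_STORE = CredentialStore({TARGET_NAME: TARGET_SECRET})


if __name__ == "__main__":
    print("unidirectional:", unidirectional(INITIATOR_NAME, INITIATOR_SECRET, TARGET_STORE))
    print("wrong secret:  ", unidirectional(INITIATOR_NAME, b"guess", TARGET_STORE))
    print("bidirectional: ", bidirectional(INITIATOR_NAME, INITIATOR_SECRET, INITIATOR_STORE,
                                           TARGET_NAME, TARGET_SECRET, TARGET_STORE))
```

Two points the code makes explicit that the prose leaves implicit: the secret itself never crosses the network, only a hash that binds it to a fresh challenge, and the two directions of bidirectional CHAP use separate secrets and separate challenges, so proving one direction says nothing about the other.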

For more information about using a third-party RADIUS server, see Using a Third-Party RADIUS Server to Simplify CHAP Management in an iSCSI Configuration.