You can use a third-party RADIUS server to simplify CHAP secret management. A RADIUS server is a centralized authentication service. With bidirectional (mutual) CHAP, you must still configure the initiator's own CHAP secret, but you no longer need to configure every target's CHAP secret on every initiator: the initiator forwards the target's CHAP response to the RADIUS server for verification, so the target secrets are held on the RADIUS server instead of on each initiator.
For more information, see:
This procedure assumes that you are logged in to the local system where you want to securely access the configured iSCSI target device.
Become superuser.
Configure the initiator node with the IP address and port of the RADIUS server (the default RADIUS authentication port is 1812).
For example:
initiator# iscsiadm modify initiator-node --radius-server 10.0.0.72:1812
Configure the initiator node with the shared secret of the RADIUS server. The command prompts for the secret rather than taking it on the command line, so it does not appear in the shell history or process list.
initiator# iscsiadm modify initiator-node --radius-shared-secret
Enter secret:
Re-enter secret:
The Solaris iSCSI implementation requires that the RADIUS server be configured with a shared secret before the Solaris iSCSI software can interact with it. The shared secret is all that authenticates the RADIUS exchange between the initiator and the server, so use a strong, unique secret and make sure the same value is configured on both sides.
Enable the RADIUS server.
initiator# iscsiadm modify initiator-node --radius-access enable
This section describes the error messages that are related to a Solaris iSCSI and RADIUS server configuration, along with potential solutions for recovery.
empty RADIUS shared secret
Cause: The RADIUS server is enabled on the initiator, but the RADIUS shared secret is not set.
Solution: Configure the initiator with the RADIUS shared secret. For more information, see How to Configure RADIUS for Your iSCSI Configuration.
WARNING: RADIUS packet authentication failed
Cause: The initiator failed to authenticate the RADIUS data packet. The initiator checks the Response Authenticator of every reply against the RADIUS shared secret, so this error occurs when the shared secret configured on the initiator node differs from the shared secret on the RADIUS server. The CHAP secret itself is not involved; a wrong CHAP secret produces an authentication rejection, not this warning.
Solution: Reconfigure the initiator with the correct RADIUS shared secret. For more information, see How to Configure RADIUS for Your iSCSI Configuration.
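The following is an added example, not Solaris code or part of this documentation. It models the exchange that the procedure above sets up and that the two error messages come from: the initiator challenges the target, forwards the target's CHAP response to a RADIUS server in an Access-Request (RFC 2865, with CHAP as in RFC 1994), and accepts the Access-Accept or Access-Reject only after checking the Response Authenticator with the RADIUS shared secret. The target name, secrets, packet identifier and function names are constructed for illustration; no network I/O is performed, both sides run in one process.

```python
"""Added example (not Solaris code): RADIUS-backed CHAP verification per RFC 2865 / RFC 1994.
All names, secrets and values are constructed for illustration."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_CHAP_PASSWORD, ATTR_CHAP_CHALLENGE = 1, 3, 60
AUTH_FAILED = "WARNING: RADIUS packet authentication failed"


def encode_attrs(attrs):
    """Serialise [(type, value)] as RADIUS TLVs: Type(1) Length(1, incl. header) Value."""
    out = b""
    for t, v in attrs:
        if len(v) > 253:
            raise ValueError("attribute value too long")
        out += struct.pack("!BB", t, len(v) + 2) + v
    return out


def decode_attrs(data):
    """Inverse of encode_attrs; rejects truncated or zero-length attributes."""
    attrs, i = [], 0
    while i < len(data):
        t, length = struct.unpack("!BB", data[i:i + 2])
        if length < 2 or i + length > len(data):
            raise ValueError("malformed attribute")
        attrs.append((t, data[i + 2:i + length]))
        i += length
    return attrs


def chap_response(ident, secret, challenge):
    """CHAP with MD5 (RFC 1994): MD5(Identifier || secret || challenge)."""
    return hashlib.md5(bytes([ident]) + secret + challenge).digest()


def build_packet(code, ident, authenticator, attrs):
    body = encode_attrs(attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body


def parse_packet(pkt):
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length < 20 or length != len(pkt):
        raise ValueError("bad RADIUS length")
    return code, ident, pkt[4:20], pkt[20:]


def response_authenticator(code, ident, request_auth, attrs_bytes, shared_secret):
    """RFC 2865 section 3: MD5(Code || ID || Length || RequestAuth || Attributes || Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs_bytes))
    return hashlib.md5(header + request_auth + attrs_bytes + shared_secret).digest()


def initiator_build_request(target_name, chap_ident, challenge, chap_resp):
    """Initiator: wrap the target's CHAP response so the RADIUS server can verify it."""
    request_auth = os.urandom(16)  # Request Authenticator: fresh random value per request
    attrs = [(ATTR_USER_NAME, target_name),
             (ATTR_CHAP_PASSWORD, bytes([chap_ident]) + chap_resp),
             (ATTR_CHAP_CHALLENGE, challenge)]
    return build_packet(ACCESS_REQUEST, 0x2A, request_auth, attrs), request_auth


def radius_server_handle(request, shared_secret, chap_secrets):
    """RADIUS server: it, not the initiator, holds each target's CHAP secret."""
    code, ident, request_auth, body = parse_packet(request)
    a = dict(decode_attrs(body))
    name, cp, challenge = a.get(ATTR_USER_NAME), a.get(ATTR_CHAP_PASSWORD), a.get(ATTR_CHAP_CHALLENGE)
    ok = False
    if code == ACCESS_REQUEST and name in chap_secrets and cp and len(cp) == 17 and challenge:
        ok = hmac.compare_digest(chap_response(cp[0], chap_secrets[name], challenge), cp[1:])
    rcode = ACCESS_ACCEPT if ok else ACCESS_REJECT
    return build_packet(rcode, ident, response_authenticator(rcode, ident, request_auth, b"", shared_secret), [])


def initiator_check_response(response, request_auth, shared_secret):
    """Initiator: verify the Response Authenticator before acting on the reply code."""
    code, ident, resp_auth, body = parse_packet(response)
    expected = response_authenticator(code, ident, request_auth, body, shared_secret)
    if not hmac.compare_digest(expected, resp_auth):
        return AUTH_FAILED  # shared-secret mismatch, regardless of the CHAP outcome
    return "accept" if code == ACCESS_ACCEPT else "reject"


def run_exchange(target_name, secret_on_server, secret_used_by_target,
                 initiator_radius_secret, server_radius_secret):
    """End-to-end: initiator challenges the target, asks RADIUS to verify, checks the reply."""
    challenge, chap_ident = os.urandom(16), 7
    resp = chap_response(chap_ident, secret_used_by_target, challenge)  # target side (simulated)
    request, request_auth = initiator_build_request(target_name, chap_ident, challenge, resp)
    reply = radius_server_handle(request, server_radius_secret, {target_name: secret_on_server})
    return initiator_check_response(reply, request_auth, initiator_radius_secret)


if __name__ == "__main__":
    tgt, s = b"iqn.example:target-1", b"target-chap-secret-12"
    print(run_exchange(tgt, s, s, b"radius-key", b"radius-key"))                        # accept
    print(run_exchange(tgt, s, b"wrong-target-secret", b"radius-key", b"radius-key"))   # reject
    print(run_exchange(tgt, s, s, b"radius-key", b"other-key"))                         # WARNING: ...
```

The three calls at the bottom map onto the page: matching secrets give an accept, a target that answers with the wrong CHAP secret is rejected by the RADIUS server (the initiator never saw that secret), and a RADIUS shared secret that differs between initiator and server is reported as a packet authentication failure before the reply code is even considered. Note that the Access-Request itself carries no integrity check in this minimal form; RFC 2865 relies on the shared secret only for the Response Authenticator, which is why the shared secret and the network path to the RADIUS server both need protecting.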