You can use a third-party RADIUS server that acts as a centralized authentication service to simplify CHAP secret key management. With this method, the recommended practice is to use the default CHAP name for each initiator node. In the common case when all initiators are using the default CHAP name, you do not have to create initiator contexts on the target.
This procedure assumes that you are logged in to the local system where you want to securely access the configured iSCSI target device.
The default port is 1812. This configuration is completed once for all iSCSI targets on the target system.
initiator# itadm modify-defaults -r RADIUS-server-IP-address
Enter RADIUS secret: ************
Re-enter secret: ************
initiator# itadm modify-defaults -d
Enter RADIUS secret: ************
Re-enter secret: ************
This configuration can be performed for an individual target or as a default for all targets.
initiator# itadm modify-target -a radius target-iqn
The identity of the target node (for example, its IP address)
The shared secret key that the target node uses to communicate with the RADIUS server
The initiator's CHAP name (for example, its iqn name) and the secret key for each initiator that needs to be authenticated
You can use a third-party RADIUS server that acts as a centralized authentication service to simplify CHAP secret key management. This setup is only useful when the initiator is requesting bidirectional CHAP authentication. You must still specify the initiator's CHAP secret key, but you are not required to specify the CHAP secret key for each target on an initiator when using bidirectional authentication with a RADIUS server. RADIUS can be independently configured on either the initiator or the target. The initiator and the target do not have to use RADIUS.
The default port is 1812.
# iscsiadm modify initiator-node --radius-server ip-address:1812
The RADIUS server must be configured with a shared secret for iSCSI to interact with the server.
# iscsiadm modify initiator-node --radius-shared-secret
Enter secret:
Re-enter secret:
# iscsiadm modify initiator-node --radius-access enable
# iscsiadm modify initiator-node --authentication CHAP
# iscsiadm modify target-param --bi-directional-authentication enable target-iqn
# iscsiadm modify target-param --authentication CHAP target-iqn
The identity of this node (for example, its IP address)
The shared secret key that this node uses to communicate with the RADIUS server
The target's CHAP name (for example, its iqn name) and the secret key for each target that needs to be authenticated
This section describes the error messages that are related to an Oracle Solaris iSCSI and RADIUS server configuration. Potential solutions for recovery are also provided.
empty RADIUS shared secret
Cause: The RADIUS server is enabled on the initiator, but the RADIUS shared secret key is not set.
Solution: Configure the initiator with the RADIUS shared secret key. For more information, see How to Configure a RADIUS Server for Your iSCSI Target.
WARNING: RADIUS packet authentication failed
Cause: The initiator failed to authenticate the RADIUS data packet. This error can occur if the shared secret key that is configured on the initiator node is different from the shared secret key on the RADIUS server.
Solution: Reconfigure the initiator with the correct RADIUS shared secret. For more information, see How to Configure a RADIUS Server for Your iSCSI Target.
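The two checks behind these configuration steps and error messages, as an added example written in Python rather than taken from the Solaris documentation: the RADIUS server recomputes the initiator's CHAP response from the CHAP secret it was configured with (RFC 1994), and the RADIUS client verifies the Response Authenticator of every reply with the shared secret (RFC 2865, section 3), which is the check that fails with "RADIUS packet authentication failed" when the two secrets differ. All secrets, identifiers and packets below are constructed.

```python
import hashlib
import hmac
import os
import struct

# Added example, not from the Solaris documentation. All secrets are constructed.
ACCESS_ACCEPT, ACCESS_REJECT = 2, 3


def chap_response(chap_id, chap_secret, challenge):
    """CHAP response the initiator sends: MD5(id || secret || challenge)."""
    return hashlib.md5(bytes([chap_id]) + chap_secret + challenge).digest()


def radius_server_decide(chap_id, challenge, response, known_secret):
    """Server side: the initiator's CHAP secret must be on the RADIUS server
    (the list on this page) so the expected response can be recomputed."""
    expected = chap_response(chap_id, known_secret, challenge)
    return ACCESS_ACCEPT if hmac.compare_digest(expected, response) else ACCESS_REJECT


def build_reply(code, ident, request_auth, attrs, radius_secret):
    """Reply as the server emits it; the Response Authenticator binds it
    to the request and to the RADIUS shared secret."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    resp_auth = hashlib.md5(header + request_auth + attrs + radius_secret).digest()
    return header + resp_auth + attrs


def verify_reply(packet, request_auth, radius_secret):
    """Client side. False is the condition behind 'RADIUS packet authentication
    failed': the reply is discarded when the two shared secrets differ."""
    if len(packet) < 20 or struct.unpack("!H", packet[2:4])[0] != len(packet):
        return False
    header, resp_auth, attrs = packet[:4], packet[4:20], packet[20:]
    expected = hashlib.md5(header + request_auth + attrs + radius_secret).digest()
    return hmac.compare_digest(expected, resp_auth)


def demo():
    """One exchange: (server accepted, client verified, verified with wrong secret)."""
    chap_secret, radius_secret = b"constructed-chap-secret", b"constructed-radius-secret"
    challenge, request_auth = os.urandom(16), os.urandom(16)
    code = radius_server_decide(7, challenge, chap_response(7, chap_secret, challenge), chap_secret)
    reply = build_reply(code, 0x2A, request_auth, b"", radius_secret)
    return (code == ACCESS_ACCEPT, verify_reply(reply, request_auth, radius_secret),
            verify_reply(reply, request_auth, b"wrong-secret"))
```

The third value returned by `demo()` is False for the same reason the warning above appears: a reply signed with a different shared secret cannot be authenticated, so the client rejects it even though the server accepted the CHAP credentials.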