You can use a third-party RADIUS (Remote Authentication Dial In User Service) server that acts as a centralized authentication service to simplify CHAP key secret management. With this method, the recommended practice is to use the default CHAP name for each initiator node. In the common case, when all initiators are using the default CHAP name, you do not have to create initiator contexts on the target. RADIUS can be independently configured on either the initiator or the target.
This setup is useful only when the initiator is requesting bidirectional CHAP authentication.
For more information, see Using Your Assigned Administrative Rights in Securing Users and Processes in Oracle Solaris 11.3.
The default port is 1812.
# iscsiadm modify initiator-node --radius-server ip-address:1812
# iscsiadm modify initiator-node --radius-shared-secret Enter secret: Re-enter secret
# iscsiadm modify initiator-node --radius-access enable
# iscsiadm modify initiator-node --authentication CHAP # iscsiadm modify target-param --bi-directional-authentication enable target-iqn # iscsiadm modify target-param --authentication CHAP target-iqn
The identity of this node (for example, node IP address)
The shared secret key that the node uses to communicate with the RADIUS server
The CHAP name of a target (for example, iqn name of a target) and the secret key for each target that needs to be authenticated
For more information about how to configure a RADUIS server on an iSCSI target, see How to Configure a RADIUS Server for an iSCSI Target in Managing Devices in Oracle Solaris 11.3.