Managing SAN Devices and Multipathing in Oracle® Solaris 11.3

Updated: March 2018

Using a Third-Party RADIUS Server to Simplify CHAP Management in an iSCSI Configuration

You can use a third-party RADIUS (Remote Authentication Dial In User Service) server that acts as a centralized authentication service to simplify CHAP secret key management. With this method, the recommended practice is to use the default CHAP name for each initiator node. In the common case, when all initiators are using the default CHAP name, you do not have to create initiator contexts on the target. RADIUS can be independently configured on either the initiator or the target.

How to Configure a RADIUS Server for an iSCSI Initiator

This setup is useful only when the initiator is requesting bidirectional CHAP authentication.

  1. Become an administrator.

    For more information, see Using Your Assigned Administrative Rights in Securing Users and Processes in Oracle Solaris 11.3.

  2. Configure the initiator node with the IP address and the port of the RADIUS server.

    The default port is 1812.

    # iscsiadm modify initiator-node --radius-server ip-address:1812

  3. Configure the initiator node with the shared secret key of the RADIUS server so that iSCSI can interact with the server.

    # iscsiadm modify initiator-node --radius-shared-secret
    Enter secret:
    Re-enter secret

  4. Enable the use of the RADIUS server.

    # iscsiadm modify initiator-node --radius-access enable

  5. Set up CHAP bidirectional authentication.

    # iscsiadm modify initiator-node --authentication CHAP
    # iscsiadm modify target-param --bi-directional-authentication enable target-iqn
    # iscsiadm modify target-param --authentication CHAP target-iqn

  6. Configure the RADIUS server with the following information:
    • The identity of this node (for example, node IP address)

    • The shared secret key that the node uses to communicate with the RADIUS server

    • The CHAP name of a target (for example, IQN name of a target) and the secret key for each target that needs to be authenticated

    For more information about how to configure a RADIUS server on an iSCSI target, see How to Configure a RADIUS Server for an iSCSI Target in Managing Devices in Oracle Solaris 11.3.
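
A post-configuration check for the initiator-node settings made in steps 2 through 5, added here as an example and not part of the Oracle documentation. The function name `check_initiator_radius` is hypothetical, the "Label: value" field names are assumed to match the output of `iscsiadm list initiator-node`, and the sample listing and its address are constructed; the per-target settings from step 5 are not checked.

```shell
#!/bin/sh
# Added example: audit the initiator-node settings made in steps 2-5.
# Assumption: the listing uses "Label: value" lines named as in SAMPLE_OK.

# check_initiator_radius EXPECTED_SERVER   (listing is read from stdin)
# Prints one line per finding; returns 0 only when every check passes.
check_initiator_radius() {
    awk -v want="$1" '
    {
        line = $0
        sub(/^[ \t]+/, "", line)
        i = index(line, ":")          # split on the first colon only,
        if (i == 0) next              # because ip:port has its own colon
        key = tolower(substr(line, 1, i - 1))
        val = substr(line, i + 1)
        gsub(/^[ \t]+|[ \t]+$/, "", val)
        seen[key] = val
    }
    END {
        bad = 0
        if (toupper(seen["authentication type"]) != "CHAP") {
            print "FAIL: Authentication Type is [" seen["authentication type"] "], expected CHAP"; bad = 1
        }
        if (seen["radius server"] != want) {
            print "FAIL: RADIUS Server is [" seen["radius server"] "], expected " want; bad = 1
        }
        if (tolower(seen["radius access"]) != "enabled") {
            print "FAIL: RADIUS access is [" seen["radius access"] "], expected enabled"; bad = 1
        }
        if (!bad) print "OK: CHAP with RADIUS access enabled via " want
        exit bad
    }'
}

# Constructed sample listing (not captured from a real host).
SAMPLE_OK='Initiator node name: iqn.1986-03.com.sun:01:example-initiator
Initiator node alias: example-host
        Authentication Type: CHAP
                CHAP Name: iqn.1986-03.com.sun:01:example-initiator
        RADIUS Server: 192.0.2.10:1812
        RADIUS access: enabled
        Configured Sessions: 1'

printf '%s\n' "$SAMPLE_OK" | check_initiator_radius 192.0.2.10:1812
```

On the initiator, pipe the live listing into the function instead of the sample: `iscsiadm list initiator-node | check_initiator_radius ip-address:1812`.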