Oracle® ZFS Storage Appliance Security Guide, Release OS8.8.0

Updated: November 2018

iSCSI Data Service

When you configure a LUN on Oracle ZFS Storage Appliance, you can export that volume over an iSCSI target. The iSCSI service lets iSCSI initiators access targets using the iSCSI protocol.

This service supports discovery, management, and configuration using the iSNS protocol. The iSCSI service supports both unidirectional (target authenticates initiator) and bidirectional (target and initiator authenticate each other) authentication using Challenge-Handshake Authentication Protocol (CHAP). Additionally, the service supports CHAP authentication data management in a Remote Authentication Dial-In User Service (RADIUS) database.

The system first performs authentication and then authorization, in two independent steps. If the initiator entry configured on the appliance has a CHAP name and a CHAP secret, the system performs CHAP authentication. If the entry has no CHAP properties, the system performs no authentication at all, and every initiator that reaches the target proceeds directly to authorization. Because an IQN is asserted by the initiator itself, authorization by initiator group alone does not verify who is connecting; only CHAP does.

The iSCSI service lets you specify a global list of initiators that you can use within the initiator groups. When using iSCSI with CHAP authentication, you can select RADIUS as the CHAP authentication method, which defers all CHAP authentication to the selected RADIUS server.

RADIUS Support

RADIUS is a system for using a centralized server to perform CHAP authentication on behalf of the storage nodes. When you use iSCSI with CHAP authentication, you can select RADIUS for the iSCSI protocol; the setting applies to both iSCSI and the iSCSI Extensions for RDMA (iSER), and sends all CHAP authentications to the selected RADIUS server.

To allow Oracle ZFS Storage Appliance to perform CHAP authentication using RADIUS, the following configuration must agree on the appliance and the RADIUS server:

  • The appliance must specify the address of the RADIUS server and a secret to use when communicating with this RADIUS server.

  • The RADIUS server must have an entry (for example, in its clients file) that gives the address of the appliance and specifies the same secret as above.

  • The RADIUS server must have an entry (for example, in its users file) that supplies the CHAP name and matching CHAP secret for each initiator.

  • If the initiator uses its IQN name as its CHAP name (this is the recommended configuration), the appliance does not need a separate Initiator entry for each initiator host; the RADIUS server can perform all of the authentication steps.

  • If the initiator uses a separate CHAP name, the appliance must have an Initiator entry for that initiator that specifies the mapping from its IQN name to the CHAP name. This Initiator entry does not need to specify the CHAP secret, because the secret is held on the RADIUS server.
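The decision path described in this section (authentication before authorization, IQN-as-CHAP-name versus a mapped CHAP name, and the places where the secrets on the appliance and the RADIUS server must agree) as an added, runnable model. This is example code written for this page, not Oracle code: the RADIUS server, the appliance, the initiator names, addresses and secrets are all constructed stand-ins. The packet layout follows RFC 2865 (User-Name, CHAP-Password, CHAP-Challenge, Response Authenticator) and the CHAP computation follows RFC 1994 as iSCSI uses it (CHAP_A=5); real systems carry these over UDP and iSCSI login PDUs, which the model collapses into function calls.

```python
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3   # RFC 2865 packet codes
USER_NAME, CHAP_PASSWORD, CHAP_CHALLENGE = 1, 3, 60        # RFC 2865 attribute types

def chap_response(ident, secret, challenge):
    """iSCSI CHAP_A=5: MD5(CHAP_I || secret || CHAP_C), RFC 1994 / RFC 7143."""
    return hashlib.md5(bytes([ident]) + secret + challenge).digest()

def pack_attrs(pairs):
    return b"".join(struct.pack("BB", t, len(v) + 2) + v for t, v in pairs)

def parse_attrs(data):
    attrs, i = {}, 0
    while i < len(data):
        t, ln = data[i], data[i + 1]
        attrs[t], i = data[i + 2:i + ln], i + ln
    return attrs

def radius_packet(code, pid, authenticator, attrs_bytes):
    return struct.pack("!BBH", code, pid, 20 + len(attrs_bytes)) + authenticator + attrs_bytes

def response_authenticator(code, pid, request_auth, attrs_bytes, shared_secret):
    """RFC 2865 section 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    hdr = struct.pack("!BBH", code, pid, 20 + len(attrs_bytes))
    return hashlib.md5(hdr + request_auth + attrs_bytes + shared_secret).digest()

class RadiusServer:
    """Stand-in RADIUS server: clients = appliance address -> shared secret, users = CHAP name -> CHAP secret."""
    def __init__(self, clients, users):
        self.clients, self.users = clients, users

    def handle(self, client_addr, packet):
        shared = self.clients.get(client_addr)
        if shared is None:
            return None                                  # unknown client: dropped silently
        pid, req_auth, attrs = packet[1], packet[4:20], parse_attrs(packet[20:])
        name = attrs[USER_NAME].decode()
        ident, resp = attrs[CHAP_PASSWORD][0], attrs[CHAP_PASSWORD][1:]
        secret = self.users.get(name)
        ok = secret is not None and hmac.compare_digest(
            resp, chap_response(ident, secret, attrs[CHAP_CHALLENGE]))
        code = ACCESS_ACCEPT if ok else ACCESS_REJECT
        return radius_packet(code, pid, response_authenticator(code, pid, req_auth, b"", shared), b"")

class Appliance:
    """Target side: authenticate (RADIUS CHAP, local CHAP, or none), then authorize."""
    def __init__(self, addr, initiators, groups, radius=None, radius_secret=b""):
        self.addr, self.initiators, self.groups = addr, initiators, groups
        self.radius, self.radius_secret = radius, radius_secret

    def login(self, iqn, group, chap_name=None, responder=None):
        entry = self.initiators.get(iqn, {})
        ident, challenge = 1, os.urandom(16)
        if self.radius is not None:                      # CHAP deferred to RADIUS
            if chap_name != entry.get("chap_name", iqn): # IQN-as-CHAP-name needs no entry
                return "reject: CHAP name does not match initiator entry"
            req_auth = os.urandom(16)
            attrs = pack_attrs([(USER_NAME, chap_name.encode()),
                                (CHAP_PASSWORD, bytes([ident]) + responder(ident, challenge)),
                                (CHAP_CHALLENGE, challenge)])
            reply = self.radius.handle(self.addr, radius_packet(ACCESS_REQUEST, 7, req_auth, attrs))
            if reply is None:
                return "reject: no RADIUS reply"
            code, pid = reply[0], reply[1]
            if reply[4:20] != response_authenticator(code, pid, req_auth, reply[20:], self.radius_secret):
                return "reject: RADIUS reply fails authenticator check"
            if code != ACCESS_ACCEPT:
                return "reject: RADIUS Access-Reject"
        elif "chap_secret" in entry:                     # local CHAP on the appliance
            expected = chap_response(ident, entry["chap_secret"], challenge)
            if not hmac.compare_digest(responder(ident, challenge), expected):
                return "reject: bad CHAP response"
        # else: the entry has no CHAP properties, so no authentication happens at all
        if iqn not in self.groups.get(group, ()):        # authorization is the separate second step
            return "reject: not in initiator group"
        return "accept"

# Constructed scenario; every name, address and secret below is made up.
HOST1, HOST2 = "iqn.1988-12.com.oracle:host1", "iqn.1988-12.com.oracle:host2"
RADIUS = RadiusServer(clients={"192.0.2.10": b"radius-shared-secret"},
                      users={HOST1: b"host1-chap-secret-0123", "host2-chap": b"host2-chap-secret-4567"})
GROUPS = {"lun-group-a": {HOST1, HOST2}}

def initiator(secret):
    return lambda ident, challenge: chap_response(ident, secret, challenge)

def demo():
    app = Appliance("192.0.2.10", {HOST2: {"chap_name": "host2-chap"}}, GROUPS, RADIUS, b"radius-shared-secret")
    typo = Appliance("192.0.2.10", {}, GROUPS, RADIUS, b"typo-in-shared-secret")
    no_chap = Appliance("192.0.2.10", {}, GROUPS)        # no CHAP properties, no RADIUS
    return {
        "iqn_as_chap_name": app.login(HOST1, "lun-group-a", HOST1, initiator(b"host1-chap-secret-0123")),
        "mapped_chap_name": app.login(HOST2, "lun-group-a", "host2-chap", initiator(b"host2-chap-secret-4567")),
        "unmapped_chap_name": app.login(HOST2, "lun-group-a", HOST2, initiator(b"host2-chap-secret-4567")),
        "wrong_chap_secret": app.login(HOST1, "lun-group-a", HOST1, initiator(b"guess")),
        "not_in_group": app.login(HOST1, "lun-group-b", HOST1, initiator(b"host1-chap-secret-0123")),
        "shared_secret_mismatch": typo.login(HOST1, "lun-group-a", HOST1, initiator(b"host1-chap-secret-0123")),
        "no_chap_authz_only": no_chap.login(HOST1, "lun-group-a"),
    }
```

Two behaviours in the model are worth knowing when troubleshooting a real deployment. First, an Access-Request that carries only CHAP attributes contains nothing the RADIUS server can check against the shared secret, so a mismatched secret is not detected on the request; it surfaces only when the appliance fails to verify the Response Authenticator of the reply, which from the initiator's side looks like an ordinary login failure or timeout. Second, the no_chap case shows that an initiator entry without CHAP properties skips authentication entirely and relies on group membership keyed by a self-asserted IQN.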