You can use the esxcli iscsi adapter auth commands to enable iSCSI authentication.

For information on iSCSI CHAP, see Setting iSCSI CHAP.

1. (Optional) Set the authentication information for CHAP.

esxcli <conn_options> iscsi adapter auth chap set --direction=uni --chap_username=<name> --chap_password=<pwd> --level=[prohibited, discouraged, preferred, required] --secret=<string> --adapter=<adapter_name>

You can set per-target CHAP for static targets, per-adapter CHAP, or apply the command to the discovery address.

Option                Command
Per-adapter CHAP      esxcli iscsi adapter auth chap set
Per-discovery CHAP    esxcli iscsi adapter discovery sendtarget auth chap set
Per-target CHAP       esxcli iscsi adapter target portal auth chap set

The following example sets adapter-level CHAP.

esxcli <conn_options> iscsi adapter auth chap set --direction=uni --chap_username=User1 --chap_password=MySpecialPwd --level=preferred --secret=uni_secret --adapter=vmhba33

2. (Optional) Set the authentication information for mutual CHAP by running esxcli iscsi adapter auth chap set again with the -d option set to mutual and a different authentication user name and secret.

esxcli <conn_options> iscsi adapter auth chap set --direction=mutual --mchap_username=<m_name> --mchap_password=<m_pwd> --level=[prohibited, required] --secret=<string> --adapter=<adapter_name>

For <level>, specify prohibited or required.

Option        Description
prohibited    The host does not use CHAP authentication. If authentication is enabled, specify chapProhibited to disable it.
required      The host requires successful CHAP authentication. The connection fails if CHAP negotiation fails. You can set this value for mutual CHAP only if CHAP is set to chapRequired.

For direction, specify mutual.

Important

You are responsible for making sure that CHAP is set before you set mutual CHAP, and for using compatible levels for CHAP and mutual CHAP. Use a different secret in CHAP and mutual CHAP.
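
The ordering and compatibility rules above, as an added example that is not part of the original documentation: a shell pre-flight check that rejects an inconsistent CHAP / mutual CHAP plan and otherwise prints the two commands in the required order. The function names and the sample values User2 and mutual_secret are assumptions; the command options are the ones shown on this page.

```shell
#!/bin/sh
# Added example: checks the CHAP / mutual CHAP rules from this page before
# printing the two esxcli calls. Function names and values are constructed.

# check_chap_plan UNI_LEVEL UNI_USER UNI_SECRET MUT_LEVEL MUT_USER MUT_SECRET
# Returns 0 when the plan is consistent, 1 (with a reason on stderr) otherwise.
check_chap_plan() {
    uni_level=$1; uni_user=$2; uni_secret=$3
    mut_level=$4; mut_user=$5; mut_secret=$6
    case $uni_level in
        prohibited|discouraged|preferred|required) ;;
        *) echo "invalid CHAP level: $uni_level" >&2; return 1 ;;
    esac
    case $mut_level in
        prohibited|required) ;;
        *) echo "mutual CHAP level must be prohibited or required" >&2; return 1 ;;
    esac
    [ "$mut_level" = required ] || return 0   # nothing further to compare
    if [ "$uni_level" != required ]; then
        echo "mutual CHAP required needs CHAP level required" >&2; return 1
    fi
    if [ "$uni_secret" = "$mut_secret" ]; then
        echo "CHAP and mutual CHAP must use different secrets" >&2; return 1
    fi
    if [ "$uni_user" = "$mut_user" ]; then
        echo "CHAP and mutual CHAP must use different user names" >&2; return 1
    fi
    return 0
}

# print_chap_commands ADAPTER <the six check_chap_plan arguments>
# Prints CHAP first, then mutual CHAP. Passwords and secrets stay as
# placeholders so real values are not echoed to the terminal.
print_chap_commands() {
    adapter=$1; shift
    check_chap_plan "$@" || return 1
    echo "esxcli <conn_options> iscsi adapter auth chap set --direction=uni" \
         "--chap_username=$uni_user --chap_password=<pwd> --level=$uni_level" \
         "--secret=<string> --adapter=$adapter"
    echo "esxcli <conn_options> iscsi adapter auth chap set --direction=mutual" \
         "--mchap_username=$mut_user --mchap_password=<m_pwd> --level=$mut_level" \
         "--secret=<string> --adapter=$adapter"
}

# Constructed sample values, modelled on the adapter-level example above.
print_chap_commands vmhba33 required User1 uni_secret required User2 mutual_secret
```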