Enabling iSCSI Authentication
You can enable iSCSI authentication with ESXCLI or with vicfg-iscsi.
Enabling iSCSI Authentication with ESXCLI
The esxcli iscsi adapter auth commands enable iSCSI authentication. Mutual authentication is supported for software iSCSI and dependent hardware iSCSI, but not for independent hardware iSCSI (see Setting iSCSI CHAP).
1. esxcli <conn_options> iscsi adapter auth chap set --direction=uni --chap_username=<name> --chap_password=<pwd> --level=[prohibited, discouraged, preferred, required] --secret=<string> --adapter=<adapter_name>
You can set per-target CHAP for static targets, per-adapter CHAP, or apply the command to the discovery address.
per-adapter CHAP: esxcli iscsi adapter auth chap set
per-discovery CHAP: esxcli iscsi adapter discovery sendtarget auth chap set
per-target CHAP: esxcli iscsi adapter target portal auth chap set
For example:
esxcli <conn_options> iscsi adapter auth chap set --direction=uni --chap_username=User1 --chap_password=MySpecialPwd --level=preferred --secret=uni_secret --adapter=vmhba33
2. (Optional) Set the authentication information for mutual CHAP by running esxcli iscsi adapter auth chap set again with the -d option set to mutual and a different authentication user name and secret.
esxcli <conn_options> iscsi adapter auth chap set --direction=mutual --mchap_username=<m_name> --mchap_password=<m_pwd> --level=[prohibited, required] --secret=<string> --adapter=<adapter_name>
For <level>, specify prohibited or required.
prohibited – The host does not use CHAP authentication. If authentication is enabled, specify chapProhibited to disable it.
required – The host requires successful CHAP authentication. The connection fails if CHAP negotiation fails. You can set this value for mutual CHAP only if CHAP is set to chapRequired.
For direction, specify mutual.
Important You are responsible for making sure that CHAP is set before you set mutual CHAP, and for using compatible levels for CHAP and mutual CHAP. Use a different secret in CHAP and mutual CHAP.
To enable mutual authentication
1. esxcli <conn_options> iscsi adapter auth chap set --direction=uni --chap_username=<name> --chap_password=<pw> --level=[prohibited, discouraged, preferred, required] --secret=<string> --adapter=<adapter_name>
The specified chap_username and secret must be supported on the storage side.
2. esxcli <conn_options> iscsi logicalnetworkportal list
3. esxcli <conn_options> iscsi adapter auth chap set --direction=mutual --mchap_username=<m_name> --mchap_password=<m_pwd> --level=[prohibited, required] --secret=<string> --adapter=<adapter_name>
The specified mchap_username and secret must be supported on the storage side.
Make sure the following requirements are met.
CHAP and mutual CHAP use different user names and passwords, and the second user name and password must be supported for mutual authentication on the storage side.
4. esxcli <conn_options> iscsi adapter discovery rediscover
esxcli <conn_options> storage core adapter rescan --adapter=vmhba36
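The following POSIX shell wrapper is an added illustration, not VMware's own code or part of this document. It runs the ESXCLI sequence above in order and enforces the constraints this page states before it touches the adapter: one-way CHAP is set before mutual CHAP, the mutual level is prohibited or required (and required only when CHAP itself is required), and CHAP and mutual CHAP use different user names and secrets. It assumes the option names exactly as printed on this page; the dry_run function and the sample credentials are constructed for the example, and by default the script only prints each command with passwords and secrets redacted. Set ESXCLI to the real esxcli binary on the host to apply the commands.

```shell
#!/bin/sh
# Added example, not VMware's own code: wraps the ESXCLI CHAP sequence from
# this page with the checks the "Important" note requires. Assumptions:
# option names exactly as printed on the page; ESXCLI defaults to the dry_run
# function below (constructed here), which prints each command with
# passwords and secrets redacted instead of executing it.

# dry_run: print the would-be command line, redacting *password= and secret=
dry_run() {
  printf '%s\n' "$*" | sed -e 's/password=[^ ]*/password=<redacted>/g' \
                           -e 's/secret=[^ ]*/secret=<redacted>/g'
}
ESXCLI="${ESXCLI:-dry_run}"
CONN_OPTS="${CONN_OPTS:-}"   # e.g. --server=<host> --username=<user>

# chap_levels_compatible CHAP_LEVEL MUTUAL_LEVEL
# Succeeds only for a pair this page allows: the mutual level must be
# prohibited or required, and required only when CHAP itself is required.
chap_levels_compatible() {
  case "$1" in
    prohibited|discouraged|preferred|required) ;;
    *) return 1 ;;
  esac
  case "$2" in
    prohibited) return 0 ;;
    required)   [ "$1" = "required" ] ;;
    *)          return 1 ;;
  esac
}

# secrets_distinct SECRET MUTUAL_SECRET: succeeds when both are set and differ
secrets_distinct() {
  [ -n "$1" ] && [ -n "$2" ] && [ "$1" != "$2" ]
}

# enable_chap ADAPTER USER PASS LEVEL SECRET MUSER MPASS MLEVEL MSECRET
# Validates the inputs, then runs steps 1, 3 and 4 of the ESXCLI procedure.
enable_chap() {
  adapter=$1 user=$2 pass=$3 level=$4 secret=$5
  muser=$6 mpass=$7 mlevel=$8 msecret=$9
  chap_levels_compatible "$level" "$mlevel" ||
    { echo "incompatible CHAP/mutual CHAP levels: $level/$mlevel" >&2; return 2; }
  secrets_distinct "$secret" "$msecret" ||
    { echo "CHAP and mutual CHAP must use different, non-empty secrets" >&2; return 3; }
  [ "$user" != "$muser" ] ||
    { echo "CHAP and mutual CHAP must use different user names" >&2; return 4; }
  # Step 1: one-way CHAP is set first; mutual CHAP builds on it.
  $ESXCLI $CONN_OPTS iscsi adapter auth chap set --direction=uni \
    --chap_username="$user" --chap_password="$pass" --level="$level" \
    --secret="$secret" --adapter="$adapter" || return 5
  # Step 3: mutual CHAP with its own user name and secret.
  $ESXCLI $CONN_OPTS iscsi adapter auth chap set --direction=mutual \
    --mchap_username="$muser" --mchap_password="$mpass" --level="$mlevel" \
    --secret="$msecret" --adapter="$adapter" || return 6
  # Step 4: rediscover targets and rescan the adapter so the change takes effect.
  $ESXCLI $CONN_OPTS iscsi adapter discovery rediscover || return 7
  $ESXCLI $CONN_OPTS storage core adapter rescan --adapter="$adapter"
}

# Constructed sample values (adapter and first user name come from this page's example).
enable_chap vmhba33 User1 MySpecialPwd required uni_secret \
            User2 OtherSpecialPwd required mutual_secret
```

The level check is deliberately strict: a mutual level of required with a one-way level of preferred is rejected up front, because the page states that mutual CHAP can only be required when CHAP is set to chapRequired, and catching that before the first esxcli call avoids leaving the adapter half-configured.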
Enabling iSCSI Authentication with vicfg-iscsi
The vicfg-iscsi -A -c options enable iSCSI authentication. Mutual authentication is supported for software iSCSI and dependent hardware iSCSI, but not for independent hardware iSCSI. See Setting iSCSI CHAP.
To enable mutual authentication
1. vicfg-iscsi <conn_options> -A -c <level> -m <auth_method> -u <auth_u_name> -w <chap_password> [-i <stor_ip_addr|stor_hostname> [:<portnum>] [-n <iscsi_name>]] <adapter_name>
The specified user name and password must be supported on the storage side.
2. vicfg-iscsi <conn_options> -A -c <level> -m <auth_method> -b -u <ma_username> -w <ma_password> [-i <stor_ip_addr|stor_hostname> [:<portnum>] [-n <iscsi_name>]] <adapter_name>
Make sure the following requirements are met.
CHAP and mutual CHAP use different user names and passwords, and the second user name and password must be supported for mutual authentication on the storage side.
3