Connecting a CHAP-Enabled Volume on a Dell™ EqualLogic™ PS Series Array


A Dell Technical White Paper

Gong Wang

Next Generation Computing Solutions


Connecting an iSCSI Volume with CHAP Authentication

THIS WHITE PAPER IS FOR INFORMATIONAL PURPOSES ONLY, AND MAY CONTAIN TYPOGRAPHICAL
ERRORS AND TECHNICAL INACCURACIES. THE CONTENT IS PROVIDED AS IS, WITHOUT EXPRESS OR
IMPLIED WARRANTIES OF ANY KIND.

© 2011 Dell Inc. All rights reserved. Reproduction of this material, in any manner whatsoever, without
the express written permission of Dell Inc, is strictly forbidden. For more information, contact Dell Inc.

Dell, the DELL logo, the DELL badge, PowerVault, and Dell EqualLogic, are trademarks of Dell Inc.
Microsoft, Windows, and Windows Server are either trademarks or registered trademarks of Microsoft
Corporation in the United States and/or other countries. Other trademarks and trade names may be
used in this document to refer to either the entities claiming the marks and names or their products.
Dell Inc. disclaims any proprietary interest in trademarks and trade names other than its own.

July 2011

Contents
Introduction
One-way CHAP Authentication
Mutual CHAP Authentication

Figures
Figure 1. Connect iSCSI Volumes with CHAP Authentication
Figure 2. Create a Local CHAP Account
Figure 3. Create an Access Control Record using CHAP authentication
Figure 4. Enter the CHAP authentication in iSCSI Initiator
Figure 5. Configure iSCSI Initiator’s Mutual CHAP Secret
Figure 6. Configure the Target Authentication

Introduction [1]
Using Microsoft® iSCSI Initiator, a user can connect a host computer to an external iSCSI-based storage
array through an Ethernet network adapter. Microsoft iSCSI Initiator is installed natively on Microsoft
Windows Server® 2008 R2, Windows® 7, Windows Server 2008, and Windows Vista. No additional
installation steps are required on these Windows operating systems. In general, Microsoft iSCSI Initiator
interacts with its target portals (also called discovery portals), which are Dell™ EqualLogic™ PS series
storage arrays in this paper. The user manually configures the initiator’s target portals by specifying
the IP address and port of the PS array to discover targets or volumes on that portal. Given a list of
target portals, an iSCSI Initiator can discover their volumes and report them to the user. The user can
then connect the host computer to the desired volumes.

Microsoft iSCSI Initiator supports Challenge-Handshake Authentication Protocol (CHAP) as one of its
security mechanisms. CHAP is a protocol that is used to authenticate the peer of a connection and it
can protect the volumes on the storage array from being accessed without authorization. CHAP
requires that both the initiator and its target know the secret (the password). Microsoft iSCSI Initiator
supports one-way or mutual CHAP. Each target can have its own unique CHAP secret for one-way CHAP
authentication, and the initiator has a single secret for mutual CHAP with all targets. When CHAP is
enabled on the volumes on a storage array, the initiator needs to specify the CHAP credentials for
connecting to these volumes. The initiator also needs to specify the CHAP credentials for discovering
these volumes if the storage array is configured to prevent unauthorized hosts from discovering
the protected volumes.
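
The one-way and mutual exchanges described above can be followed end to end in a short simulation. This is an added example, not code from the white paper, Dell or Microsoft: it computes the response as RFC 1994 defines it for CHAP with MD5 and runs the login in one direction or both. The `Peer` class, the `login` function, the account names and the secrets are constructed for illustration.

```python
import hashlib
import hmac
import os


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 CHAP with MD5: hash of identifier octet, secret, challenge."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


class Peer:
    """One side of a login; `accounts` maps the peer names it accepts to secrets."""

    def __init__(self, name, own_secret, accounts):
        self.name, self.own_secret, self.accounts = name, own_secret, accounts

    def challenge(self):
        # Fresh identifier and random challenge for every attempt
        return os.urandom(1)[0], os.urandom(16)

    def respond(self, identifier, challenge):
        # The secret itself never crosses the wire, only the hash
        return self.name, chap_response(identifier, self.own_secret, challenge)

    def verify(self, identifier, challenge, name, response):
        secret = self.accounts.get(name)  # exact, case-sensitive lookup
        if secret is None:
            return False
        expected = chap_response(identifier, secret, challenge)
        return hmac.compare_digest(expected, response)


def login(initiator, target, mutual=False):
    """Return True only if every required direction authenticates."""
    ident, chal = target.challenge()  # one-way: target challenges initiator
    if not target.verify(ident, chal, *initiator.respond(ident, chal)):
        return False
    if mutual:  # mutual: initiator also challenges the target
        ident, chal = initiator.challenge()
        return initiator.verify(ident, chal, *target.respond(ident, chal))
    return True


# Constructed sample values (not from the paper): a local CHAP account on the
# array and a target authentication secret equal to the initiator's mutual secret.
ARRAY = Peer("target-auth", b"Mutual-Secret-0001", {"CHAPUser1": b"Volume-Secret-01"})
HOST = Peer("CHAPUser1", b"Volume-Secret-01", {"target-auth": b"Mutual-Secret-0001"})
```

`login(HOST, ARRAY)` and `login(HOST, ARRAY, mutual=True)` both succeed; a mutual login fails as soon as the target's secret differs from the one the initiator holds, even though the one-way login still passes.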

This paper describes how to configure a one-way CHAP authentication-enabled iSCSI volume on a Dell
EqualLogic PS Series Array and how to use Microsoft iSCSI Initiator to connect to this volume in
Windows Server 2008 R2 (including SP1). This paper also describes how to set up a mutual CHAP
authentication between a Dell EqualLogic PS Series Array and Windows Server 2008 R2.

One-way CHAP Authentication


Figure 1 illustrates the configuration of two iSCSI initiators being connected to multiple targets with
CHAP authentication enabled. To create a CHAP-enabled volume, create a CHAP user account locally
on an EqualLogic PS Group, and then apply an Access Control List (ACL) referencing the CHAP username
to the desired volume. To access the CHAP-enabled volume, the iSCSI initiator needs to use the same
CHAP credentials. In addition, the CHAP-enabled volumes can be restricted to the iSCSI initiators that
use the same CHAP credentials. Without using the proper CHAP credentials, the initiators cannot
discover these volumes.

[1] We’d like to acknowledge Doug Washabaugh and Jason Shamberger from the Dell EqualLogic Software
Engineering group, and Robert Segurson and Richard Karcich from the Dell PowerVault™ Storage Engineering
group, for their help on this paper.

Figure 1. Connect iSCSI Volumes with CHAP Authentication

Notes:
• Microsoft iSCSI Initiator uses only one CHAP credential when configuring a target portal (PS
group) for discovery. If a PS administrator enables the iSCSI Discovery Filter for the PS group
(as described in Step 3 below), then all the volumes on that PS group must use the same CHAP
credentials in order to be discovered and connected by the same initiator. (If the Host
Integration Toolkit (HIT) is being used to create application consistent Smart Copies, its
management traffic is sent via the Volume Shadow Copy Service (VSS)-control iSCSI target.
Access to this VSS-control target must also use the same CHAP credentials that the rest of the
iSCSI volumes are using.) The initiator must be able to discover the volume first before it can
connect to the volume. See the two volumes in PS Group 2 shown in Figure 1.
• If a PS administrator does not enable the iSCSI Discovery Filter, an initiator can connect to
volumes with different CHAP credentials. In this case, a single initiator can connect to both
volumes in PS1 as long as the initiator provides the proper CHAP credentials when connecting
each protected volume.
• Initiator A is currently connected to PS2-Volume2 using the CHAPUser3 credentials. Using the
same credentials, Initiator B can also connect to PS2-Volume2 at the same time if this volume
is configured to allow simultaneous connections from initiators with different iSCSI Qualified
Names (IQNs). PS2-Volume1 is configured with this setting. To prevent possible data corruption,
connecting multiple initiators to the same volume requires that the initiators run some high-level
coordination, such as a cluster file system.
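
The discovery constraint in the notes above can be checked before any ACL is created. The following added example is not from the white paper; the function name, data layout and sample values are constructed. It flags an initiator that would need more than one CHAP user on a PS group with the iSCSI Discovery Filter enabled, and also applies the 12-character minimum this paper gives for Microsoft iSCSI Initiator secrets.

```python
from collections import defaultdict

MIN_SECRET_LEN = 12  # minimum the paper gives for Microsoft iSCSI Initiator


def check_plan(groups, accounts, assignments):
    """Return a list of findings for a planned CHAP layout.

    groups:      {group: discovery_filter_enabled}
    accounts:    {(group, chap_user): secret}
    assignments: [(initiator, group, volume, chap_user), ...]
    """
    findings = []
    for (group, user), secret in sorted(accounts.items()):
        if len(secret) < MIN_SECRET_LEN:
            findings.append(f"{group}/{user}: secret under {MIN_SECRET_LEN} characters")

    users = defaultdict(set)  # (initiator, group) -> CHAP users it would need
    for initiator, group, volume, user in assignments:
        if (group, user) not in accounts:
            findings.append(f"{group}/{volume}: ACL names unknown CHAP user {user}")
        users[(initiator, group)].add(user)

    # One discovery credential per target portal: with the filter on, volumes
    # under any other CHAP user are not discovered by that initiator.
    for (initiator, group), needed in sorted(users.items()):
        if groups[group] and len(needed) > 1:
            findings.append(
                f"{initiator} on {group}: discovery filter on but volumes use "
                f"{len(needed)} CHAP users ({', '.join(sorted(needed))})"
            )
    return findings


# Constructed sample layout, loosely following Figure 1 (all values invented).
GROUPS = {"PS1": False, "PS2": True}
ACCOUNTS = {
    ("PS1", "CHAPUser1"): "Secret-For-Vol-1",
    ("PS1", "CHAPUser2"): "Secret-For-Vol-2",
    ("PS2", "CHAPUser3"): "Secret-For-PS2-1",
}
PLAN = [
    ("InitiatorA", "PS1", "PS1-Volume1", "CHAPUser1"),
    ("InitiatorA", "PS1", "PS1-Volume2", "CHAPUser2"),
    ("InitiatorA", "PS2", "PS2-Volume1", "CHAPUser3"),
    ("InitiatorA", "PS2", "PS2-Volume2", "CHAPUser3"),
]
```

The sample layout passes because PS1, where the two volumes use different CHAP users, has the filter off; turning the filter on for PS1 produces a finding for InitiatorA.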

The following section walks through the steps required to perform the configuration described above.

1. Follow these instructions provided by the Dell EqualLogic Online Help to create a local CHAP
account. One way to do this is through the GUI. Log into the EqualLogic Group Manager, and
create a local CHAP account for the iSCSI Initiator authentication (Figure 2).
Note: Microsoft iSCSI Initiator requires the CHAP password/secret be set using at least
12 characters (alphanumeric and special characters). PS group manager does not
enforce this requirement.

Figure 2. Create a Local CHAP Account

2. Add the CHAP authentication requirement for the desired volume(s). Follow these instructions
to create an ACL with CHAP authorization for this volume. Use the same CHAP username as
that specified in the previous step. (Figure 3)
Note: To increase security, CHAP credentials can be combined with the initiator name
and IP address in the ACL.

Figure 3. Create an Access Control Record using CHAP authentication

3. (Optional) Enable iSCSI Discovery Filter by checking Prevent Unauthorized hosts from
discovering targets on the iSCSI tab in the Group Configuration panel. This enablement
restricts discovery of the volumes to initiators that have the same CHAP credentials.
Notes:
• Without enabling iSCSI Discovery Filter, by default, an initiator can discover all the
targets including the ones protected by CHAP, even if the initiators do not have the
access credentials. This results in a larger list of discovered targets, including targets
the initiator is not authorized to connect to.
• When iSCSI Discovery Filter is enabled on a PS group, all the CHAP-enabled volumes in
that PS group designated for a single initiator must use the same CHAP credentials.
4. Use Microsoft iSCSI Initiator in Windows Server 2008 R2 to connect to the CHAP-enabled volume
by taking the following steps:
a. Open iSCSI Initiator by clicking Start, All Programs, Administrative Tools and iSCSI
Initiator.
b. At the iSCSI Initiator Properties window, open the Discovery panel, and then click
Discovery Portal. (Note: If iSCSI Discovery Filter is not enabled on the target PS group
as described in Step 3, skip this step and jump to Step f.)
c. At the Discover Target Portal window, enter the IP address or DNS name of your
EqualLogic PS group (change the default port number if needed), and then click
Advanced.
d. At the Advanced Settings window, select Microsoft iSCSI Initiator for local adapter, and
select the IP address for iSCSI/SAN network. Then check Enable CHAP log on, enter the
local CHAP account user name from step 1 in the Name field, and the password in the
Target secret field. Uncheck Perform mutual authentication unless additional
configuration steps are taken, as described in the next section on mutual
authentication. Click OK to close the Advanced Settings window.
Notes:
• By default, the IQN for the local system is displayed in the Name field; replace
it with the username of the CHAP account being used on the desired volume(s).
• Both the username and password for the CHAP account are case-sensitive.

Figure 4. Enter the CHAP authentication in iSCSI Initiator

e. Click OK to close the Discover Target Portal window.
f. Go to the Target panel at the iSCSI Initiator Properties window. The CHAP-enabled
volume(s) is listed in the Discovered targets; click Connect. (If Steps b-e are skipped,
enter the IP address or DNS name of the EqualLogic PS array group, click Quick
Connect, then select the volume and click Connect.)
g. At the Connect to Target window, click Advanced. Use the same settings as in Step 4d
in the Advanced Settings window. The CHAP-enabled volume is now connected.
Click OK to close the iSCSI Initiator Properties window.

Mutual CHAP Authentication


Microsoft iSCSI Initiator supports using both the EqualLogic PS group’s local CHAP account and its target
authentication account for mutual authentication. Take the following steps to set up mutual
authentication.

1. Set the initiator CHAP secret for use with mutual CHAP with the following steps:
a. Open the Microsoft iSCSI Initiator.
b. At the iSCSI Initiator Properties window, open the Configuration panel, and click CHAP.
c. At the iSCSI Initiator Mutual CHAP Secret pop-up window, enter the CHAP
secret/password you plan to use.
Note: Microsoft iSCSI Initiator requires the CHAP password/secret use at least
12 characters (96 bits).

Figure 5. Configure iSCSI Initiator’s Mutual CHAP Secret

2. Modify the target authentication account on the EqualLogic PS array. Open the EqualLogic
Group Manager, and follow these instructions to modify the password for iSCSI Target
Authentication. Ensure it uses the same Mutual CHAP secret as used in the Microsoft iSCSI
Initiator.
Note: When connecting more than one PS group using mutual authentication, ensure
the target authentication accounts’ passwords are set to the same one as the initiator’s
password on all the PS groups.

Figure 6. Configure the Target Authentication

3. Repeat the steps as illustrated in the previous section for one-way CHAP authentication with
one exception in Step 4d: check Perform mutual authentication this time.

The CHAP-enabled volume is now connected with mutual CHAP authentication.

Whether using mutual authentication or not, after a CHAP-enabled volume is connected, use the Disk
Management tool to continue its deployment and utilization in the Windows operating system.
