
PS Series Array

Using CHAP to Restrict Access to Volumes


Copyright 2004 EqualLogic, Inc.

July 2004

EqualLogic is a registered trademark and PS Series is a trademark of EqualLogic, Inc.

All trademarks and registered trademarks mentioned herein are the property of their respective owners.

Possession, use, or copying of the documentation or the software described in this publication is authorized
only under the license agreement specified herein.

EqualLogic, Inc. will not be held liable for technical or editorial errors or omissions contained herein. The
information in this document is subject to change.

ii EqualLogic Confidential
Table of Contents
Restricting Host Access to Volumes and Snapshots .... 1
Understanding CHAP Authentication .... 1
Understanding Access Control Records .... 2
How Initiator Authentication Works .... 4
How Target Authentication Works .... 4
Configuring Initiator Authentication .... 5
    Configuring Local CHAP Accounts .... 5
    Specifying an External RADIUS Server .... 7
    Creating an Access Control Record That Uses CHAP .... 8
Configuring Target Authentication .... 10
Logging in to Volumes .... 11
More Information .... 11
Customer Support .... 11



Restricting Host Access to Volumes and Snapshots
This document describes how to use Challenge Handshake Authentication Protocol (CHAP)
initiator authentication and access control records to control which hosts (iSCSI initiators) can
access a volume or snapshot (iSCSI target). It also describes how to use CHAP target
authentication. Together, target and initiator authentication provide mutual authentication between
targets and initiators.

This authentication process not only adds another level of security but also prevents multiple hosts
from inadvertently and simultaneously accessing the same volume.

CHAP is a network login protocol that uses a challenge-response mechanism. CHAP can facilitate
volume access control management because it restricts target access through user names and
passwords, instead of IP addresses or iSCSI initiator names, which are hardware dependent. CHAP
does not depend on specific hardware; therefore, it can be useful in cluster and multi-path I/O
configurations and can also simplify servicing.

Understanding CHAP Authentication


The iSCSI protocol supports two levels of CHAP authentication:

- Initiator authentication. The iSCSI initiator is authenticated by the iSCSI target. When an
initiator tries to connect to a target (manually or through discovery), it provides a user name
and password to the target. Some implementations refer to the password as a secret. The
user name does not necessarily refer to a person and may be called the CHAP account name.

The target checks whether the supplied user name matches an entry in an access control record
for the volume. If a match exists, a check is performed to determine if the user name and
password combination matches an entry in a CHAP database. If they match, based on the
hashing algorithm, the initiator can connect to the target. See Understanding Access Control
Records for more information about how access control records are used.

You can implement a CHAP database in one of two ways:

  - Local CHAP accounts configured in the PS Series group. Local CHAP is not dependent
  on any external system and is easy to deploy if you have few accounts to maintain. See
  Configuring Local CHAP Accounts for more information.

  - External RADIUS server whose IP address is known to the group. An external RADIUS
  server is beneficial if you are managing a large number of CHAP user names and
  passwords. However, the availability of the server will affect host access. You can
  configure the group to use multiple RADIUS servers for high availability. See Specifying
  an External RADIUS Server for more information.

- Target authentication. The iSCSI target is authenticated by the iSCSI initiator. When an
initiator tries to connect to a target, the target provides a user name and password to the
initiator. The initiator compares the supplied user name and password to information it holds.
If they match, based on the hashing algorithm, the initiator can connect to the target.

Target authentication on the PS Series group side is always enabled, although you can modify
the password and account name as needed. The iSCSI initiator determines whether target
authentication is enforced. See Configuring Target Authentication for more information.

Initiator authentication can be implemented without target authentication; however, target
authentication can be implemented only if initiator authentication is implemented. When used
together, initiator and target authentication provide mutual authentication; that is, the initiator and
the target authenticate each other.

Understanding Access Control Records


Access control records are used to restrict access to volumes and snapshots. A volume and its
snapshots share a list of access control records, each of which you can configure to apply to the
volume, its snapshots, or both.

An initiator must meet all the conditions specified in any one access control record in order to gain
access to the volume (or snapshot). Conditions can include one or more of the following:

- IP address. The initiator's IP address must match the address in the access control record.
- Initiator name. The initiator's name must match the name in the access control record.
- CHAP user name. The initiator must supply a CHAP user name and password when
connecting to the volume, and the supplied user name must match the user name in the access
control record. Also, the supplied user name and password must match an entry in a CHAP
database.

You can create an access control record for a volume when you create it. You can create multiple
access control records after the volume is created. If there are no access control records for a
volume, no access to the volume is allowed.

When an initiator attempts to log in to a volume, the PS Series group compares the initiator's IP
address, name, and supplied CHAP user name and password, if any, to each of the access control
records applicable to the volume. Access to the volume is granted only if the initiator meets all the
conditions in one record.

You can set up additional access control records (up to sixteen) to accommodate a variety of access
scenarios. For example, if you wanted to allow two hosts access to a volume, create two access
control records for the volume. In one record, specify conditions that the first host can meet. In the
other record, specify conditions that the second host can meet.
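The evaluation rule above (every condition within one record must be met, any one record is enough, no records means no access, at most sixteen records, and each record applying to the volume, its snapshots, or both) is easy to get wrong when reasoning about a multi-host setup. The following Python model is an added example written for this document; it is not EqualLogic code and does not reproduce the group's actual implementation. The CHAP database, host names, IQNs and addresses are constructed sample values.

```python
import hmac
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed stand-in for the CHAP database (local CHAP accounts in the group, or
# what an external RADIUS server would check): user name -> password. Sample values.
CHAP_DB: Dict[str, str] = {
    "dbhost1": "Secret-for-dbhost1-4Q7p",
    "dbhost2": "Secret-for-dbhost2-9Zk2",
}

MAX_RECORDS = 16  # the document states a volume can hold up to sixteen records


@dataclass
class AccessControlRecord:
    """One access control record. A condition left at None is not required."""
    ip_address: Optional[str] = None
    initiator_name: Optional[str] = None
    chap_user: Optional[str] = None
    applies_to_volume: bool = True
    applies_to_snapshots: bool = True


@dataclass
class LoginAttempt:
    """What the group sees when an initiator logs in to a volume or one of its snapshots."""
    ip_address: str
    initiator_name: str
    chap_user: Optional[str] = None
    chap_password: Optional[str] = None
    target_is_snapshot: bool = False


def _chap_credentials_valid(user: str, password: Optional[str], chap_db: Dict[str, str]) -> bool:
    """The supplied user name and password must match an entry in the CHAP database."""
    stored = chap_db.get(user)
    if stored is None or password is None:
        return False
    # Constant-time comparison so a mismatch does not leak how many characters matched.
    return hmac.compare_digest(stored.encode(), password.encode())


def record_matches(rec: AccessControlRecord, attempt: LoginAttempt, chap_db: Dict[str, str]) -> bool:
    """True only if the attempt satisfies every condition in this single record."""
    # The record must apply to the kind of target being opened (volume or snapshot).
    if attempt.target_is_snapshot and not rec.applies_to_snapshots:
        return False
    if not attempt.target_is_snapshot and not rec.applies_to_volume:
        return False
    # IP address condition: exact match after normalising both addresses.
    if rec.ip_address is not None and \
            ipaddress.ip_address(rec.ip_address) != ipaddress.ip_address(attempt.ip_address):
        return False
    # Initiator name condition.
    if rec.initiator_name is not None and rec.initiator_name != attempt.initiator_name:
        return False
    # CHAP condition: the supplied user name must equal the one in the record AND the
    # user name/password pair must exist in the CHAP database.
    if rec.chap_user is not None:
        if attempt.chap_user != rec.chap_user:
            return False
        if not _chap_credentials_valid(attempt.chap_user, attempt.chap_password, chap_db):
            return False
    return True


def access_allowed(records: List[AccessControlRecord], attempt: LoginAttempt,
                   chap_db: Dict[str, str] = CHAP_DB) -> bool:
    """Access is granted if ANY record is fully satisfied; no records means no access."""
    if len(records) > MAX_RECORDS:
        raise ValueError(f"a volume holds at most {MAX_RECORDS} access control records")
    if not records:
        return False
    return any(record_matches(rec, attempt, chap_db) for rec in records)


if __name__ == "__main__":
    # Two hosts, two records (constructed): host A by IP plus CHAP; host B by CHAP only, volume only.
    records = [
        AccessControlRecord(ip_address="10.10.5.21", chap_user="dbhost1"),
        AccessControlRecord(chap_user="dbhost2", applies_to_snapshots=False),
    ]
    host_a = LoginAttempt("10.10.5.21", "iqn.2004-07.example:hosta", "dbhost1", CHAP_DB["dbhost1"])
    print("host A opens the volume:", access_allowed(records, host_a))
    # Valid account, matching IP, but no single record is satisfied for a snapshot.
    mixed = LoginAttempt("10.10.5.21", "iqn.2004-07.example:hostb", "dbhost2",
                         CHAP_DB["dbhost2"], target_is_snapshot=True)
    print("host B opens a snapshot:", access_allowed(records, mixed))
```

The second call in the demonstration is the case worth remembering: a host with a perfectly valid CHAP account is still refused because its combination of target type, address and user name does not satisfy all the conditions of any one record.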

The following flowchart describes how a single access control record can be used to restrict host
access to a volume. The flowchart assumes that target authentication is not configured.

[Flowchart not reproduced] Using an Access Control Record to Restrict Volume Access
How Initiator Authentication Works
CHAP initiator authentication in a PS Series group proceeds as follows:

1. An initiator attempts to log in (connect) to the target, specifying a CHAP user name and
password. The information must match a CHAP account configured in the group or on an
external RADIUS server.

For example, if you are using the Microsoft iSCSI initiator, specify the CHAP user name and
password (target secret) in the Advanced Settings dialog box.

2. The target sends a unique challenge to the initiator. A challenge is simply a random value
chosen by the target.

3. The initiator combines the challenge with the password and then processes it using a one-way
secure hash function. The initiator then sends the hash result and the user name to the target.

4. The target checks if the user name matches an entry in an access control record for the volume.

5. If there is no matching user name entry in an access control record, access is denied.

If a match exists, the target or the external RADIUS server, depending on your configuration,
checks if the user name matches an entry in the CHAP database.

6. If there is no matching user name entry in the CHAP database, access is denied.

If a match exists, the target or the external RADIUS server repeats the hash process using the
challenge and the password (secret) in the database.

7. If the hash result matches the result supplied by the initiator, the target receives a True
response (allow access). If not, the target receives a False response (do not allow access).

8. The target sends the initiator a success (initiator can access target) or failure response (initiator
cannot access target).

How Target Authentication Works


CHAP target authentication in a PS Series group proceeds as follows:

1. Using the iSCSI initiator's configuration utility, an administrator enables target authentication
on the iSCSI initiator. The information must match the target authentication user name and
password configured in the PS Series group.

If you are using the Microsoft iSCSI initiator, only specify the target authentication password
(secret) in the Initiator Settings dialog box. The user name is not needed.

2. The initiator attempts to log in (connect) to a target and sends a unique challenge to the target.

3. The target combines the challenge with the group's target authentication password and then
processes it using a one-way secure hash function. The target then sends the hash result and
the user name to the initiator.

4. The initiator repeats the hash process, using the challenge and the target authentication
password held by the initiator.

5. If the hash result matches the result supplied by the target, the initiator sends the target a
success (target can be accessed by the initiator).

If no match exists, the initiator sends the target a failure response (target cannot be accessed by
the initiator).
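The two procedures above (How Initiator Authentication Works and How Target Authentication Works) are the same challenge-response computation run in each direction. The Python below is an added example written for this document, not EqualLogic code: it models both sides of a login with CHAP as defined in RFC 1994 (response = MD5 of identifier, secret and challenge; MD5 is what that protocol specifies, not a choice made here). The access control record check is reduced to a set of permitted CHAP user names, and every account name and secret is a constructed sample value.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Optional, Set, Tuple


def chap_response(ident: int, secret: bytes, challenge: bytes) -> bytes:
    """CHAP response per RFC 1994: MD5(identifier || secret || challenge)."""
    return hashlib.md5(bytes([ident & 0xFF]) + secret + challenge).digest()


def new_challenge() -> Tuple[int, bytes]:
    """A fresh random identifier and challenge for every login attempt (never reused)."""
    return secrets.randbelow(256), secrets.token_bytes(16)


class Target:
    """The volume side (the PS Series group). All account data is constructed."""

    def __init__(self, acr_users: Set[str], chap_db: Dict[str, bytes],
                 target_user: str, target_secret: bytes) -> None:
        self.acr_users = acr_users        # CHAP user names named in the volume's access control records
        self.chap_db = chap_db            # local CHAP accounts (a RADIUS server would hold these instead)
        self.target_user = target_user    # the group's target authentication account name
        self.target_secret = target_secret

    def verify_initiator(self, ident: int, challenge: bytes, user: str, response: bytes) -> bool:
        # Initiator authentication steps 4-5: the user name must be in an access control record.
        if user not in self.acr_users:
            return False
        # Step 6: the user name must also exist in the CHAP database.
        secret = self.chap_db.get(user)
        if secret is None:
            return False
        # Step 7: repeat the hash with the stored secret and compare in constant time.
        return hmac.compare_digest(chap_response(ident, secret, challenge), response)

    def answer_challenge(self, ident: int, challenge: bytes) -> Tuple[str, bytes]:
        # Target authentication step 3: hash the initiator's challenge with the group's target secret.
        return self.target_user, chap_response(ident, self.target_secret, challenge)


class Initiator:
    """The host side. target_secret=None means target authentication is not enforced."""

    def __init__(self, user: str, secret: bytes, target_secret: Optional[bytes] = None) -> None:
        self.user, self.secret, self.target_secret = user, secret, target_secret

    def respond(self, ident: int, challenge: bytes) -> Tuple[str, bytes]:
        # Initiator authentication step 3: the password itself never leaves the host.
        return self.user, chap_response(ident, self.secret, challenge)

    def verify_target(self, ident: int, challenge: bytes, response: bytes) -> bool:
        # Target authentication steps 4-5.
        return hmac.compare_digest(chap_response(ident, self.target_secret, challenge), response)


def login(initiator: Initiator, target: Target) -> Tuple[bool, Optional[bool]]:
    """Run one login. Returns (initiator authenticated, target authenticated); the second
    value is None when the initiator does not enforce target authentication."""
    ident, challenge = new_challenge()                        # step 2: target -> initiator
    user, response = initiator.respond(ident, challenge)      # step 3: initiator -> target
    if not target.verify_initiator(ident, challenge, user, response):
        return False, None                                    # step 8: failure response
    if initiator.target_secret is None:
        return True, None
    # Target authentication runs only after initiator authentication has succeeded,
    # which is why it cannot be deployed on its own.
    t_ident, t_challenge = new_challenge()                    # initiator -> target
    _name, t_response = target.answer_challenge(t_ident, t_challenge)
    return True, initiator.verify_target(t_ident, t_challenge, t_response)


if __name__ == "__main__":
    # Constructed group: one volume record naming "dbhost1", a spare account with no record.
    group = Target({"dbhost1"}, {"dbhost1": b"Secret-for-dbhost1-4Q7p", "spare": b"Secret-spare-1"},
                   "grpchapuser", b"TargetSecret-3f8Qx2")
    print("mutual auth:", login(Initiator("dbhost1", b"Secret-for-dbhost1-4Q7p", b"TargetSecret-3f8Qx2"), group))
    print("no record for user:", login(Initiator("spare", b"Secret-spare-1"), group))
```

Two outcomes of the demonstration map directly onto the text: an account that exists in the CHAP database but is not named in any access control record is refused at step 5, and a host whose target secret is stale authenticates successfully as an initiator yet reports the target as not authenticated, which is the case an administrator sees after changing the target account without updating the initiator.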

Configuring Initiator Authentication


The following sections show how to configure CHAP initiator authentication in a PS Series group.
They describe the two implementation options:

- Configuring local CHAP accounts in a group

- Specifying an external RADIUS server for the group

Also discussed is how to create an access control record that restricts access to a volume through
CHAP initiator authentication.

Configuring Local CHAP Accounts

To configure local CHAP accounts (CHAP user name and password combinations) for CHAP
initiator authentication, click:

Group Configuration > CHAP tab

The Group CHAP window appears. The following window shows three accounts in the group:

Adding a local CHAP account.

In the Local CHAP panel, select the checkbox next to Enable local CHAP server and then
click Add. The Add CHAP User dialog box appears, as shown next.

Add CHAP User Dialog Box

Specify a CHAP user name and password. If you leave the password field blank, a password will
be generated automatically.

Note: For optimal security, passwords used in CHAP authentication should contain at least 12
characters (preferably random). Individual initiators may have their own rules and
restrictions for length and format. Consult their documentation for details.

By default, the CHAP account is enabled. To disable the account, de-select the checkbox next to
Enable CHAP account. You can later enable the account to activate it. Click OK to create the
account.

After creating a CHAP account, you can create an access control record for the volume and specify
the CHAP user name in the record. To access the volume, a host must supply the user name and its
password. You can set up multiple access control records for a volume and specify a different
CHAP user name in each record. A host must meet the conditions in one access control record to
access the volume. See Creating an Access Control Record That Uses CHAP for more information.

Modifying a local CHAP account.

In the Local CHAP panel, select the user name and click Modify. The Modify CHAP User dialog
box appears. Modify the CHAP account information and click OK.

Deleting a local CHAP account.

In the local CHAP panel, select the user name and click Delete. Confirm that you want to delete
the account.

Specifying an External RADIUS Server

If you want to use CHAP accounts configured on an external RADIUS server (for example,
Microsoft's IAS) for CHAP initiator authentication, you must configure the RADIUS server with
user names and passwords.

Note: See the Technical Report titled Using Microsoft's IAS to Perform CHAP Authentication for
a PS Series Group for detailed information about configuring IAS.

Also, be sure that the RADIUS server is highly available. Downtime will disrupt host access for
any volume that requires CHAP authentication.

To specify an external RADIUS server for initiator authentication, click:

Group Configuration > CHAP tab

The Group CHAP window appears. The following window shows two remote servers:

Specifying a RADIUS server.

In the Local CHAP panel, de-select the checkbox next to Enable local CHAP server. Then,
in the Remote CHAP panel, click Add. The Add List Item dialog box appears.

Specify an IP address for a RADIUS server and click OK. Use the ip_address:port format to
specify a port if you are using a port other than the default (1812). You can specify up to two IP
addresses. Only one RADIUS server will be used at one time. The order in which you specify the
IP addresses is the order in which they will be used.

After specifying a RADIUS server, you can create an access control record for the volume and
specify a CHAP user name (already configured on the RADIUS server) in the record. To access the
volume, a host must supply the user name and its password. You can set up multiple access control
records for a volume and specify a different CHAP user name in each record. A host must meet
the conditions in one access control record to access the volume. See Creating an Access Control
Record That Uses CHAP for more information.

Modifying the IP address for a RADIUS server.

In the Remote CHAP panel, select the IP address from the list of RADIUS servers and then click
Modify. The Modify List Item dialog box appears. Change the IP address and click OK.

Deleting the IP address for a RADIUS server.

In the Remote CHAP panel, select the IP address from the list of RADIUS servers and then click
Delete. If you make a mistake, click Discard Changes.

Creating an Access Control Record That Uses CHAP

After setting up CHAP initiator authentication with local CHAP accounts or an external RADIUS
server, you can create an access control record and specify the CHAP user name to which a volume
will be restricted.

You can create an access control record when you first create a volume, or you can modify a
volume and create one or more access control records. Regardless of the method you use, the
information needed is the same. To access a volume, a host must match all the criteria in one
access control record.

For example, to create an access control record for an existing volume using the Group Manager
GUI, click:

Volumes > Access tab

The Volume Access window appears, as shown next.

Volume Access Window

Click Add to display the Add Access Control Record dialog box.

Add Access Control Record Dialog Box

Specify a CHAP user name. This user name must match a user name configured locally or on an
external RADIUS server.

If desired, you can specify other conditions that a host must meet, including an IP address or iSCSI
initiator name.

Note: If your iSCSI initiator supports discovery and you are using a CHAP user name to restrict
access to a volume, it is recommended that you also specify an IP address in the access
control record. If you only use CHAP, initiators that support discovery will attempt to log
in to the target, even if they do not have the right access credentials, resulting in a large
number of events logged in the PS Series group and an inefficient use of resources.
For example, if a host has a software iSCSI initiator, you can specify the IP address
assigned to the network interface (NIC) on the host. For hardware iSCSI initiators, you can
specify the IP address of the host bus adapter on the host.

You can also specify whether you want the record to apply to the volume, its snapshots, or both.
After specifying the information, click OK.

Configuring Target Authentication


To configure a group for CHAP target authentication, in which the target is authenticated by the
initiator, you must first set up initiator authentication, as described in Configuring Initiator
Authentication. Using both initiator and target authentication is called mutual authentication.

Target authentication on a PS Series group is always enabled. The iSCSI initiator determines
whether the target authentication is enforced.

To display the target authentication account name and password for the group, click:

Group Configuration > CHAP tab

The Group CHAP window appears, as shown previously.

The Target Authentication panel displays the group's default account name and password (referred
to by some initiators as a secret) required for target authentication. The password displayed here
must match the information held by the iSCSI initiator.

If you want to change the account name or password, in the Target Authentication panel, click
Modify. The Modify Target CHAP Account dialog box appears. Modify the information and click
OK. Be sure to also change the reciprocal information in the iSCSI initiator that will access the
group volumes.

Modify Target CHAP Account Dialog Box

Logging in to Volumes
After configuring CHAP initiator authentication, you can log in (connect) to a volume using the
iSCSI initiator's configuration utility. You must specify a CHAP user name and password that
match a CHAP account configured in the group or on an external RADIUS server.

For example, if you are using the Microsoft iSCSI initiator, specify the CHAP user name and
password (target secret) in the Advanced Settings dialog box.

If you have also configured CHAP target authentication, use the initiator's configuration utility
to enable target authentication on the iSCSI initiator. The information must match the target
authentication user name and password configured in the PS Series group.

For example, if you are using the Microsoft iSCSI initiator, specify the target authentication
password (secret) in the Initiator Settings dialog box.

More Information
PS Series Array documentation includes the following:

- Release Notes. Provides the latest information about PS Series Array.

- QuickStart. Describes how to set up the hardware and start using PS Series Array.

- Group Administration. Describes how to use the GUI to manage a PS Series group.
This manual provides comprehensive information about product concepts and procedures.

- CLI Reference. Describes how to use the command line interface to manage a PS Series group
and individual arrays.

- Hardware Maintenance. Provides information about maintaining the array hardware.

Customer Support
For support, visit the EqualLogic Customer Support website where you can download
documentation and firmware and view the FAQs, Knowledge Base, and Tech Reports. From the
EqualLogic website (www.equallogic.com), click Support and log in to a support account. If you
do not have an account, create one by clicking the link under the login prompt.

To contact customer support, send e-mail to supportnp@equallogic.com. If the issue is urgent, call
1-877-887-7337 to speak with a member of the customer support team.
