Defining RADIUS as the authentication method for initiators

You can define RADIUS as the authentication method for one or more initiators, and you can also make it the default authentication method for initiators that are not individually defined.

About this task

You can generate a random password, or you can specify the password you want to use. Inbound passwords are saved on the RADIUS server and outbound passwords are saved on the storage system.

Steps

  1. To generate a random password, enter the following command:
    iscsi security generate

    The storage system generates a 128-bit random password.

    Note: If you generate a random inbound password, you must add this password to the RADIUS server.

  2. For each initiator, enter the following command:
    iscsi security add -i initiator -s chap -f radius [-o outpassword -m outname]

    initiator is the initiator name in the iSCSI nodename format.

    Use the -f option to ensure that the initiator uses only RADIUS as the authentication method. If you do not use the -f option, the initiator attempts to authenticate via RADIUS only if the local CHAP authentication fails.

    outpassword is a password for outbound CHAP authentication. It is stored locally on the storage system, which uses this password for authentication by the initiator.

    outname is a user name for outbound CHAP authentication. The storage system uses this user name for authentication by the initiator.

    Note: If you generated a random password, you can use this string for outpassword. If you enter a string, the storage system interprets an ASCII string as an ASCII value and a hexadecimal string, such as 0x1345, as a binary value.

  3. To define RADIUS as the default authentication method for all initiators not previously specified, enter the following command:
    iscsi security default -s chap -f radius [-o outpassword -m outname]

Examples

system1> iscsi security add -i iqn.1992-08.com.microsoft:system1 -s chap -f radius
system1> iscsi security show
Default sec is CHAP RADIUS Outbound password: **** Outbound username: 
init: iqn.1994-05.com.redhat:10ca21e21b75 auth: CHAP RADIUS Outbound password: **** Outbound username: icroto
system1> iscsi security default -s chap -f radius
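
The note in step 2 says that a string such as 0x1345 is taken as a binary value rather than as ASCII text. The following Python sketch is an added example, not part of the original documentation or the storage system's code; it models that rule and uses the RFC 1994 CHAP-MD5 response to show that the two readings of the same string produce different responses. The function names, the case-insensitive 0x check, and the sample values are assumptions.

```python
import hashlib
import secrets


def secret_bytes(entered: str) -> bytes:
    """Model the rule in the step 2 note: a 0x-prefixed string is binary,
    anything else is taken as its ASCII characters."""
    # Assumption: the prefix test and the hex digits are case-insensitive.
    if entered[:2].lower() == "0x":
        return bytes.fromhex(entered[2:])
    return entered.encode("ascii")


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """CHAP with MD5 per RFC 1994: MD5(identifier || secret || challenge)."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


def constructed_secret() -> str:
    """A constructed 128-bit random secret written in 0x hex form."""
    return "0x" + secrets.token_hex(16)


def same_response(entered: str, identifier: int, challenge: bytes) -> bool:
    """True if a peer that stored the literal characters of `entered`
    computes the same CHAP response as one that applied the 0x rule."""
    parsed = chap_response(identifier, secret_bytes(entered), challenge)
    literal = chap_response(identifier, entered.encode("ascii"), challenge)
    return parsed == literal


if __name__ == "__main__":
    challenge = secrets.token_bytes(16)  # constructed challenge value
    for entered in ("0x1345", "1345", constructed_secret()):
        key = secret_bytes(entered)
        print(f"{entered!r}: {len(key)} secret bytes, "
              f"literal storage matches: {same_response(entered, 1, challenge)}")
```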

After you finish

After enabling RADIUS authentication for the initiators, start the RADIUS client service on the storage system.