Send documentation comments to mdsfeedback-doc@cisco.com.
20-18
Cisco MDS 9000 Family Fabric Manager Configuration Guide
OL-6965-03, Cisco MDS SAN-OS Release 2.x
Chapter 20 iSCSI Configuration
Configuring iSCSI
Note Only the Challenge Handshake Authentication Protocol (CHAP) authentication method is supported.

No Authentication

If no authentication is configured, local authentication is used.
Set the iSCSI authentication method to none to configure a network with no authentication. See the
“Configuring an Authentication Mechanism” section on page 20-18.

Configuring an Authentication Mechanism

During an iSCSI login, both the iSCSI initiator and target have the option to authenticate each other. By
default, the IPS module allows either CHAP authentication or no authentication from iSCSI hosts.
Note The authentication for a Gigabit Ethernet interface or subinterface configuration overrides the
authentication for the global interface configuration.
To configure an authentication method for iSCSI, follow these steps:
Step 1 In Fabric Manager, select End Devices > iSCSI from the Physical Attributes pane. You see the iSCSI
tables in the Information pane.
In Device Manager, select IP > iSCSI. You see the iSCSI dialog box.
Step 2 Click the Global tab. You see the iSCSI authentication configuration table.
Step 3 In Fabric Manager, select chap or none from the authMethod column.
Or in Device Manager, check the Chap check box to configure DH-CHAP authentication, or check none
for no authentication.
Step 4 Click the Apply Changes icon in Fabric Manager or click Apply in Device Manager to save these
changes, or click Undo Changes in Fabric Manager or click Cancel in Device Manager to discard
changes.

Restricting iSCSI Initiator Authentication

By default, the iSCSI initiator can use any user name in the RADIUS or local database to authenticate
itself to the IPS module or MPS-14/2 module (the CHAP user name is independent of the iSCSI initiator
name). The IPS module or MPS-14/2 module allows the initiator to log in as long as it provides a correct
response to the CHAP challenge sent by the switch. This can be a problem if one CHAP user name and
password has been compromised.
To restrict an initiator to a specific user name for CHAP authentication using Device Manager,
follow these steps:
Step 1 Choose IP > iSCSI and select the Initiator tab. You see the iSCSI initiators for this switch.
Step 2 Set the AuthUser field to the user name that you want to restrict the iSCSI initiator to for CHAP
authentication.
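
The following is an added example, not part of the Cisco guide: a minimal Python model of a target-side CHAP check (RFC 1994 MD5 response) that shows why the AuthUser restriction matters when the CHAP user name is independent of the initiator name. The user names, secrets, initiator name, and the `verify_login` function are hypothetical and do not represent the switch's implementation.

```python
import hashlib
import hmac
import os

# Constructed sample data: CHAP user database (local or RADIUS) and the
# per-initiator AuthUser restriction. All names and secrets are hypothetical.
CHAP_USERS = {"host-a": b"secret-a-0123456789", "host-b": b"secret-b-0123456789"}
AUTH_USER = {"iqn.2005-01.com.example:host-a": "host-a"}


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 CHAP with MD5: hash of identifier byte, secret, challenge."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


def verify_login(initiator, chap_user, identifier, challenge, response,
                 restrict=True):
    """Model of the target-side check; returns (accepted, reason)."""
    secret = CHAP_USERS.get(chap_user)
    if secret is None:
        return False, "unknown CHAP user"
    expected = chap_response(identifier, secret, challenge)
    if not hmac.compare_digest(expected, response):
        return False, "bad CHAP response"
    # Default behaviour: any valid user name is accepted for any initiator.
    # With AuthUser set, the initiator may only authenticate as that user.
    bound = AUTH_USER.get(initiator)
    if restrict and bound is not None and bound != chap_user:
        return False, "CHAP user does not match AuthUser"
    return True, "ok"


def demo():
    """host-b's credentials are presented under the initiator name of host-a."""
    ident, challenge = 1, os.urandom(16)
    resp = chap_response(ident, CHAP_USERS["host-b"], challenge)
    iqn = "iqn.2005-01.com.example:host-a"
    return (verify_login(iqn, "host-b", ident, challenge, resp, restrict=False),
            verify_login(iqn, "host-b", ident, challenge, resp, restrict=True))


if __name__ == "__main__":
    for accepted, reason in demo():
        print(accepted, reason)
```

Without the restriction, a correct response for any known CHAP user is accepted regardless of the initiator name; with AuthUser set, the same response is rejected because the user name does not match the one bound to that initiator.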