StarWind Resource Library

StarWind iSCSI SAN & NAS: Challenge-Handshake Authentication Protocol (CHAP)

Published: July 10, 2011

Introduction

StarWind supports the Challenge-Handshake Authentication Protocol (CHAP) for authentication of users. Challenge Handshake Authentication Protocol is a type of authentication in which the authentication agent (typically a network server) sends the client program a random value that is used only once and an ID value. Both the sender and peer share a predefined secret. The peer concatenates the random value (or nonce), the ID and the secret and calculates a one-way hash using MD5. The hash value is sent to the authenticator, which in turn builds that same string on its side, calculates the MD5 sum itself and compares the result with the value received from the peer. If the values match, the peer is authenticated. By transmitting only the hash, the secret can’t be reverse-engineered. The ID value is increased with each CHAP dialogue to protect against replay attacks.

You can limit access to all server targets at once or set permissions for each targets separately. If you want limit access to certain targets only and remain other targets shared for all, you need to set permissions for those targets only. Otherwise you may limit access for all targets by setting permissions for connection.

Also you can use one-side authentication or mutual authentication.

 

Configuring Chap Settings on Server

Launch the StarWind console selecting Start -> All Programs -> StarWind Software -> StarWind -> StarWind. After the console is launched its icon appears in the system tray. Double click the icon with the left mouse button or single click it with the right and select Start Management pup-up menu item. From the StarWind Servers tree please select the server you want to connect to. Press the right mouse button over the desired host and select the Connect popup menu item. You will be prompted to enter the login and password. Default ones are: root, starwind. You can always change them later. To set global target permissions (which are applied to all targets) connected to the StarWind Service, click the Targets tree node then click CHAP Permissions tab.

Select Add Permission pop-up menu item to continue.

New Permission dialog appears. Specify Target CHAP name and Target secret only if you want use one-side authentication. If you want use mutual authentication specify also Initiator CHAP name and Initiator CHAP secret.

Press the OK button.

You can repeat this step to add permissions as many as you need. Now all clients need to provide CHAP settings to access any target on this server.

To set CHAP settings for certain target not for all targets at once (individual CHAP permissions) you need click on the target then click CHAP Permissions tab of the target.

The other steps would be the same.

 

Connecting the Target that Use Chap Authentication (MS iSCSI initiator)

Launch the Microsoft iSCSI Software Initiator application Start->All Programs->Microsoft iSCSI Initiator-> Microsoft iSCSI Initiator. Select the Discovery Tab. In the Target Portals group, click the Add button.

Press the Add button.

In the Add Target Portal dialog enter IP address or DNS name of the StarWind target server.

Press the OK button to continue.

Click on the Targets tab. Select the IQN of the target just added.

Press the Log On… button.

The Log On to Target dialog now appears.

Press the Advanced button to continue.

Advanced Settings dialog appears. Enter only Local name and Local secret
from StarWind CHAP settings into User name and Target secret fields.

Press the OK button to continue.

Press the OK button to continue.

If successful, the initiator is now logged on to StarWind.

Press the OK button to exit the application.

 

Connecting the Target that Use Chap Authentication (StarPort)

Launch the StarPort console selecting Start -> All Programs -> StarWind Software -> StarPort -> StarPort. After the console is launched its icon appears in the system tray. Double click the icon with the left mouse button or single click it with the right and select Start Management menu item from the pop-up menu.

Select the Add Device… menu item to continue.

New device installation wizard will appears. On this step of Wizard please select Remote iSCSI device.

Press the Next button to continue.

Type in the IP address of the computer with StarWind installed and port of that machine.

Press the Next button to continue.

On this step select target from list and check “Use CHAP authentication” option.

Press the Next button to continue.

Provide only Local name and Local secret from StarWind CHAP settings into first two fields if you want use one-side authentication. If you want use mutual authentication check Perform mutual authentication and provide Peer name and Peer secret into other two fields.

Press the Next button to continue.

The information about the recently connected device is displayed on the last wizard page (see image below). If all names and secrets were provided without errors, target would be connected.

Press the Finish button to exit the wizard. After these steps the device will be accessible from client computer.