StarWind Virtual SAN® Challenge-Handshake Authentication Protocol (CHAP)

Published: August 6, 2018

INTRODUCTION

StarWind implements and fully supports the Challenge-Handshake Authentication Protocol (CHAP) for the authentication of users. CHAP is a type of authentication in which the authentication agent (typically a network server) sends the client program an ID value and a random value that is used only once. The authenticator and the peer share a predefined secret. The peer concatenates the random value (or nonce), the ID and the secret, and calculates a one-way hash using MD5. The hash value is sent to the authenticator, which builds the same string on its side, calculates the MD5 sum itself and compares the result with the value received from the peer. If the values match, the peer is authenticated. Because only the hash is transmitted, the secret itself is never sent over the network. The ID value is increased with each CHAP dialogue to protect against replay attacks.

Access can be limited for all server targets at once, or permissions can be set for each target separately. To limit access to certain targets only and keep the other targets shared with all, set the permissions for those targets only. Otherwise, access to all targets can be limited by setting permissions for the connection. Either one-way authentication or mutual authentication can be used.

A full set of up-to-date technical documentation can always be found here, or by pressing the Help button in the StarWind Management Console.

For any technical inquiries, please visit our online community or the Frequently Asked Questions page, or use the support form to contact our technical support department.

Configuring CHAP Settings in StarWind Management Console

StarWind supports both global and per-target CHAP access restrictions. Challenge-Handshake Authentication Protocol (CHAP) authenticates a user or network host to an authenticating entity. CHAP provides protection against replay attacks by the peer through the use of an incrementally changing identifier and a variable challenge value. CHAP requires that both client and server know the plain text of the secret, although it is never sent over the network.

NOTE: More information about CHAP can be found here.
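
The exchange described in the introduction and restated above, as an added Python example (not StarWind code): it computes the response in the RFC 1994 order (identifier, secret, challenge), verifies it with a constant-time comparison, shows a resent response failing against a new challenge, and runs the mutual direction. The class, function and dictionary key names and all sample values are assumptions constructed for illustration.

```python
import hashlib
import hmac
import os

def chap_response(ident: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 response: MD5 over identifier octet + shared secret + challenge."""
    return hashlib.md5(bytes([ident & 0xFF]) + secret + challenge).digest()

class Authenticator:
    """The side issuing the challenge: the target, or the initiator for mutual CHAP."""
    def __init__(self, secrets_by_name):
        self.secrets = secrets_by_name
        self.ident = 0
        self.pending = None                      # (ident, challenge), good for one reply

    def challenge(self):
        self.ident = (self.ident + 1) % 256      # identifier changes with each dialogue
        self.pending = (self.ident, os.urandom(16))   # random value, used only once
        return self.pending

    def verify(self, name, response):
        pending, self.pending = self.pending, None    # a challenge is never reused
        if pending is None or name not in self.secrets:
            return False
        expected = chap_response(pending[0], self.secrets[name], pending[1])
        return hmac.compare_digest(expected, response)   # constant-time comparison

# Constructed sample values named after the New Permission Item fields.
PERMISSION = {"target_chap_name": "hv-node1", "target_secret": b"constructed-tgt-secret",
              "initiator_chap_name": "sw-node1", "initiator_secret": b"constructed-ini-secret"}

def mutual_login(server, client):
    """Return (initiator_ok, replay_ok, target_ok) for one login attempt."""
    target = Authenticator({server["target_chap_name"]: server["target_secret"]})
    ident, chal = target.challenge()
    resp = chap_response(ident, client["target_secret"], chal)
    initiator_ok = target.verify(client["target_chap_name"], resp)
    target.challenge()                           # new dialogue, new identifier and value
    replay_ok = target.verify(client["target_chap_name"], resp)   # old reply resent
    # Mutual direction: the initiator challenges, the target answers.
    initiator = Authenticator({client["initiator_chap_name"]: client["initiator_secret"]})
    ident2, chal2 = initiator.challenge()
    reply = chap_response(ident2, server["initiator_secret"], chal2)
    target_ok = initiator.verify(server["initiator_chap_name"], reply)
    return initiator_ok, replay_ok, target_ok

if __name__ == "__main__":
    print(mutual_login(PERMISSION, PERMISSION))            # both sides configured alike
    wrong = dict(PERMISSION, target_secret=b"constructed-typo")
    print(mutual_login(PERMISSION, wrong))                 # initiator has the wrong secret
```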

Setting global permissions

1. Select one of the hosts in the StarWind Management Console tree.

2. Click the CHAP Permissions tab. Right-click the main tab area and select Add Permission from the shortcut menu.

3. In New Permission Item, specify the required settings:

  • Target CHAP name: the name used by CHAP for initiator authentication.
  • Target secret: the secret used by CHAP for initiator authentication.
  • Initiator CHAP name: the name used for CHAP mutual authentication.
  • Initiator secret: the secret used for CHAP mutual authentication.

Click OK.

4. Check the new CHAP Permission tab.

NOTE: Repeat this step to add as many permissions as needed. Now all clients need to provide CHAP settings to access any target on this server.

NOTE: If the partner authentication settings are not changed, StarWind will not be able to synchronize HA devices to the partner node after the service restart.

Setting individual target permissions

5. Select the required target in the StarWind Management Console tree.

6. Click Add Permission in the CHAP Permissions area.

7. In the New Permission Item window, specify the required settings:

  • Target CHAP name: the name used by CHAP for initiator authentication.
  • Target secret: the secret used by CHAP for initiator authentication.
  • Initiator CHAP name: the name used for CHAP mutual authentication.
  • Initiator secret: the secret used for CHAP mutual authentication.

Click OK.

NOTE: Repeat this step to add as many permissions as needed. Now all clients need to provide CHAP settings to access the target on this server.

NOTE: If the partner authentication settings are not changed, StarWind will not be able to synchronize HA devices to the partner node after the service restart.

Setting permissions for HA target

8. Open StarWind Management Console.

9. Choose the partner device. Click Change Partner Authentication Settings or right-click the device and select Change Partner Authentication Settings from the shortcut menu.

10. Select CHAP in Authentication Type.

11. Indicate Local Name and Local Secret. Click OK.

Configuring CHAP Settings on Windows

Setting target permissions

1. Open iSCSI Initiator.

2. Select the target in the Discovered targets area. Click Connect.

3. Click Advanced…

4. To enable CHAP, select the Enable CHAP log on checkbox.

5. Indicate Name and Target secret. Click OK.

6. Open Properties… in the iSCSI Initiator and check Authentication of the connected session.

7. Check Favorite Target Details.

NOTE: The target will not be reconnected after the service restart if it does not have CHAP Authentication.

Changing CHAP initiator configuration

8. Open iSCSI initiator and click Configuration.

NOTE: Click Change… to modify the initiator name. Click CHAP… to set the initiator CHAP secret.

Configuring CHAP Settings on ESXi

Setting target permissions

1. Click Add dynamic target in Dynamic Targets.

2. Click Edit Settings.

3. Uncheck Inherit from parent.

4. Write Name and Secret in the corresponding fields. Click Save.

5. Click Save configuration.

NOTE: The target will not be reconnected after the service restart if it does not have CHAP Authentication.

Configuring CHAP Settings on XEN

1. Open XenCenter and click the Server tab, then select the Storage tab. Click New SR…

2. Select iSCSI and click Next.

3. Indicate Name in New Storage Repository. Click Next to proceed.

4. Indicate Target host name/IP address and check Use CHAP. Type username and password. Click Finish.

CONCLUSION

The instructions provided in this guide allow successful configuration of CHAP permissions in StarWind Virtual SAN with hypervisors such as Microsoft Hyper-V, VMware ESXi and Citrix Xen. As a result, the system gains advanced security, because enabled CHAP Authentication protects it from non-authenticated connections.