Introduction
StarWind implements and fully supports the Challenge-Handshake Authentication Protocol (CHAP) for the authentication of users. Challenge Handshake Authentication Protocol is a type of authentication in which the authentication agent (typically a network server) sends the client program a random value that is used only once and an ID value. Both sender and peer share a predefined secret. The peer concatenates the random value (or nonce), the ID and the secret, and calculates a one-way hash using MD5. The hash value is sent to the authenticator, which in turn builds that same string on its side, calculates the MD5 sum itself and compares the result with the value received from the peer. If the values match, the peer is authenticated. By transmitting the hash only, the secret can’t be reverse-engineered. The ID value is increased with each CHAP dialogue to protect against replay attacks. The access can be limited to all server targets at once or set permissions for each target separately. In case of limiting access to certain targets only and keep other targets shared with all, the permissions need to be set for those targets only. Otherwise, the access limitation for all targets may be done by setting permissions for connection. Also, the one-side authentication or mutual authentication can be used.
Configuring CHAP Settings in StarWind Management Console
StarWind enables global and individual access CHAP restrictions to targets. Challenge-Handshake Authentication Protocol (CHAP) authenticates a user or network host to an authenticating entity. CHAP provides protection against replay attacks by the peer through the use of an incrementally changing identifier and a variable challenge value. CHAP requires that both client and server know the plain text of the secret, although it is never sent over the network.
NOTE: More information about CHAP can be found here.
Setting global permissions
1. Select one of the hosts in the StarWind Management Console tree.
2. Click the CHAP Permissions tab. Right-click the main tab area and select Add Permission from the shortcut menu.
3. In New Permission Item, specify the required settings:
- Target CHAP name: is a name used by CHAP for initiator authentication.
- Target secret: is a secret that is used by CHAP for initiator authentication.
- Initiator CHAP name: is a name for the CHAP mutual authentication.
- Initiator secret: is a secret for the CHAP mutual authentication.
Click OK.
4. Check the new CHAP Permission tab.
NOTE: Repeat this step to add as many permissions as needed. Now all clients need to provide CHAP settings to access any target on this server.
NOTE: If the partner authentication settings are not changed, StarWind will not be able to synchronize HA devices to the partner node after the service restart.
Setting individual target permissions
1. Select the required target in the StarWind Management Console tree.
2. Click Add Permission in the CHAP Permissions area.
3. In the New Permission Item window, specify the required settings:
- Target CHAP name: is a name used by CHAP for initiator authentication.
- Target secret: is a secret that is used by CHAP for initiator authentication.
- Initiator CHAP name: is a name for the CHAP mutual authentication.
- Initiator secret: is a secret for the CHAP mutual authentication.
Click OK.
NOTE: Repeat this step to add as many permissions as needed. Now all clients need to provide CHAP settings to access target on this server.
NOTE: If the partner authentication settings are not changed, StarWind will not be able to synchronize HA devices to the partner node after the service restart.
Setting permissions for HA target
1. Open StarWind Management Console.
2. Choose partner device. Click Change Partner Authentication Settings or right-click the device and select Change Partner Authentication Settings from the shortcut menu.
3. Select CHAP in Authentication Type.
4. Indicate Local Name and Local Secret. Click OK.
Selecting the Hypervisor
Please select the required option:
Configuring CHAP Settings on Hyper-V
Setting target permissions
1. Open iSCSI Initiator.
2. Select Target in the Discovered targets area. Click Connect.
3. Click Advanced…
4. To enable CHAP, select the Enable CHAP log on checkbox.
5. Indicate Name and Target secret. Click OK.
6. Open Properties… in the iSCSI Initiator and check Authentication of the connected session.
7. Check Favorite Target Details.
NOTE: Target will not be reconnected after the service restart in case it does not have CHAP Authentication.
Changing CHAP initiator configuration
1. Open iSCSI initiator and click Configuration.
NOTE: Click Change… to modify the initiator name. Click CHAP… to set the initiator CHAP secret.
Configuring CHAP Settings on ESXi
1. Click Add dynamic target in Dynamic Targets. Click Edit Settings.
2. Uncheck Inherit from parent.
3. Write Name and Secret in the corresponding fields. Click Save.
4. Click the Save configuration button.
NOTE: Target will not be reconnected after the service restart if it does not have CHAP Authentication.
Configuring CHAP Settings on XEN
1. Open XenCenter and click on the Server tab. Then select Storage tab and click New SR… .
2. Select iSCSI as Virtual disk storage and click Next.
3. Indicate Name in New Storage Repository. Click Next to proceed.
4. Indicate Target host name/IP address and check Use CHAP. Type username and password. Click Finish.
