Skip to main content

How iSCSI authentication works

Contributors netapp-thomi

During the initial stage of an iSCSI session, the initiator sends a login request to the storage system to begin an iSCSI session. The storage system then either permits or denies the login request, or determine that a login is not required.

iSCSI authentication methods are:

  • Challenge Handshake Authentication Protocol (CHAP)--The initiator logs in using a CHAP user name and password.

    You can specify a CHAP password or generate a hexadecimal secret password. There are two types of CHAP user names and passwords:

    • Inbound—​The storage system authenticates the initiator.

      Inbound settings are required if you are using CHAP authentication.

    • Outbound—​This is an optional setting to enable the initiator to authenticate the storage system.

      You can use outbound settings only if you define an inbound user name and password on the storage system.

  • deny—​The initiator is denied access to the storage system.

  • none—​The storage system does not require authentication for the initiator.

You can define the list of initiators and their authentication methods. You can also define a default authentication method that applies to initiators that are not on this list.