iSCSI Session Authentication - Cisco MDS 9000 Series Configuration Manual

NX-OS IP Services Multilayer Switches

Chapter 4
Configuring iSCSI
Send documentation comments to mds-feedback-doc@cisco.com
...responds to the iSCSI host with the list of targets. Each will have either a static iSCSI target name that you configure or a dynamic iSCSI target name that the IPS module or MPS-14/2 module creates for it (see the "Dynamic Mapping" section on page 4-6).

• iSCSI session creation—When an IP host initiates an iSCSI session, the IPS module or MPS-14/2 module verifies if the specified iSCSI target (in the session login request) is allowed by both the access control mechanisms described in the "iSCSI-Based Access Control" section on page 4-21.

  If the iSCSI target is a static mapped target, the IPS module or MPS-14/2 module verifies if the iSCSI host is allowed within the access list of the iSCSI target. If the IP host does not have access, its login is rejected. If the iSCSI host is allowed, it validates if the virtual Fibre Channel N port used by the iSCSI host and the Fibre Channel target mapped to the static iSCSI virtual target are in the same Fibre Channel zone.

  If the iSCSI target is an autogenerated iSCSI target, then the IPS module or MPS-14/2 module extracts the WWN of the Fibre Channel target from the iSCSI target name and verifies whether the initiator and the Fibre Channel target are in the same Fibre Channel zone. If they are, then access is allowed.

  The IPS module or MPS-14/2 module uses the Fibre Channel virtual N port of the iSCSI host and does a zone-enforced name server query for the Fibre Channel target WWN. If the FC ID is returned by the name server, then the iSCSI session is accepted. Otherwise, the login request is rejected.

iSCSI Session Authentication

The IPS module or MPS-14/2 module supports the iSCSI authentication mechanism to authenticate the iSCSI hosts that request access to the storage devices. By default, the IPS modules or MPS-14/2 modules allow CHAP or None authentication of iSCSI initiators. If authentication must always be used, you must configure the switch to allow only CHAP authentication.

For CHAP user name or secret validation, you can use any method supported and allowed by the Cisco MDS AAA infrastructure (see the Cisco MDS 9000 Family NX-OS Security Configuration Guide for more information). AAA authentication supports a RADIUS, TACACS+, or local authentication device. The aaa authentication iscsi command enables AAA authentication for the iSCSI host and specifies the method to use.

To configure AAA authentication for an iSCSI user, follow these steps:

Step 1
Command: switch# config t
         switch(config)#
Purpose: Enters configuration mode.

Step 2
Command: switch(config)# aaa authentication iscsi default group RadServerGrp
Purpose: Uses RADIUS servers that are added in the group called RadServerGrp for the iSCSI CHAP authentication.

Command: switch(config)# aaa authentication iscsi default group TacServerGrp
Purpose: Uses TACACS+ servers that are added in the group called TacServerGrp for the iSCSI CHAP authentication.

Command: switch(config)# aaa authentication iscsi default local
Purpose: Uses the local password database for iSCSI CHAP authentication.

The sections included in this topic are:
• Configuring Authentication Mechanism, page 4-24
• Configuring Local Authentication, page 4-24
• Restricting iSCSI Initiator Authentication, page 4-25

Cisco MDS 9000 Family NX-OS IP Services Configuration Guide
OL-19525-01, Cisco MDS NX-OS Release 4.2(1)
Configuring iSCSI
4-23
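The session-creation checks this page describes (access list for a static mapped target, FC target pWWN extracted from an autogenerated target name, common Fibre Channel zone, then a zone-enforced name server query for the FC ID), modelled as an added Python example; this is not Cisco code, and the autogenerated name format, initiator names, pWWNs, zones and FC IDs are constructed assumptions.

```python
# Assumed format of an autogenerated target name: this prefix, then switch and
# port fields, then the FC target pWWN as the final dot-separated field.
DYN_PREFIX = "iqn.1987-05.com.cisco:05."

# Constructed sample fabric: all names, pWWNs, zones and FC IDs are made up.
# Static virtual target -> (mapped FC target pWWN, initiator access list).
STATIC_TARGETS = {
    "iqn.2000-01.example:storage.lun1": (
        "21:00:00:20:37:6f:fd:97", {"iqn.2000-01.example:host-a"}),
}
ZONES = [  # each zone is the set of pWWNs allowed to talk to each other
    {"20:00:00:05:30:00:59:a2", "21:00:00:20:37:6f:fd:97"},  # host-a vN port, target 1
    {"20:00:00:05:30:00:59:a3", "22:00:00:20:37:6f:fd:98"},  # host-b vN port, target 2
    {"20:00:00:05:30:00:59:a2", "23:00:00:20:37:6f:fd:99"},  # target 3: zoned, not logged in
]
NAME_SERVER = {  # pWWN -> FC ID of devices currently logged in to the fabric
    "21:00:00:20:37:6f:fd:97": "0x640001",
    "22:00:00:20:37:6f:fd:98": "0x640002",
}

def in_same_zone(pwwn_a, pwwn_b, zones):
    return any(pwwn_a in zone and pwwn_b in zone for zone in zones)

def zone_enforced_ns_query(requester_pwwn, target_pwwn, zones, ns):
    """Name-server lookup that answers only for devices zoned with the requester."""
    if target_pwwn in ns and in_same_zone(requester_pwwn, target_pwwn, zones):
        return ns[target_pwwn]
    return None

def admit_login(initiator_iqn, initiator_vnport_pwwn, target_name,
                static_targets=STATIC_TARGETS, zones=ZONES, ns=NAME_SERVER):
    """Apply the login checks in the order the page describes; returns (accepted, reason)."""
    if target_name in static_targets:          # static mapped target: access list first
        fc_target, allowed = static_targets[target_name]
        if initiator_iqn not in allowed:
            return False, "initiator not on static target access list"
    elif target_name.startswith(DYN_PREFIX):   # autogenerated: pWWN embedded in the name
        fc_target = target_name.rsplit(".", 1)[-1]
    else:
        return False, "unknown iSCSI target"
    if not in_same_zone(initiator_vnport_pwwn, fc_target, zones):
        return False, "initiator vN port and FC target not in a common zone"
    fcid = zone_enforced_ns_query(initiator_vnport_pwwn, fc_target, zones, ns)
    if fcid is None:
        return False, "name server returned no FC ID for the target"
    return True, f"accepted, FC target FC ID {fcid}"
```

A login that passes the access list but fails the zone or name server step is still rejected, which is why zoning the FC target is not optional for static virtual targets.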