Napp-IT ISCSI-Target with CHAP not working for Windows Initiators

Discussion in 'Solaris, Nexenta, OpenIndiana, and napp-it' started by MaddinK, Jan 21, 2019.

  1. MaddinK

    MaddinK New Member

    Joined:
    May 16, 2018
    Messages:
    4
    Likes Received:
    0
    Hello,

    at least I do not get it up and running ;-)

    Comstar configured within the good Napp-IT WebGUI without CHAP works instantly.
    But for security reasons one likes to have CHAP enabled...

    There is not any documentation or hint how to do it and the obvious way within the GUI:
    - edit iscsi targets
    - Select authentication method "CHAP"
    - Submit
    - Select target
    - Enter Enter CHAP user (opt)
    - Enter Enter CHAP password "Should be something with 12 to 16 letters"


    results in something like
    executing: itadm modify-target -a chap -S /var/web-gui/_log/chap_passwd.txt -u Username iqn.2010-09.org.napp-it:1548085313
    or without username:
    executing: itadm modify-target -a chap -S /var/web-gui/_log/chap_passwd.txt -u none iqn.2010-09.org.napp-it:1548085313

    But whatever you try, Windows always has "error at Authentication"

    Is there anybody who has ever gotten it up and running?

    Thanks for any help!!
     
    #1
  2. gea

    gea Well-Known Member

    Joined:
    Dec 31, 2010
    Messages:
    2,058
    Likes Received:
    660
  3. MaddinK

    Yes, I found this article too, but I stopped working with/reading it when the first command "iscsiadm" only resulted in:
    -bash: iscsiadm: command not found

    Napp-IT uses instead the command "itadm" for configuration...

    Btw. The issue seems to be independent of the Windows version. I have tested so far Win 8.1, 2008-R2 and 2012-R2

    Thanks again for any help...
     
    #3
  4. gea

    iscsiadm is the management tool for the Comstar initiator
    It will become available when you install the initiator via pkg install initiator

    but when you only want basic chap target authentication, you do not need
    follow steps 3 and 4 in Configuring Authentication in Your iSCSI-Based Storage Network - Oracle Solaris Administration: Devices and File Systems
    I suppose the missing part is that you must set the chap password for the Windows initiator iqn

    What I have done in Windows
    - connect the target in Windows (chap disabled), then disconnect in Windows (state in Windows is inactive, you know now that the target is working)


    - Click on connect and advanced

    You can enable Chap here with a name (iqn.1991-05.com.microsoft:..) and a password

    On Solaris, you must add a password for this initiator name with itadm. At console enter

    itadm create-initiator -s iqn.1991-05.com.microsoft:.. (iqn from Windows)
    enter a password (min 12 char)

    Then Windows can authenticate


    I will add this step into napp-it
    You can also preset the initiator passwords in Solarish. The Windows initiator iqn can be requested in Configuration (Windows iSCSI Initiator)
     
    #4
  5. MaddinK

    Ahhhhhhh......you are absolutely right. Your second link is the correct one (Initiator != target ;-)

    In the GUI you see only one command, which results in step 3 in the official docu.
    <itadm modify-target -a chap -S ...chap_passwd.txt -u Username iqn.....
    Step 4 may be missing and I will try to do this step this afternoon in the shell.
    Step 5 is only related to alternate names.

    I can't believe that the error is related to wrong/missing steps in the Windows GUI, because I am familiar with mounting iSCSI targets from my Synology NAS inside Windows. And I did this already exactly how you described it.

    I will report!

    Thanks a lot for your assistance!!
     
    #5
  6. gea

    The basic idea behind Comstar Chap authentication seems that you can restrict access to an initiator (example a Windows iSCSI Initiator) and for this initiator then to one or more targets. This is why you must define the allowed initiators via itadm create-initiator iqn..

    Use the same password for all targets that you want to connect from this initiator. For a different host use another target and set its initiator as well.
     
    #6
  7. MaddinK

    Thanks for your professional support GEA!!
    Now CHAP is working as expected.

    The key point is the missing step 4 in Configuring Authentication in Your iSCSI-Based Storage Network - Oracle Solaris Administration: Devices and File Systems
    so one has to add this command in the napp-it shell:
    itadm create-initiator -s "iqn..bla..windowsclient...iqn......" (iqn can be easily copy/pasted from the Windows connect dialog)
    Enter CHAP secret:
    Re-enter secret:


    Then enter the same CHAP password in the still open Windows Connect dialog and you are done.
    That way you can easily create unique iSCSI initiator definitions "IQN and CHAP-PWD" on your Napp-IT and be sure that the Windows client can connect only to its target.

    Thanks again for your great help!!
     
    #7
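The two target-side steps this thread arrives at, as a shell script added here (not napp-it's or the posters' code): it checks both IQNs and the 12 to 16 character secret length before calling itadm, and passes the secret through a private temporary file. The `setup_chap` helper, the `ITADM` dry-run switch, the Windows initiator IQN and the secret are assumptions for illustration; `-S` on `create-initiator` is the secret-file form of the `-s` prompt used in the posts.

```shell
#!/bin/sh
# Added example, not napp-it code. ITADM defaults to a dry run that prints the
# commands; run with ITADM=itadm on the storage host to apply them.
ITADM=${ITADM:-echo itadm}

# iqn.YYYY-MM.<reversed-domain>[:<identifier>]
valid_iqn() {
    printf '%s\n' "$1" |
        grep -Eq '^iqn\.[0-9]{4}-[0-9]{2}\.[a-z0-9][a-z0-9.-]*(:[^[:space:]]+)?$'
}

# 12 to 16 characters: the range quoted in this thread (assumption: it applies
# to the initiator secret as well as to the GUI's target field).
valid_secret() {
    len=${#1}
    [ "$len" -ge 12 ] && [ "$len" -le 16 ]
}

# setup_chap TARGET_IQN INITIATOR_IQN SECRET
setup_chap() {
    valid_iqn "$1" || { echo "bad target IQN: $1" >&2; return 2; }
    valid_iqn "$2" || { echo "bad initiator IQN: $2" >&2; return 2; }
    valid_secret "$3" || { echo "CHAP secret must be 12-16 characters" >&2; return 3; }

    # mktemp creates the file with mode 0600; it is removed once itadm has read it.
    secret_file=$(mktemp) || return 1
    printf '%s' "$3" > "$secret_file"

    # First the command the GUI already issues (step 3 in the thread), then the
    # missing one (step 4): store the secret under the initiator's own IQN.
    $ITADM modify-target -a chap "$1" &&
        $ITADM create-initiator -S "$secret_file" "$2"
    rc=$?
    rm -f "$secret_file"
    return "$rc"
}

# Constructed sample run: target IQN as quoted in the thread, hypothetical
# Windows initiator IQN and secret.
setup_chap "iqn.2010-09.org.napp-it:1548085313" \
           "iqn.1991-05.com.microsoft:win-client.example" \
           "example-secret-1"
```

The secret entered in the Windows connect dialog must be the same string stored for that initiator IQN here.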
  8. gea

    I have added a menu to add the initiators with a secret in napp-it menu Comstar > Targets > add initiator chap
    (available in 19.dev)
     
    #8