Napp-IT ISCSI-Target with CHAP not working for Windows Initiators

MaddinK

New Member
May 16, 2018
4
0
1
54
Hello,

at least I do not get it up and running ;-)

Comstar configured within the good Napp-IT WebGUI without CHAP works instantly.
But for security reasons one likes to have CHAP enabled...

There is not any documentation or hint how to do it and the obvious way within the gui:
- edit iscsi targets
- Select authentication method "CHAP"
- Submit
- Select target
- Enter Enter CHAP user (opt)
- Enter Enter CHAP password "Should be something with 12 to 16 letters"


results in something like
executing: itadm modify-target -a chap -S /var/web-gui/_log/chap_passwd.txt -u Username iqn.2010-09.org.napp-it:1548085313
or without username:
executing: itadm modify-target -a chap -S /var/web-gui/_log/chap_passwd.txt -u none iqn.2010-09.org.napp-it:1548085313

But whatever you try, Windows always has "error at Authentication"

Is there anybody who has ever gotten it up and running?

Thanks for any help!!
 

MaddinK

Yes, I found this article too, but I stopped working with/reading it when the first command "iscsiadm" only resulted in:
-bash: iscsiadm: command not found

Napp-IT uses instead the command "itadm" for configuration...

Btw. The issue seems to be independent of the Windows version. I have tested so far win8.1, 2008-R2 and 2012-R2

Thanks again for any help...
 

gea

Well-Known Member
Dec 31, 2010
2,500
842
113
DE
iscsiadm is the management tool for the Comstar initiator
It will become available when you install the initiator via pkg install initiator

but when you only want basic chap target authentication, you do not need
follow steps 3 and 4 in Configuring Authentication in Your iSCSI-Based Storage Network - Oracle Solaris Administration: Devices and File Systems
I suppose the missing part is that you must set the chap password for the Windows initiator iqn

What I have done in Windows
- connect the target in Windows (chap disabled), then disconnect in Windows (state in Windows is inactive, you know now that the target is working)


- Click on connect and advanced

You can enable Chap here with a name (iqn.1991-05.com.microsoft:..) and a password

On Solaris, you must add a password for this initiator name with itadm. At console enter

itadm create-initiator -s iqn.1991-05.com.microsoft:.. (iqn from Windows)
enter a password (min 12 char)

Then Windows can authenticate


I will add this step into napp-it
You can also preset the initiator passwords in Solarish. The Windows initiator iqn can be requested in Konfiguration (Windows iSCSI Initiator)
 

MaddinK

Ahhhhhhh......you are absolutely right. Your second link is the correct one (Initiator != target ;-)

In the GUI you see only one command, which results to step 3 in the official docu.
<itadm modify-target -a chap -S ...chap_passwd.txt -u Username iqn.....
Step 4 may be missing and I will try to do this step this afternoon in the shell.
Step 5 is only related to alternate names.

I can't believe that the error is related to wrong/missing steps in the Windows GUI, because I am familiar with mounting iSCSI targets from my Synology NAS inside Windows. And I did this already exactly how you described it.

I will report!

Thanks a lot for your assistance!!
 

gea

The basic idea behind Comstar Chap authentication seems that you can restrict access to an initiator (example a Windows iSCSI Initiator) and for this initiator then to one or more targets. This is why you must define the allowed initiators via itadm create-initiator iqn..

Use the same password for all targets that you want to connect from this initiator. For a different host use another target and set its initiator as well.
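
The check that a CHAP target performs, as an added example that is not part of the original posts and is not COMSTAR or napp-it code: a simplified model of RFC 1994 CHAP with MD5, as iSCSI uses it, showing why the login cannot succeed until the target holds a secret for the initiator's name. The IQN, the secrets and the status strings are constructed for illustration.

```python
import hashlib
import hmac
import os

# Constructed stand-in for the per-initiator secrets that
# `itadm create-initiator -s <iqn>` stores on the target (hypothetical values).
INITIATOR_SECRETS = {
    "iqn.1991-05.com.microsoft:client01.example": b"ExampleSecret123",
}

def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 CHAP with MD5: MD5(identifier || secret || challenge)."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()

def secret_length_ok(secret: bytes) -> bool:
    """12 to 16 characters, the range the napp-it GUI hint in this thread gives."""
    return 12 <= len(secret) <= 16

def target_verify(chap_name, identifier, challenge, response,
                  secrets=INITIATOR_SECRETS) -> str:
    """Target side: look up the secret by the name the initiator sent."""
    secret = secrets.get(chap_name)
    if secret is None:
        # The state before create-initiator: nothing to compare against.
        return "no secret defined for initiator"
    expected = chap_response(identifier, secret, challenge)
    # Constant-time comparison of the two digests.
    if hmac.compare_digest(expected, response):
        return "ok"
    return "secret mismatch"

def login(chap_name: str, typed_secret: bytes, secrets=INITIATOR_SECRETS) -> str:
    """One full exchange: target challenges, initiator answers, target checks."""
    if not secret_length_ok(typed_secret):
        return "secret length out of range"
    identifier, challenge = 1, os.urandom(16)   # sent by the target
    response = chap_response(identifier, typed_secret, challenge)  # initiator
    return target_verify(chap_name, identifier, challenge, response, secrets)

if __name__ == "__main__":
    iqn = "iqn.1991-05.com.microsoft:client01.example"
    print(login(iqn, b"ExampleSecret123"))        # initiator defined on target
    print(login(iqn, b"ExampleSecret123", {}))    # initiator not defined
    print(login(iqn, b"WrongSecret12345"))        # secrets differ
```

The secret itself never crosses the wire, only the digest, so both sides must already hold the same value for the same initiator name.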
 

MaddinK

Thanks for your professional support GEA!!
Now CHAP is working as expected.

The key point is the missing step 4 in Configuring Authentication in Your iSCSI-Based Storage Network - Oracle Solaris Administration: Devices and File Systems
so one has to add this command in the napp-it shell:
itadm create-initiator -s "iqn..bla..windowsclient...iqn......" (iqn can be easily copy/pasted from the windows connect dialog)
Enter CHAP secret:
Re-enter secret:


Then in the still open Windows Connect dialog enter the same CHAP password and you are done.
That way you can easily create unique iSCSI-initiator-definitions "IQN and CHAP-PWD" on your Napp-IT and be sure that the Windows client can connect only to his target.

Thanks again for your great help!!
 

gea

I have added a menu to add the initiators with a secret in napp-it menu Comstar > Targets > add initiator chap
(available in 19.dev)
 