iSCSI Authentication Setup Guidelines and Scenarios
S e n d d o c u m e n t a t i o n c o m m e n t s t o m d s f e e d b a c k - d o c @ c i s c o . c o m
switch(config-radius)# server 10.1.1.1
Configure an IPv6 address.
switch(config)# aaa group server radius iscsi-radius-group
switch(config-radius)# server 001:0DB8:800:200C::4180
switch(config)# aaa authentication iscsi default group iscsi-radius-group
Set up the iSCSI authentication method to require CHAP for all iSCSI clients.
Step 4
switch(config)# iscsi authentication chap
Verify that the global iSCSI authentication setup is for CHAP.
Step 5
switch# show iscsi global
iSCSI Global information
Authentication: CHAP
....
Verify that the AAA authentication information is for iSCSI.
Step 6
switch# show aaa authentication
switch# show radius-server groups
total number of groups:2
following RADIUS server groups are configured:
switch# show radius-server
Global RADIUS shared secret:mds-1
....
following RADIUS servers are configured:
To configure an iSCSI RADIUS server, follow these steps:
Configure the RADIUS server to allow access from the Cisco MDS switch's management Ethernet IP
Step 1
address.
Configure the shared secret for the RADIUS server to authenticate the Cisco MDS switch.
Step 2
Configure the iSCSI users and passwords on the RADIUS server.
Step 3
iSCSI Transparent Mode Initiator
This scenario assumes the following configuration (see
Cisco MDS 9000 Family CLI Configuration Guide
43-68
default: local
console: local
iscsi: group iscsi-radius-group
dhchap: local
group radius:
server: all configured radius servers
group iscsi-radius-group:
server: 10.1.1.1 on auth-port 1812, acct-port 1813
10.1.1.1:
available for authentication on port:1812
available for accounting on port:1813
<---------------- Verify CHAP
<--------- Group name
<-------- Verify secret
<----------- Verify the server IPv4 address
Figure
Chapter 43
Configuring iSCSI
43-21):
OL-18084-01, Cisco MDS NX-OS Release 4.x