hit counter script

Iscsi Session Authentication - Cisco AP776A - Nexus Converged Network Switch 5020 Configuration Manual

Cisco mds 9000 family cli configuration guide - release 4.x (ol-18084-01, february 2009)
Hide thumbs Also See for AP776A - Nexus Converged Network Switch 5020:
Table of Contents

Advertisement

Chapter 43
Configuring iSCSI
S e n d d o c u m e n t a t i o n c o m m e n t s t o m d s f e e d b a c k - d o c @ c i s c o . c o m
The IPS module or MPS-14/2 module uses the Fibre Channel virtual N port of the iSCSI host and does
a zone-enforced name server query for the Fibre Channel target WWN. If the FC ID is returned by the
name server, then the iSCSI session is accepted. Otherwise, the login request is rejected.

iSCSI Session Authentication

The IPS module or MPS-14/2 module supports the iSCSI authentication mechanism to authenticate the
iSCSI hosts that request access to the storage devices. By default, the IPS modules or MPS-14/2 modules
allow CHAP or None authentication of iSCSI initiators. If authentication is always used, you must
configure the switch to allow only CHAP authentication.
For CHAP user name or secret validation, you can use any method supported and allowed by the Cisco
MDS AAA infrastructure (see
authentication supports a RADIUS, TACACS+, or local authentication device.
The aaa authentication iscsi command enables AAA authentication for the iSCSI host and specifies the
method to use.
To configure AAA authentication for an iSCSI user, follow these steps:
Command
Step 1
switch# config t
switch(config)#
Step 2
switch(config)# aaa authentication
iscsi default group RadServerGrp
switch(config)# aaa authentication
iscsi default group TacServerGrp
switch(config)# aaa authentication
iscsi default local
The sections included in this topic are:
OL-18084-01, Cisco MDS NX-OS Release 4.x
responds to the iSCSI host with the list of targets. Each will have either a static iSCSI target name
that you configure or a dynamic iSCSI target name that the IPS module or MPS-14/2 module creates
for it (see the
"Dynamic Mapping" section on page
iSCSI session creation—When an IP host initiates an iSCSI session, the IPS module or MPS-14/2
module verifies if the specified iSCSI target (in the session login request) is allowed by both the
access control mechanisms described in the
If the iSCSI target is a static mapped target, the IPS module or MPS-14/2 module verifies if the
iSCSI host is allowed within the access list of the iSCSI target. If the IP host does not have access,
its login is rejected. If the iSCSI host is allowed, it validates if the virtual Fibre Channel N port used
by the iSCSI host and the Fibre Channel target mapped to the static iSCSI virtual target are in the
same Fibre Channel zone.
If the iSCSI target is an autogenerated iSCSI target, then the IPS module or MPS-14/2 module
extracts the WWN of the Fibre Channel target from the iSCSI target name and verifies if the initiator
and the Fibre Channel target is in the same Fibre Channel zone or not. If they are, then access is
allowed.
Authentication Mechanism, page 43-24
Local Authentication, page 43-24
Restricting iSCSI Initiator Authentication, page 43-25
"iSCSI-Based Access Control" section on page
Chapter 34, "Configuring RADIUS and
Purpose
Enters configuration mode.
Uses RADIUS servers that are added in the group called
RadServerGrp for the iSCSI CHAP authentication.
Uses TACACS+ servers that are added in the group called
TacServerGrp for the iSCSI CHAP authentication.
Uses the local password database for iSCSI CHAP
authentication.
Cisco MDS 9000 Family CLI Configuration Guide
43-6).
TACACS+"). AAA
Configuring iSCSI
43-21.
43-23

Hide quick links:

Advertisement

Table of Contents
loading

Table of Contents