
Cisco MDS 9000 Family Configuration Guide
OL-6973-03, Cisco MDS SAN-OS Release 2.x
Chapter 35 Configuring iSCSI
Enforcing Access Control
its login is rejected. If the iSCSI host is allowed, the module then checks that the virtual Fibre Channel N port used
by the iSCSI host and the Fibre Channel target mapped to the static iSCSI virtual target are in the
same Fibre Channel zone.
If the iSCSI target is an auto-generated iSCSI target, the IPS module or MPS-14/2 module
extracts the WWN of the Fibre Channel target from the iSCSI target name and verifies whether the initiator
and the Fibre Channel target are in the same Fibre Channel zone. If they are, access is
allowed.
In both cases the IPS module or MPS-14/2 module uses the Fibre Channel virtual N port of the iSCSI host to issue
a zone-enforced name server query for the Fibre Channel target WWN. If the name server returns an FCID, the
iSCSI session is accepted. Otherwise, the login request is rejected. Because the query is zone enforced, a target
that is not zoned with the initiator's virtual N port is simply not returned, so the active Fibre Channel zone set is
what ultimately decides which targets an iSCSI host can reach.
The IPS module or MPS-14/2 module supports an iSCSI authentication mechanism to authenticate iSCSI
hosts that request access to storage. By default, IPS modules and MPS-14/2 modules accept either CHAP or no
authentication ("None") from iSCSI initiators, so an initiator can log in without presenting any credential and the
only remaining control is zoning. If authentication should always be required, you must configure the
switch to allow only CHAP authentication.
For CHAP username or secret validation you can use any method supported and allowed by the Cisco
MDS AAA infrastructure (see Chapter 28, "Configuring RADIUS and TACACS+"). AAA
authentication supports RADIUS, TACACS+, or the local authentication database.
The aaa authentication iscsi command enables AAA authentication for iSCSI hosts and specifies the
method to use.
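The following Python model puts the two checks described above (the zone-enforced name server query from the host's virtual N port, and the CHAP-or-None versus CHAP-only authentication policy) into one login decision so that the effect of each setting can be exercised. It is an added example written for this page, not Cisco code and not how the IPS or MPS-14/2 module is implemented. Every pWWN, FCID, zone, initiator name and target name in it is constructed, and the exact prefix of the auto-generated target name (everything before the trailing 16-hex-digit target pWWN) is an assumption; only the fact that the target WWN is carried in the name comes from the text.

```python
import re
from dataclasses import dataclass

# Constructed sample fabric state for this example (not from the guide or a real switch).

# iSCSI initiators the switch allows, mapped to the pWWN of the virtual
# Fibre Channel N port that represents each host in the fabric.
ALLOWED_INITIATORS = {
    "iqn.1991-05.com.example:host1": "21:00:00:e0:8b:01:02:03",
    "iqn.1991-05.com.example:host2": "21:00:00:e0:8b:aa:bb:cc",
}

# Active zone set: zone name -> member pWWNs.
ACTIVE_ZONES = {
    "host1_to_array": {"21:00:00:e0:8b:01:02:03", "50:06:01:60:10:20:30:40"},
    "host2_to_array": {"21:00:00:e0:8b:aa:bb:cc", "50:06:01:61:10:20:30:41"},
}

# Name server database: pWWN -> FCID of targets currently logged into the fabric.
NAME_SERVER = {
    "50:06:01:60:10:20:30:40": 0x010200,
    "50:06:01:61:10:20:30:41": 0x010300,
}

# Static iSCSI virtual targets: iSCSI target name -> mapped FC target pWWN.
STATIC_TARGETS = {
    "iqn.2004-01.com.example:san:lun0": "50:06:01:60:10:20:30:40",
}

# Auto-generated target names end with the target pWWN as 16 hex digits.
# The prefix assumed here is illustrative, not the guide's exact format.
AUTO_TARGET_RE = re.compile(r"^iqn\.1987-05\.com\.cisco:05\..+\.([0-9a-fA-F]{16})$")


def resolve_target_pwwn(target_name):
    """Static targets come from the configured table; for an auto-generated
    target the pWWN is extracted from the name. Returns None if unknown."""
    if target_name in STATIC_TARGETS:
        return STATIC_TARGETS[target_name]
    m = AUTO_TARGET_RE.match(target_name)
    if m is None:
        return None
    raw = m.group(1).lower()
    return ":".join(raw[i:i + 2] for i in range(0, 16, 2))


def zone_enforced_ns_query(initiator_pwwn, target_pwwn):
    """Name server lookup as seen from the initiator's virtual N port: the
    FCID is returned only if both ports share an active zone and the target
    is registered; otherwise None, as if the target were not in the fabric."""
    in_common_zone = any(
        initiator_pwwn in members and target_pwwn in members
        for members in ACTIVE_ZONES.values()
    )
    if not in_common_zone:
        return None
    return NAME_SERVER.get(target_pwwn)


@dataclass
class LoginRequest:
    initiator_name: str
    target_name: str
    auth_method: str          # "CHAP" or "None", as negotiated at iSCSI login
    chap_valid: bool = False  # outcome of AAA validation of the CHAP response


def decide_login(req, chap_required):
    """Return (accepted, reason). chap_required=False is the default policy
    (CHAP or None allowed); True models a switch that allows only CHAP."""
    virtual_pwwn = ALLOWED_INITIATORS.get(req.initiator_name)
    if virtual_pwwn is None:
        return False, "initiator not allowed"

    if req.auth_method == "None":
        if chap_required:
            return False, "unauthenticated login refused, CHAP required"
    elif req.auth_method == "CHAP":
        if not req.chap_valid:
            return False, "CHAP validation failed"
    else:
        return False, "unsupported authentication method"

    target_pwwn = resolve_target_pwwn(req.target_name)
    if target_pwwn is None:
        return False, "unknown iSCSI target"

    fcid = zone_enforced_ns_query(virtual_pwwn, target_pwwn)
    if fcid is None:
        return False, "target not zoned with initiator's virtual N port"
    return True, "accepted, target FCID 0x%06x" % fcid
```

Running decide_login with chap_required=False and auth_method="None" shows the default policy's weakness: a host whose virtual N port is zoned with the target is accepted without any credential, and only the CHAP-only policy (chap_required=True) turns that login into a rejection. The same host pointed at a target outside its zone is rejected regardless of authentication, which is the zone-enforced query doing its job.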