Cisco SN 5428-2 Storage Router Software Configuration Guide
78-15471-01
Chapter 9 Configuring Authentication
Prerequisite Tasks
Before performing AAA authentication configuration tasks on the storage router, make sure you have
configured system parameters as described in Chapter 2, First-Time Configuration, or Chapter 3,
Configuring System Parameters. If the storage router is deployed for SCSI routing, you should also
configure SCSI routing instances as described in Chapter 6, Configuring SCSI Routing, before
proceeding. See the iSCSI driver readme file for details on configuring IP hosts for iSCSI authentication.
Note: AAA authentication configuration settings are cluster-wide elements and are shared across a cluster. All
AAA configuration and management functions are performed from a single storage router in a cluster.
Issue the show cluster command to identify the storage router that is currently performing AAA
configuration and management functions.
Using Authentication
AAA is Cisco's architectural framework for configuring a set of three independent security functions in
a consistent, modular manner. Authentication provides a method of identifying users (including login
and password dialog, challenge and response, and messaging support) before they receive access to the
requested object, function, or network service.
The SN 5428-2 Storage Router implements the authentication function for three types of authentication:
- iSCSI authentication: provides a mechanism to authenticate all IP hosts that request access to
  storage via a SCSI routing instance. IP hosts can also verify the identity of a SCSI routing instance
  that responds to requests, resulting in two-way authentication.
- Enable authentication: provides a mechanism to authenticate users requesting access to the
  SN 5428-2 in Administrator mode via the CLI enable command or an FTP session.
- Login authentication: provides a mechanism to authenticate users requesting access to the
  SN 5428-2 in Monitor mode via the login process from a Telnet session, SSH session or the
  management console.
iSCSI Authentication
When enabled, iSCSI drivers provide user name and password information each time an iSCSI TCP
connection is established. iSCSI authentication uses the iSCSI Challenge Handshake Authentication
Protocol (CHAP) authentication method.
iSCSI authentication can be enabled for specific SCSI routing instances. Each SCSI routing instance
enabled for authentication can be configured to use a specific list of authentication services, or it can be
configured to use the default list of authentication services.
For IP hosts that support two-way authentication, the SCSI routing instance can also be configured to
provide user name and password information during the iSCSI TCP connection process.
Note: iSCSI authentication is available for SN 5428-2 storage routers deployed for SCSI routing or transparent
SCSI routing only; it is not available for storage routers deployed for FCIP.
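The CHAP exchange described above, including the two-way case, modelled as an added example (it is not from the Cisco guide and is not the storage router's code). The response calculation is the MD5 form defined in RFC 1994; the function names, dictionary keys and secrets are constructed for illustration.

```python
import hashlib
import hmac
import os


def chap_response(ident: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 CHAP with MD5: hash of identifier octet + secret + challenge."""
    return hashlib.md5(bytes([ident]) + secret + challenge).digest()


def verify(ident: int, secret: bytes, challenge: bytes, response: bytes) -> bool:
    """Recompute the expected response and compare in constant time."""
    return hmac.compare_digest(chap_response(ident, secret, challenge), response)


def two_way_chap(router_db: dict, host_cfg: dict, reuse_challenge: bool = False):
    """Model one iSCSI login; returns (host_authenticated, router_authenticated).

    router_db: secrets configured on the SCSI routing instance (constructed)
    host_cfg:  secrets configured on the IP host's iSCSI driver (constructed)
    """
    # 1. The routing instance challenges the IP host (identifier + random challenge).
    ident, challenge = 1, os.urandom(16)
    # 2. The host answers and sends its own challenge for the reverse direction.
    host_resp = chap_response(ident, host_cfg["host_secret"], challenge)
    rev_ident = 2
    rev_challenge = challenge if reuse_challenge else os.urandom(16)
    # 3. The routing instance verifies the host before doing anything else.
    host_ok = verify(ident, router_db["host_secret"], challenge, host_resp)
    # iSCSI (RFC 7143) forbids reusing the peer's challenge for the reverse
    # direction, so the responder refuses to answer a reflected challenge.
    if not host_ok or hmac.compare_digest(rev_challenge, challenge):
        return (host_ok, False)
    router_resp = chap_response(rev_ident, router_db["router_secret"], rev_challenge)
    # 4. The host verifies the routing instance, completing two-way authentication.
    router_ok = verify(rev_ident, host_cfg["router_secret"], rev_challenge, router_resp)
    return (host_ok, router_ok)


# Constructed sample secrets; each direction uses a different secret.
ROUTER = {"host_secret": b"constructed-host-secret", "router_secret": b"constructed-router-secret"}
HOST = {"host_secret": b"constructed-host-secret", "router_secret": b"constructed-router-secret"}

if __name__ == "__main__":
    print(two_way_chap(ROUTER, HOST))
```

The secret itself never crosses the connection, only the hash over a fresh challenge, which is why each side must generate its own unpredictable challenge per connection.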