Administrator Guide

Table Of Contents
To make changes to the access points within an access policy, select a policy and click Modify to open the Edit Access
Policy dialog box. You can create new access points, edit existing access points, or remove access points that belong to this
policy.
To remove an access policy from VDS/VSS access, select the policy name and click Delete. When prompted to conrm the
decision, click Yes.
Add, Modify, or Remove a Basic Access Point:
To create an additional access point for VDS/VSS access, click New to open the New Basic Access Point dialog box. You
can then dene an additional access point.
To change the parameters of an existing access point (CHAP name, iSCSI name, or IP address), select the access point
that you want to edit and click Modify.
To remove a basic access point from VDS/VSS access, select the access point name and click Delete. When prompted to
conrm the decision, click Yes.
Authenticate Initiators with CHAP
CHAP (Challenge Handshake Authentication Protocol) is a network login protocol that uses a challenge-response mechanism. You
can use CHAP to authenticate iSCSI initiators by specifying a CHAP user name in an access control policy. To meet this condition, a
computer must supply the user name and its password (or “secret”) in the iSCSI initiator conguration interface when logging in to
the target.
Using CHAP for iSCSI authentication can help you manage access controls more eciently because it restricts target access by
using user names and passwords, instead of unique IP addresses or iSCSI initiator names.
Before you can use CHAP for initiator authentication, you must set up the CHAP accounts consisting of a user name and password
(or “secret”). Two options are available for accounts; you can use both options simultaneously in a group:
CHAP accounts in the group
Local CHAP accounts do not rely on any external system. You can create up to 100 local CHAP accounts.
CHAP accounts on an external RADIUS authentication server
Using a RADIUS server to manage CHAP accounts is helpful if you are managing a large number of accounts. However,
computer access to targets depends on the availability of the RADIUS server.
NOTE: If you use CHAP for initiator authentication, you can also use target authentication for mutual authentication,
which provides additional security.
Display Local CHAP Accounts
To display local CHAP accounts:
1. Click GroupGroup Conguration.
2. Click the iSCSI tab.
The Local CHAP Accounts panel lists all current CHAP accounts.
NOTE: Starting with rmware v9.1.x, the CHAP password is no longer displayed in clear text format.
Create a Local CHAP Account
CHAP accounts are a method of ensuring that only authorized users can access a PS Series group. You can create local CHAP
accounts or you can use a RADIUS server.
Before you create an account:
You can decide whether to verify iSCSI initiator credentials against local CHAP accounts rst (before verifying external CHAP
accounts on a RADIUS server).
You need the following information:
About Volume-Level Security
117