Enable Mutual iSCSI Authentication with ESXCLI

Mutual authentication is supported for software iSCSI and dependent hardware iSCSI, but not for independent hardware iSCSI.

For information on iSCSI CHAP, see Setting iSCSI CHAP.

Prerequisites

  • Verify that CHAP authentication is already set up before you start setting up mutual CHAP.
  • Verify that CHAP and mutual CHAP use different user names and passwords. The second user name and password are supported for mutual authentication on the storage side.
  • Verify that CHAP and mutual CHAP use compatible CHAP levels.

Procedure

  1. Enable authentication.
    esxcli <conn_options> iscsi adapter auth chap set --direction=uni --chap_username=<name> --chap_password=<pw> --level=[prohibited, discouraged, preferred, required] --secret=<string> --adapter=<adapter_name>
    The specified chap_username and secret must be supported on the storage side.
  2. List possible VMkernel NICs to bind.
    esxcli <conn_options> iscsi logicalnetworkportal list
  3. Enable mutual authentication.
    esxcli <conn_options> iscsi adapter auth chap set --direction=mutual --mchap_username=<m_name> --mchap_password=<m_pwd> --level=[prohibited, required] --secret=<string> --adapter=<adapter_name>
    The specified mchap_username and secret must be supported on the storage side.
  4. After setup is complete, perform rediscovery and rescan all storage devices.
    The following example performs the rediscovery and rescan operations.
    esxcli <conn_options> iscsi adapter discovery rediscover
    esxcli <conn_options> storage core adapter rescan --adapter=vmhba36
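
The prerequisites above can be checked before any esxcli command is run. The following pre-flight script is an added example, not part of the original procedure or of VMware's tooling. Assumptions: the function name check_mutual_chap and its exit codes are hypothetical, "compatible CHAP levels" is taken to mean that mutual=required needs uni=required, and the 12-character minimum follows the 96-bit floor that iSCSI (RFC 7143) sets for CHAP secrets used without IPsec.

```shell
#!/bin/sh
# Pre-flight check for the CHAP / mutual CHAP prerequisites of this procedure.
# Added example: it never calls esxcli, it only inspects the planned values.
# Exit codes (hypothetical): 0 ok, 1 same user name, 2 same secret,
# 3 bad uni level, 4 bad mutual level, 5 incompatible levels, 6 short secret.
check_mutual_chap() {
    uni_name=$1; uni_secret=$2; uni_level=$3
    m_name=$4;   m_secret=$5;   m_level=$6

    # Prerequisite: CHAP and mutual CHAP use different user names and passwords.
    # A secret shared by both directions lets a challenge be reflected back.
    [ "$uni_name" != "$m_name" ] || { echo "same user name in both directions" >&2; return 1; }
    [ "$uni_secret" != "$m_secret" ] || { echo "same secret in both directions" >&2; return 2; }

    # Levels accepted by step 1 (uni) and step 3 (mutual) of the procedure.
    case $uni_level in
        prohibited|discouraged|preferred|required) ;;
        *) echo "invalid uni level: $uni_level" >&2; return 3 ;;
    esac
    case $m_level in
        prohibited|required) ;;
        *) echo "invalid mutual level: $m_level" >&2; return 4 ;;
    esac

    # Assumption: "compatible" means mutual=required needs uni=required.
    if [ "$m_level" = required ] && [ "$uni_level" != required ]; then
        echo "mutual CHAP required but uni level is $uni_level" >&2; return 5
    fi

    # Assumption: 12-character minimum (96 bits) for each secret.
    for s in "$uni_secret" "$m_secret"; do
        [ "${#s}" -ge 12 ] || { echo "secret shorter than 12 characters" >&2; return 6; }
    done
    return 0
}

# Constructed sample values, not real credentials.
check_mutual_chap init-user 'Init-Secret-0001' required \
                  tgt-user  'Tgt-Secret-00002' required \
    && echo "prerequisites satisfied"
```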