Skip to main content

Guidelines for using CHAP authentication

You should follow certain guidelines when using CHAP authentication.

  • If you define an inbound user name and password on the storage system, you must use the same user name and password for outbound CHAP settings on the initiator. If you also define an outbound user name and password on the storage system to enable bidirectional authentication, you must use the same user name and password for inbound CHAP settings on the initiator.

  • You cannot use the same user name and password for inbound and outbound settings on the storage system.

  • CHAP user names can be 1 to 128 bytes.

    A null user name is not allowed.

  • CHAP passwords (secrets) can be 1 to 512 bytes.

    Passwords can be hexadecimal values or strings. For hexadecimal values, you should enter the value with a prefix of “0x” or “0X”. A null password is not allowed.

  • For additional restrictions, you should see the initiator’s documentation.

    For example, the Microsoft iSCSI software initiator requires both the initiator and target CHAP passwords to be at least 12 bytes if IPsec encryption is not being used. The maximum password length is 16 bytes regardless of whether IPsec is used.

Related concepts