2012-11-29 06:23 AM
I am using SnapDrive for Windows 6.4P1 and when I try to connect to a filer with sdcli iscsi_initiator establish_session -h # -tp # -t iqn -np ip port -c user password I get the following error:
Unable to establish an iSCSI session.
Error: Object reference not set to an instance of an object.
If I disable CHAP and connect without the -c parameter it connects fine. So, has anyone else run in to this or did I muck up the command line (assuming everything but the -c parameter is correct because without it the connection works). I do use the iqn of the client as the username for CHAP.
I am also curious how many people really use CHAP security since iSCSI has to be on a layer-2 network from trusted hosts.
2012-11-29 11:16 AM
I've used CHAP successfully with iSCSI on a NetApp Lun. Specifiy a username/password other than the UID for CHAP authentication. It's a point to point connection and doesn't query LDAP. You can put any user/pass you want, but it must be specified and match on the target and initiator. As far as "why" anyone would use it, there are networks in certian Enterprises both private and Gov't that require all iSCSI traffic to be encrypted. I've worked for them for years and it's a mandate. Even though all iSCSI nodes are on a private VLAN that is physically segregated from the production network, there is still a threat of an Man in the Middle attack on the wire.
Message was edited by: James Whitlock
2012-11-29 12:19 PM
We are using CHAP right now on everything, and the connection works from the GUI, just not the CLI. Same FUD can be used for FC, with CHAPv2 being broken as a security mechanism, I'm wondering what the value is right now.