
h1. How to Simplify Initiator CHAP Management Using a RADIUS Server

You can use a third-party RADIUS server as a centralized authentication service to simplify CHAP secret management. This setup is useful only when the initiator requests bidirectional CHAP authentication. You must still specify the initiator's CHAP secret, but with bidirectional authentication through a RADIUS server you are not required to specify the CHAP secret of each target on the initiator. RADIUS can be configured independently on either the initiator or the target. The initiator and the target do not have to use RADIUS.
# Become superuser.
# Configure the initiator node with the IP address and port of the RADIUS server.
The default port is 1812.
{code}
# iscsiadm modify initiator-node --radius-server 10.0.0.72:1812
{code}
# Configure the initiator node with the shared secret of the RADIUS server.
The RADIUS server must be configured with the same shared secret before iSCSI can interact with the server. The command prompts for the secret instead of taking it as an argument.
{code}
# iscsiadm modify initiator-node --radius-shared-secret
{code}
# Enable the use of the RADIUS server.
{code}
# iscsiadm modify initiator-node --radius-access enable
{code}
# Set up the other aspects of CHAP bidirectional authentication as normal.
{code}
# iscsiadm modify initiator-node --authentication CHAP
# iscsiadm modify target-param --bi-directional-authentication enable <target-iqn>
# iscsiadm modify target-param --authentication CHAP <target-iqn>
{code}
# Configure the RADIUS server with:
#* The identity of this node (for example, its IP address)
#* The shared secret this node uses to communicate with the RADIUS server
#* The target CHAP name (for example, the target IQN) and the target CHAP secret for each target that needs to be authenticated
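
What the three items in the last step could look like if the third-party server is FreeRADIUS 3.x, which is an assumption because the page does not name a RADIUS product. This is an added example, not part of the original procedure; the client name, initiator address, target IQN and secret values are constructed placeholders.

```conf
# --- clients.conf: register the initiator node as a RADIUS client ---
# "iscsi-initiator-01" and 10.0.0.50 are constructed sample values.
client iscsi-initiator-01 {
    # Identity of the initiator node (here, its IP address)
    ipaddr = 10.0.0.50
    # Same value that was entered at the --radius-shared-secret prompt
    secret = REPLACE_WITH_RADIUS_SHARED_SECRET
}

# --- mods-config/files/authorize (the "users" file): one entry per target ---
# User name = target CHAP name (here the target IQN, constructed).
# Password  = that target's CHAP secret. CHAP validation needs the secret
# in cleartext on the server so the response can be recomputed.
"iqn.1986-03.com.sun:02:example-target-01"  Cleartext-Password := "REPLACE_WITH_TARGET_CHAP_SECRET"
```

Both files hold secrets in cleartext, so restrict read access to the account the RADIUS daemon runs as.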

h5. Where to Go Next
* [How to Simplify Target CHAP Management Using a RADIUS Server]


Copyright 1994-2009 Sun Microsystems, Inc.