iSCSI CHAP overview

Challenge Handshake Authentication Protocol (CHAP) is a widely supported authentication method, where a password exchange is used to authenticate the source or target of communication. CHAP uses a three-way handshake algorithm to verify the identity of the ESXi host and, if applicable, of the iSCSI target. The verfication is based on a shared secret key that both the initiator and the target are aware of. The actual password is never sent over the wire; instead, CHAP uses the hash value of the secret.

iSCSI initiators on ESXi hosts can use CHAP for authentication purposes. Two CHAP authentication methods are available:

1. unidirectional CHAP – also called one-way CHAP. With this method, only the target authenticates the initiator; the initiator does not authenticate the target. You need to specify the CHAP secret that will be shared by both the initiator and the target.

2. bidirectional CHAP – also called mutual CHAP. With this method, the target authenticates the initiator, and the initiator also authenticates the target. You need to specify different target and initiator secrets.

ESXi hosts support CHAP authentication at the adapter level, where all targets receive the same secret key from the iSCSI initiator. For software iSCSI and dependent hardware iSCSI initiators, the per-target CHAP authentication is supported.


CHAP is disabled by default on ESXi hosts.
Geek University 2021