Connect to Openfiler SAN using CHAP authentication (MS iSCSI Initiator)

Assuming that you’ve made yourself familiar with the procedure on how to allow/deny access to a specific LUN based upon IP addresses, you might have wondered whether you can secure access to a LUN even more. After all, spoofing an IP address is not that hard to do, and if an IP-based ACL is the only security, then you’ll have a false sense of security. So, in case you want to secure your Openfiler based SAN just a little more, this is what you can do. Before explaining the procedure, I’d like to add that it is very important to follow the sequence shown below exactly.

On the Openfiler management website, go to the volume that you want to secure. Edit the LUN and go to the iSCSI CHAP Authentication section for the currently selected volume. Verify that there is no CHAP username/password filled out yet. MS iSCSI Initiator Discovery and Openfiler CHAP authentication don’t work well together, so you’ll have to add the Target in MS iSCSI Initiator without a password, then set the password on the filer, refresh the targets and log on using the username/password.

First, note the Initiator Name.

[Screenshot: MS iSCSI Initiator showing the Initiator Name]

Go to the “Discovery” tabsheet and add a Target Portal. Don’t specify a CHAP username and password. Next, go to the “Targets” tabsheet. You should now see the LUN that is hosted on the filer (status set to inactive).

Go to the Openfiler administration website, edit the volume, and go to the iSCSI CHAP authentication section. Fill out the username and password next to “IncomingUser”.

Make sure to use the Initiator name as username, and choose a 12-character password. I’ve noticed that Microsoft isn’t too happy about strange characters, so you’ll need to play with the passwords a bit.

[Screenshot: Openfiler iSCSI CHAP authentication section with IncomingUser filled out]

Click “Change”.

Next, open an SSH shell on your filer and run:

[root@san01 ~]# service iscsi-target restart
Stopping iSCSI target service: [ OK ]
Starting iSCSI target service: [ OK ]

[root@san01 ~]#

Go back to the Microsoft iSCSI Initiator client, “Targets” tabsheet, select the Target and click “Log on”.

[Screenshot: MS iSCSI Initiator Targets tabsheet, Log On to Target dialog]

Next, click “Advanced”.

Set the adapter & IP properties, enable “CHAP logon information” and fill out the user name (leave it as is; the Initiator name is supplied automatically) and password.

[Screenshot: Advanced Settings dialog with CHAP logon information enabled]

Click “OK” to save, then click “OK” to close the “Log On to Target” dialog box.

Look at the status of the Target volume. It should now say “Connected”.
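To make clear what the CHAP step above actually buys you over an IP-based ACL, here is an added example (not Openfiler or Microsoft code, and not part of the original post) that models the CHAP exchange between the filer (target) and the MS iSCSI Initiator. It uses the two constraints the procedure names: the Initiator Name is the CHAP username, and the secret is a 12-character string of plain letters and digits. The initiator name, the secret, and the `Target`/`Initiator` classes are constructed for illustration; they model only the CHAP round of an iSCSI login, not the full protocol. The point to see is that the secret itself never crosses the wire, so a host that merely spoofs the initiator's IP address (or even its Initiator Name) still cannot produce a valid response.

```python
"""Model of the iSCSI CHAP round configured in the procedure above.

Added example, not Openfiler or Microsoft code. Names and secrets below are
constructed placeholders; Target/Initiator model only the CHAP step.
"""
import hashlib
import hmac
import os
import secrets
import string

# Constructed values (placeholders, not taken from the article).
EXAMPLE_INITIATOR_NAME = "iqn.1991-05.com.microsoft:host01.example.local"
EXAMPLE_SECRET = "Ab3dEf6hIj9k"

# Letters and digits only: the article notes the Microsoft initiator is
# fussy about unusual characters in the secret.
SECRET_ALPHABET = string.ascii_letters + string.digits
MIN_SECRET_LENGTH = 12


def is_safe_secret(secret: str) -> bool:
    """True if the secret is at least 12 chars and uses only letters/digits."""
    return len(secret) >= MIN_SECRET_LENGTH and all(c in SECRET_ALPHABET for c in secret)


def make_chap_secret(length: int = MIN_SECRET_LENGTH) -> str:
    """Generate a random secret that satisfies is_safe_secret()."""
    if length < MIN_SECRET_LENGTH:
        raise ValueError(f"secret must be at least {MIN_SECRET_LENGTH} characters")
    return "".join(secrets.choice(SECRET_ALPHABET) for _ in range(length))


def chap_response(identifier: int, secret: str, challenge: bytes) -> bytes:
    """RFC 1994 CHAP response with MD5 (CHAP algorithm 5, as used by iSCSI).

    response = MD5(identifier || secret || challenge). Only this digest is
    sent over the network; the secret itself stays on both endpoints.
    """
    if not 0 <= identifier <= 255:
        raise ValueError("CHAP identifier is a single byte")
    return hashlib.md5(bytes([identifier]) + secret.encode("ascii") + challenge).digest()


class Target:
    """Filer side: holds the IncomingUser name/secret and issues challenges."""

    def __init__(self, incoming_users: dict):
        self._users = dict(incoming_users)
        self._next_id = 0

    def challenge(self) -> tuple:
        """Return (identifier, random 16-byte challenge).

        A fresh challenge per login is what stops a captured response from
        being replayed later.
        """
        self._next_id = (self._next_id + 1) % 256
        return self._next_id, os.urandom(16)

    def verify(self, username: str, identifier: int, challenge: bytes, response: bytes) -> bool:
        """Recompute the expected digest for this user and compare in constant time."""
        secret = self._users.get(username)
        if secret is None:
            return False
        expected = chap_response(identifier, secret, challenge)
        return hmac.compare_digest(expected, response)


class Initiator:
    """MS iSCSI Initiator side: its Initiator Name is the CHAP username."""

    def __init__(self, name: str, secret: str):
        self.name = name
        self.secret = secret

    def respond(self, identifier: int, challenge: bytes) -> tuple:
        return self.name, chap_response(identifier, self.secret, challenge)


def run_login(target: Target, initiator: Initiator) -> bool:
    """One CHAP round: target challenges, initiator answers, target verifies."""
    identifier, challenge = target.challenge()
    username, response = initiator.respond(identifier, challenge)
    return target.verify(username, identifier, challenge, response)


if __name__ == "__main__":
    filer = Target({EXAMPLE_INITIATOR_NAME: EXAMPLE_SECRET})
    legit = Initiator(EXAMPLE_INITIATOR_NAME, EXAMPLE_SECRET)
    spoofer = Initiator(EXAMPLE_INITIATOR_NAME, "Zz3dEf6hIj9k")  # right name, wrong secret
    print("legitimate initiator:", run_login(filer, legit))   # True
    print("spoofed name, no secret:", run_login(filer, spoofer))  # False
```

`make_chap_secret()` gives you a secret that already fits the "12 characters, nothing strange" rule from the procedure, which saves the trial and error with the Microsoft initiator. Note that the CHAP digest is plain MD5 over the secret, so the secret's length and randomness are what protect it against offline guessing if the exchange is ever captured; that is another reason not to pick a short or dictionary-based secret.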

© 2007 – 2008, Corelan Team (corelanc0d3r). All rights reserved.
