6.1 Ensure bidirectional CHAP authentication for iSCSI traffic is enabled


vSphere allows for the use of bidirectional authentication of both the iSCSI target and host. Bidirectional Challenge-Handshake Authentication Protocol (CHAP), also known as Mutual CHAP, should be enabled to provide bidirectional authentication.


By not authenticating both the iSCSI target and host, there is a potential for a man-in-the-middle attack in which an attacker might impersonate either side of the connection to steal data. Bidirectional authentication can mitigate this risk.

Note: Choosing not to enforce bidirectional authentication can make sense if you create a dedicated network or VLAN to service all your iSCSI devices. If the iSCSI facility is isolated from general network traffic, it is less vulnerable to exploitation.


To enable bidirectional CHAP authentication for iSCSI traffic, perform the following:

From the vSphere Web Client, select the host.

Click Configure then expand Storage.

Select Storage Adapters then select the iSCSI Adapter.

Under Properties click on Edit next to Authentication.

Next to Authentication Method select Use bidirectional CHAP from the dropdown.

Specify the outgoing CHAP name.

Make sure that the name you specify matches the name configured on the storage side.

To set the CHAP name to the iSCSI adapter name, select 'Use initiator name'.

To set the CHAP name to anything other than the iSCSI initiator name, deselect 'Use initiator name' and type a name in the Name text box.

Enter an outgoing CHAP secret to be used as part of authentication. Use the same secret as your storage side secret.

Specify incoming CHAP credentials. Make sure your outgoing and incoming secrets do not match.

Click OK.

Click the second to last symbol labeled Rescan Adapter.

Alternatively, run the following PowerCLI command:

# Set the CHAP settings for the iSCSI adapter
Get-VMHost | Get-VMHostHba | Where {$_.Type -eq 'Iscsi'} | Set-VMHostHba # Use desired parameters here
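
A filled-in version of the command above, as an added example that is not part of the benchmark text. It assumes VMware PowerCLI is loaded and Connect-VIServer has already been run; the function name Set-BidirectionalChap and the host name in the usage comment are hypothetical, and mapping the "Use bidirectional CHAP" option to -ChapType Required with -MutualChapEnabled is an assumption about how the UI setting corresponds to PowerCLI parameters.

```powershell
# Added example, not the benchmark's own code. Function name is hypothetical.
function Set-BidirectionalChap {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string] $VMHostName,
        # Outgoing: the host proves its identity to the iSCSI target.
        [Parameter(Mandatory)] [pscredential] $Outgoing,
        # Incoming: the iSCSI target proves its identity to the host.
        [Parameter(Mandatory)] [pscredential] $Incoming
    )

    $outSecret = $Outgoing.GetNetworkCredential().Password
    $inSecret  = $Incoming.GetNetworkCredential().Password

    # The remediation steps require the two secrets to differ.
    if ($outSecret -ceq $inSecret) {
        throw 'Outgoing and incoming CHAP secrets must not match.'
    }

    $vmhost = Get-VMHost -Name $VMHostName
    foreach ($hba in Get-VMHostHba -VMHost $vmhost -Type IScsi) {
        $target = "$($vmhost.Name)/$($hba.Device)"
        if ($PSCmdlet.ShouldProcess($target, 'Enable bidirectional CHAP')) {
            # Assumption: mutual CHAP needs ChapType Required on the adapter.
            Set-VMHostHba -IScsiHba $hba -ChapType Required `
                -ChapName $Outgoing.UserName -ChapPassword $outSecret `
                -MutualChapEnabled $true `
                -MutualChapName $Incoming.UserName `
                -MutualChapPassword $inSecret | Out-Null
        }
    }

    # Equivalent of the Rescan Adapter step in the Web Client procedure.
    Get-VMHostStorage -VMHost $vmhost -RescanAllHba | Out-Null

    # Report the resulting state so the change can be verified per adapter.
    Get-VMHostHba -VMHost $vmhost -Type IScsi | Select-Object VMHost, Device,
        @{N = 'ChapType';   E = { $_.AuthenticationProperties.ChapType } },
        @{N = 'ChapName';   E = { $_.AuthenticationProperties.ChapName } },
        @{N = 'MutualChap'; E = { $_.AuthenticationProperties.MutualChapEnabled } },
        @{N = 'MutualName'; E = { $_.AuthenticationProperties.MutualChapName } }
}

# Usage (host name is a placeholder); Get-Credential keeps secrets out of history:
#   $out = Get-Credential -Message 'Outgoing CHAP name and secret'
#   $in  = Get-Credential -Message 'Incoming CHAP name and secret'
#   Set-BidirectionalChap -VMHostName 'esxi01.example.test' -Outgoing $out -Incoming $in -WhatIf
```

Run it with -WhatIf first to list the adapters that would be changed; a MutualChap value of False in the final report marks an adapter that is still not authenticating the target.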
