Upload: phungduong

Post on 08-Feb-2018

HOWTO: Securing ISCSI LUNs with Mutual CHAP on Windows

This document covers enabling Mutual CHAP to secure iSCSI LUNs presented by a NetApp controller. The hosts mounting the LUNs will be Windows 2003, Windows 2008 and Windows 2012.

Assumptions:

1) You have installed and fully patched Windows 2003, 2008, 2012.

2) You have a NetApp controller or ONTAP Simulator with iSCSI licensed and running.

3) The LUNs in this document will be small simply to demonstrate the configuration steps. NetApp LUN management software, such as SnapDrive for Windows, will not be used in order to keep the configuration simple. Note that SnapDrive does support Mutual CHAP so use it if you have licenses. SnapDrive makes LUN management very easy.

4) The native DSM MPIO feature of Windows 2008 and 2012 will be enabled. On Windows 2003, the NetApp DSM MPIO will be used because Windows 2003 is quite lame.

5) In a Production environment, you should have a separate VLAN to isolate your storage traffic (iSCSI and NFS) and send that traffic over a dedicated NIC or multiple Teamed/Bonded NICs. You don’t have to set it up this way but it is a best practice.

6) Your iSCSI NIC has an IP address configured and you can ping the storage array. You should not route your iSCSI traffic, so a default gateway is not needed on the iSCSI NIC; only an IP and default mask.

7) Your NetApp volume(s) are already created where the LUNs will reside.

8) Determine in advance a strong CHAP secret (think of a strong password) for the iSCSI Initiator on the server and a different one for the NetApp Controller.

Install MPIO and the iSCSI Service in Windows

This step loads the prerequisites and allows you to capture the iSCSI iqn of the hosts that will be mapped to the LUNs.

Windows 2003

1) Install the Microsoft iSCSI initiator. Download it free from the URL below.

a. http://www.microsoft.com/en-us/download/details.aspx?id=18986

b. Double-click the Initiator-2.08-build3825-x86fre.exe file > Next > select all options and click Next > I agree with the license and click Next > Finish > the server will automatically reboot.

2) Install Microsoft KB patches: KB919117, KB945119, KB982109, KB931300 and KB937382.

a. For the patches listed above, be careful to select the proper platform (x86 or x64). Sometimes they only list x86 patches and you have to click the “show hotfixes for all platforms” or “expand all” to see the other OS options.

b. Note - in the next step to install the DSM MPIO, if any patches are missing on your server it will tell you what patches it needs.

3) Install NetApp DSM MPIO. Download it from the URL below. You need a NOW account and a license.

a. https://support.netapp.com/NOW/download/software/mpio_win/4.0/

b. Double-click ntap_win_mpio_4.0_setup_x86.msi > Next > click OK on the ALUA message > accept the license and click Next > enter the license and click Next (check the NetApp support site for your licenses) > use the default system account and click Next > do not install HyperV utilities and click Next > Next > Next > Next > Install > ignore the no FC adapter message, click OK (you aren’t using Fibre Channel) > Finish > Yes to reboot.

4) Launch the Microsoft iSCSI Initiator and capture the iqn name.

a. Double-click the Microsoft iSCSI Initiator icon on the desktop.

b. You can get the iSCSI Initiator iqn on the General tab.

c. You can also get the initiator iqn by typing the iscsicli command in a cmd prompt window. The iqn is listed in brackets. Press CTRL+C to break out of the command. Copy the iqn for this host to a text file because you will need it when configuring Mutual CHAP on the NetApp controller.

i. For example: iqn.1991-05.com.microsoft:2003test1.lab.slice2.com

Windows 2008

1) On Windows 2008, the iSCSI Initiator is already installed by default but MPIO is not.

2) In Server Manager, select Features. On the far right click Add Features.

3) In the center of the Features screen, select Multipath I/O and click Next > Install > Close.

4) Enable the iSCSI initiator. Click Start > Administrative Tools > iSCSI Initiator. The first time this is run, the service must be started. Click Yes.

5) Launch the iSCSI Initiator by clicking Start > Administrative Tools > iSCSI Initiator.

6) You can get the iSCSI Initiator iqn on the Configuration tab or by simply typing the iscsicli command in a cmd prompt window. The iqn is listed in brackets. Press CTRL+C to break out of the command. Copy the iqn for this host to a text file because you will need it when configuring Mutual CHAP on the NetApp controller.

a. For example: iqn.1991-05.com.microsoft:netapptools.lab.slice2.com

Windows 2012

1) On the main Server Manager Dashboard, in the center select #2 to Add roles and features.

2) On the Roles and Features Wizard, click Next > Next > Next > Next. On the Select Features screen select Multipath I/O and click Next > Install > click Close when done.

3) Enable the iSCSI initiator. In Server Manager in the upper right, click Tools > iSCSI Initiator. The first time this is run, the service must be started. Click Yes.

4) You can get the iSCSI Initiator iqn on the Configuration tab or by simply typing the iscsicli command in a cmd prompt window. The iqn is listed in brackets. Press CTRL+C to break out of the command. Copy the iqn for this host to a text file because you will need it when configuring Mutual CHAP on the NetApp controller.

a. For example: iqn.1991-05.com.microsoft:win2012std01.lab.slice2.com

Configure the iSCSI NIC

This step eliminates features and options that are not required for iSCSI. Keep it simple right? You should have at least two NICs; one for regular network traffic and one or more for storage traffic. You should have already configured an IP address with no gateway for this NIC. If not, do so before you continue.

Windows 2003

1) Right-click the NIC designated for iSCSI traffic and select Rename. Rename it iSCSI NIC 01 or something descriptive and press Enter to save the change. Note that numbering the NICs is helpful if you are going to Team multiple NICs.

2) Right-click iSCSI NIC 01 and select Properties. Deselect Client for Microsoft Networks and File and Printer Sharing. iSCSI does not use or need them. At the bottom, select both options (Show icon and Notify me). Select Internet Protocol (TCP/IP) and click Properties.

3) On the General tab, click Advanced. Note that no gateway or DNS IP addresses are defined.

4) On the DNS tab, deselect Append parent suffix and Register this connection and click OK > OK and then Close to save the changes. There is no need to engage DNS for the iSCSI sessions on this NIC.

5) Right-click the iSCSI NIC 01 and select Properties. On the General tab click Configure.

6) On the Power Management tab deselect Allow the computer to turn off this device to save power and click OK.

7) For reference: On the Advanced tab, you have tuning options that can be configured such as the Offload variables and Jumbo Packets (or frames). If budget allows, sending your storage traffic over 10 gigabit Ethernet with jumbo frames enabled would provide the best performance. This is where you would set that option if you had the ability to do so.

8) Perform the same steps above for Windows 2008 and 2012. Note that on 2008 and 2012, deselect IPv6 on the Networking tab.

Create the Initiator Groups and LUNs on the NetApp controller

1) I’ll use the NetApp OnCommand System Manager v2.2 LUN Wizard to create the LUNs. Click Start > All Programs > NetApp > OnCommand System Manager > NetApp OnCommand System Manager 2.2. Double-click the controller where you will create the LUNs.

2) Expand Storage and select LUNs. On the right, select the Initiator Group tab and click Create.

3) On the General tab, enter a descriptive name and select Windows from the OS drop-down menu.

4) On the Initiators tab, click Add and enter the server’s iqn (initiator) that you recorded in the earlier steps. Click Create when done. In this case, it’s a Windows 2003 server so the Initiator Group has WIN2003 in its name. You can call it whatever you want.

5) On the LUN Management tab click Create.

6) The Wizard will launch. Click Next on the Welcome Screen. On the General properties screen, enter a descriptive name for the LUN, a solid description of the LUN (like SQL db lun 01 or SPS index lun 01, etc.), set the type to Windows (for Win2003 only), enter your LUN size, select whether you want a Thin provisioned LUN or not and click Next. For Windows 2008 and 2012 select Type: Windows 2008.

7) Click Select an existing volume (you should have already created the volume), enter the path and volume name and click Next. Or click Browse and select the volume.

8) On the Initiator Mapping screen, under Map on the left, check the iSCSI_MCHAP_WIN2003 Initiator Group. On the right under LUN ID, enter 0 and click Next > Next > Finish.

a. The LUN ID number can start at whatever you want. Just be sequential as you create LUNs so it’s easier to manage (for example LUN ID 0, 1, 2, 3, 4, 5, 6 etc.).

b. Note: the Initiator Group and LUN Wizard for Win 2008 and Win 2012 is exactly the same except on the LUN properties screen, make sure you select Windows 2008 Type from the drop-down menu for Windows 2008 and Windows 2012.

9) When done, you should have three LUNs mapped to the correct host based on iqn.

Configure Mutual CHAP on the NetApp Controller

This step is done on the NetApp controller for each initiator that you want to use Mutual CHAP. For this document a simple password will be used. Make sure you have a strong password of at least 12 characters.

1) Obtain the storage controller’s iqn and verify the Portal.

a. Login to the controller and enter the following commands.

> iscsi nodename
iSCSI target nodename: iqn.1992-08.com.netapp:sn.84167939

> iscsi portal show
Network portals:
IP address    TCP Port  TPGroup  Interface
10.10.10.11   3260      1000     e0a

b. Verify that the LUNs are mapped properly and online.

> lun show
/vol/MCHAPVOL/2003_iSCSI_MCHAP_01   5.0g (5371107840)   (r/w, online, mapped)
/vol/MCHAPVOL/2008_iSCSI_MCHAP_01   5.0g (5371107840)   (r/w, online, mapped)
/vol/MCHAPVOL/2012_iSCSI_MCHAP_01   5.0g (5371107840)   (r/w, online, mapped)

c. Verify the Initiator Group (iGroup). Note that the initiators are listed as not logged in. They will be after you complete the MPIO and CHAP configuration on the host.

> igroup show iSCSI_MCHAP_WIN
iSCSI_MCHAP_WIN (iSCSI) (ostype: windows):
    iqn.1991-05.com.microsoft:win2012std01.lab.slice2.com (not logged in)
    iqn.1991-05.com.microsoft:netapptools.lab.slice2.com (not logged in)
    iqn.1991-05.com.microsoft:2003test1.lab.slice2.com (not logged in)

2) Using the list of iqn’s from the Windows hosts, run the following commands to configure Mutual CHAP. Note that it’s a common practice to use the iqn of the host as the inname and the iqn of the controller as the outname. This way there is no possible way to get confused, especially in an environment with large numbers of iSCSI LUNs deployed. The downside is that the command to configure Mutual CHAP on the controller is very long and quite ugly.

The syntax is as follows:

> iscsi security add -i initiator -s chap -p inpassword -n inname -o outpassword -m outname

-i initiator: the iqn of the initiator you want to configure for Mutual CHAP (Host iqn).

-p inpassword: the inbound password for CHAP authentication. The storage system uses the inbound password to authenticate the initiator (Host passwd).

-n inname: the user name for inbound CHAP authentication. The storage system uses the inbound user name to authenticate the initiator (Host iqn).

-o outpassword: the password for outbound CHAP authentication. The storage system presents this password when it is authenticated by the initiator (NetApp passwd).

-m outname: the user name for outbound CHAP authentication. The storage system presents this user name when it is authenticated by the initiator (NetApp iqn).

For the Windows 2003 host:

> iscsi security add -i iqn.1991-05.com.microsoft:2003test1.lab.slice2.com -s chap -p MUTUALCHAP2003 -n iqn.1991-05.com.microsoft:2003test1.lab.slice2.com -o NETAPPMUTUALCHAP -m iqn.1992-08.com.netapp:sn.84167939

For the Windows 2008 host:

> iscsi security add -i iqn.1991-05.com.microsoft:netapptools.lab.slice2.com -s chap -p MUTUALCHAP2008 -n iqn.1991-05.com.microsoft:netapptools.lab.slice2.com -o NETAPPMUTUALCHAP -m iqn.1992-08.com.netapp:sn.84167939

For the Windows 2012 host:

> iscsi security add -i iqn.1991-05.com.microsoft:win2012std01.lab.slice2.com -s chap -p MUTUALCHAP2012 -n iqn.1991-05.com.microsoft:win2012std01.lab.slice2.com -o NETAPPMUTUALCHAP -m iqn.1992-08.com.netapp:sn.84167939
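The iqn-capture steps earlier and the three long commands above are easy to mistype, and a wrong secret only shows up later as a failed login on the host. The following Python script is an added example, not part of this HOWTO: it pulls the bracketed iqn out of saved iscsicli output (as the iqn-capture steps describe), checks that each iqn is well formed and that each secret meets the length rule the Microsoft iSCSI Initiator enforces (12 to 16 ASCII characters when IPsec is not used; the HOWTO asks for at least 12), confirms each host secret differs from the controller secret as assumption 8 requires, and then emits the iscsi security add lines in exactly the syntax shown above. The iqns and the demonstration secrets are the HOWTO's own; the iscsicli banner text is constructed to match the HOWTO's description of that output, not copied from a real session.

```python
"""Added example (not part of the original HOWTO): check CHAP material and
generate the ONTAP `iscsi security add` commands for Mutual CHAP."""
import re

# RFC 3720 iqn form: iqn.<yyyy-mm>.<reversed domain>[:<unique string>]
IQN_RE = re.compile(r"^iqn\.\d{4}-\d{2}\.[a-z0-9.-]+(?::\S+)?$")

# The Microsoft iSCSI Initiator accepts CHAP secrets of 12 to 16 ASCII
# characters when IPsec is not used; the HOWTO asks for at least 12.
MIN_SECRET, MAX_SECRET = 12, 16

# Values taken from the HOWTO's own worked commands.
CONTROLLER_IQN = "iqn.1992-08.com.netapp:sn.84167939"
CONTROLLER_SECRET = "NETAPPMUTUALCHAP"
HOST_SECRETS = {
    "iqn.1991-05.com.microsoft:2003test1.lab.slice2.com": "MUTUALCHAP2003",
    "iqn.1991-05.com.microsoft:netapptools.lab.slice2.com": "MUTUALCHAP2008",
    "iqn.1991-05.com.microsoft:win2012std01.lab.slice2.com": "MUTUALCHAP2012",
}

# Constructed to match the HOWTO's description: iscsicli prints the
# initiator iqn in square brackets (the banner wording is not verbatim).
ISCSICLI_OUTPUT = (
    "Microsoft iSCSI Initiator\n\n"
    "[iqn.1991-05.com.microsoft:2003test1.lab.slice2.com] Enter command or ^C to exit\n"
)


def extract_iqn(iscsicli_output):
    """Return the bracketed iqn from saved iscsicli output, or None."""
    match = re.search(r"\[(iqn\.[^\]\s]+)\]", iscsicli_output)
    return match.group(1) if match else None


def is_valid_iqn(iqn):
    return bool(IQN_RE.match(iqn))


def check_secrets(host_secrets, controller_secret):
    """Return a list of problems; an empty list means the secrets are usable."""
    problems = []
    to_check = list(host_secrets.items()) + [("controller", controller_secret)]
    for owner, secret in to_check:
        if not secret.isascii():
            problems.append(f"{owner}: secret must be ASCII")
        if not MIN_SECRET <= len(secret) <= MAX_SECRET:
            problems.append(
                f"{owner}: secret length {len(secret)} not in {MIN_SECRET}..{MAX_SECRET}")
        # Mutual CHAP needs the inbound (host) and outbound (controller)
        # secrets to differ, as assumption 8 of the HOWTO requires.
        if owner != "controller" and secret == controller_secret:
            problems.append(f"{owner}: host secret must differ from the controller secret")
    return problems


def build_commands(host_secrets, controller_iqn, controller_secret):
    """One `iscsi security add` per initiator, using the HOWTO's convention:
    inname is the host iqn and outname is the controller iqn."""
    problems = check_secrets(host_secrets, controller_secret)
    for iqn in list(host_secrets) + [controller_iqn]:
        if not is_valid_iqn(iqn):
            problems.append(f"{iqn}: not a well-formed iqn")
    if problems:
        raise ValueError("; ".join(problems))
    return [
        f"iscsi security add -i {iqn} -s chap -p {secret} -n {iqn} "
        f"-o {controller_secret} -m {controller_iqn}"
        for iqn, secret in host_secrets.items()
    ]


if __name__ == "__main__":
    print("captured iqn:", extract_iqn(ISCSICLI_OUTPUT))
    for command in build_commands(HOST_SECRETS, CONTROLLER_IQN, CONTROLLER_SECRET):
        print(command)
```

Run it once per batch of hosts and paste the printed lines into the controller console; because the script refuses to emit anything while a secret or iqn is wrong, a typo is caught before it is committed to the controller.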

3) Verify the security configuration on the initiators.

> iscsi security show
Default sec is None
init: iqn.1991-05.com.microsoft:2003test1.lab.slice2.com auth: CHAP Inbound password: **** Inbound username: iqn.1991-05.com.microsoft:2003test1.lab.slice2.com Outbound password: **** Outbound username: iqn.1992-08.com.netapp:sn.84167939
init: iqn.1991-05.com.microsoft:netapptools.lab.slice2.com auth: CHAP Inbound password: **** Inbound username: iqn.1991-05.com.microsoft:netapptools.lab.slice2.com Outbound password: **** Outbound username: iqn.1992-08.com.netapp:sn.84167939
init: iqn.1991-05.com.microsoft:win2012std01.lab.slice2.com auth: CHAP Inbound password: **** Inbound username: iqn.1991-05.com.microsoft:win2012std01.lab.slice2.com Outbound password: **** Outbound username: iqn.1992-08.com.netapp:sn.84167939

Configure MPIO, iSCSI Mutual CHAP and format the LUN

This step enables multi-path and configures iSCSI Mutual CHAP between the server’s iSCSI Initiator and the NetApp controller. Finally you will initialize the Disk and format it with NTFS.

Windows 2003

1) On the Desktop, double-click the Microsoft iSCSI Initiator. On the General tab, click Secret.

2) Enter the NetApp controller’s CHAP secret and click OK. For reference in this document, the secret is NETAPPMUTUALCHAP (from the NetApp command in the previous section).

3) On the Discovery tab click Add.

4) Enter the IP address of your NetApp controller’s NIC that is responsible for iSCSI traffic and click Advanced.

5) On the General tab, perform the following:

a. Local Adapter: select Microsoft iSCSI Initiator

b. Source IP: select the IP associated with the storage traffic on the server (iSCSI NIC 01).

c. Select CHAP login information

d. The username should be the server’s iqn.

e. Target secret is the host’s CHAP password: MUTUALCHAP2003

f. Select Perform mutual authentication.

g. Click OK > OK. Note that if you fat-fingered a password or something is not configured properly, when you click OK it will fail.

6) The controller console will spit out a message similar to:

Sat Jun 1 18:01:48 EDT [iscsi.notice:notice]: ISCSI: New session from initiator iqn.1991-05.com.microsoft:2003test1.lab.slice2.com at IP addr 10.10.10.80.
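The console notice above is the controller's own record of which initiator connected and from which address, which makes it the natural place to notice a session that should not exist. The Python snippet below is an added example, not part of this HOWTO: it parses that notice format, compares each new session's initiator iqn and source address against the expected pairs, and flags unknown initiators, known initiators arriving from an unexpected address, and any address outside the storage subnet. The first log line is the HOWTO's; the other two lines, the addresses assumed for the 2008 and 2012 hosts, and the 10.10.10.0/24 storage subnet are constructed for the example.

```python
"""Added example (not part of the original HOWTO): flag unexpected iSCSI
sessions from the controller's `New session from initiator` notices."""
import ipaddress
import re

SESSION_RE = re.compile(
    r"\[iscsi\.notice:notice\]: ISCSI: New session from initiator (\S+) "
    r"at IP addr (\d+(?:\.\d+){3})\.?\s*$"
)

# Expected initiator -> source address pairs. The 2003 host's address is the
# one in the HOWTO's log line; the other two are constructed for the example.
EXPECTED = {
    "iqn.1991-05.com.microsoft:2003test1.lab.slice2.com": "10.10.10.80",
    "iqn.1991-05.com.microsoft:netapptools.lab.slice2.com": "10.10.10.81",
    "iqn.1991-05.com.microsoft:win2012std01.lab.slice2.com": "10.10.10.82",
}
# Assumed dedicated storage subnet (assumptions 5 and 6 of the HOWTO).
ISCSI_NET = ipaddress.ip_network("10.10.10.0/24")

# First line is from the HOWTO; the remaining lines are constructed.
SAMPLE_LOG = [
    "Sat Jun 1 18:01:48 EDT [iscsi.notice:notice]: ISCSI: New session from initiator "
    "iqn.1991-05.com.microsoft:2003test1.lab.slice2.com at IP addr 10.10.10.80.",
    "Sat Jun 1 18:05:12 EDT [iscsi.notice:notice]: ISCSI: New session from initiator "
    "iqn.1991-05.com.microsoft:netapptools.lab.slice2.com at IP addr 10.10.20.5.",
    "Sat Jun 1 18:07:40 EDT [iscsi.notice:notice]: ISCSI: New session from initiator "
    "iqn.1991-05.com.microsoft:laptop.example.com at IP addr 10.10.10.99.",
]


def parse_session(line):
    """Return {'time', 'initiator', 'addr'} for a new-session notice, else None."""
    match = SESSION_RE.search(line)
    if match is None:
        return None
    return {
        "time": line[:match.start()].strip(),
        "initiator": match.group(1),
        "addr": match.group(2),
    }


def review(lines, expected=EXPECTED, net=ISCSI_NET):
    """Return (kind, initiator, addr) alerts for sessions that break expectations."""
    alerts = []
    for line in lines:
        session = parse_session(line)
        if session is None:
            continue
        iqn, addr = session["initiator"], session["addr"]
        if iqn not in expected:
            alerts.append(("unknown-initiator", iqn, addr))
        elif expected[iqn] != addr:
            alerts.append(("address-mismatch", iqn, addr))
        if ipaddress.ip_address(addr) not in net:
            alerts.append(("off-subnet", iqn, addr))
    return alerts


if __name__ == "__main__":
    for kind, iqn, addr in review(SAMPLE_LOG):
        print(f"{kind}: {iqn} from {addr}")
```

A known iqn showing up from the wrong address, or from off the storage subnet, is worth a look even when CHAP succeeded: it usually means a host was re-addressed or a secret was copied somewhere it should not be.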

7) On the Targets tab, select the Inactive target and click Log On.

8) On the Log On to Target window, select both Automatically restore this connection and Enable multi-path and click Advanced.

9) On the General tab, perform the following:

a. Local adapter: select Microsoft iSCSI Initiator.

b. Source IP: select the IP associated with the storage traffic on the server (iSCSI NIC 01).

c. Target Portal: select the NetApp IP/port pairing.

d. Select CHAP login information

e. The username should be the server’s iqn.

f. Target secret is the host’s CHAP password: MUTUALCHAP2003

g. Select Perform mutual authentication.

h. Click OK > OK > OK to close the Microsoft iSCSI Initiator completely.

10) Launch Computer Management, expand Storage and select Disk Management. The Disk initialization wizard will automatically launch. Click Next > Select Disk 1 and complete the Wizard.

11) In Disk Manager, right-click Disk 1 and select New Volume.

12) Click Next > select Simple and click Next > Next > assign a drive letter and click Next > Next > Finish. You now have a new disk.

13) Right-click the new disk and select Properties. On the Hardware tab you should see a NetApp multi-path disk.

Windows 2008

1) Click Start > All Programs > Administrative Tools > iSCSI Initiator. Click Yes to the first time start pop-up message if it appears. On the right, select the Configuration tab and click CHAP.

2) Enter the NetApp controller’s CHAP secret and click OK. For reference, the secret is NETAPPMUTUALCHAP (from the command in the previous section).

3) On the Discovery tab click Discover Portal.

4) Enter the IP address of your storage array and click Advanced.

5) On the General tab, perform the following:

a. Local Adapter: select Microsoft iSCSI Initiator

b. Initiator IP: select the IP associated with the storage traffic on the server (iSCSI NIC 01).

c. Select Enable CHAP log on

d. The Name should be the server’s iqn

e. Target secret is the host’s CHAP password: MUTUALCHAP2008

f. Select Perform mutual authentication

g. Click OK > OK. Note that if you fat-fingered the password or something is not configured properly, when you click OK it will fail.

6) On the Targets tab, select the Inactive target and click Connect.

7) On the Connect to Target window, select both Add this connection and Enable multi-path and click Advanced.

8) On the General tab, perform the following:

a. Local adapter: select Microsoft iSCSI Initiator.

b. Initiator IP: select the IP associated with the storage traffic on the server (iSCSI NIC 01).

c. Target Portal: select the NetApp IP/port pairing.

d. Select Enable CHAP log on

e. The Name should be the server’s iqn.

f. Target secret is the host’s CHAP password: MUTUALCHAP2008

g. Select Perform mutual authentication

h. Click OK > OK > OK to close the Microsoft iSCSI Initiator completely.

9) Setup MPIO. Click Start > Administrative Tools > MPIO. On the Discover Multi-Paths tab select Add support for iSCSI devices, click Add and when prompted click Yes to reboot the server.

10) After the reboot, verify that the MPIO changes were successful. Start > Administrative Tools > MPIO. Make sure the MSFT2005iSCSIBusType_0x9 Hardware ID is present on the MPIO Devices tab. If so, click Cancel to close. If not, repeat the step above.

11) Launch the iSCSI Initiator. Start > Administrative Tools > iSCSI Initiator. On the Targets tab click Properties. On the Sessions tab, in the Session Information section you should see Authentication: Mutual CHAP. Click Devices.

12) On the Devices window click MPIO.

13) This is where you set the MPIO policy. It defaults to Round Robin which is fine. Click Cancel and exit out of all windows.

14) In Server Manager expand Storage and select Disk Management. Right-click Disk 1 and select Online.

15) Right-click Disk 1 again and select Initialize Disk.

16) Select Disk 1 and the partition style and click OK. Read the Note at the bottom to decide on MBR vs. GPT.

17) Right-click the black line to the right of Disk 1 and select New Simple Volume. Run through the Wizard and configure as needed (or just accept the defaults on each screen).

18) You now have a disk drive E:\.

19) Right-click the disk and select Properties.

20) On the Hardware tab you should see a NetApp multi-path disk. Click Cancel to exit.

Windows 2012

Windows 2012 is essentially the exact process as Windows 2008. The only real differences are the interface and navigation for Server Manager, Disk Management and Computer Management.

The only steps depicted below are how to find the iSCSI Initiator and MPIO off the Tools menu. Other than that just run through the Windows 2008 steps above. When you get to the MPIO step just look at #2 below. When you get to the point when you need to find Disk Management to initialize the disk see #3 and #4 below.

1) In Server Manager, in the upper right select Tools > iSCSI Initiator.

2) In Server Manager, in the upper right select Tools > MPIO.

3) In Server Manager, in the upper right select Tools > Computer Management.

4) Expand Storage and select Disk Management. Right-click Disk 1 and select Online.

5) You are done! Hope this helps.