Which CHAP authentication mechanism is available when using software iSCSI and dependent hardware iSCSI?

Which CHAP authentication mechanism is available when using software iSCSI and dependent hardware iSCSI? (Choose all correct answers)

A.
Mutual CHAP

B.
Per-subnet CHAP

C.
Per-target CHAP

D.
One-way CHAP

Explanation:

Reference:

1) vsphere-esxi-vcenter-server-50-storage-guide.pdf , Page 82,
“For software and dependent hardware iSCSI adapters, ESXi also supports per-target CHAP authentication”

2) ref: http://pubs.vmware.com/vsphere-50/index.jsp?topic=/com.vmware.vsphere.storage.doc_50/GUID-3F97FB05-3C92-4040-84E7-D928555B3808.html

“In mutual CHAP authentication, also called bidirectional, an additional level of security enables the initiator to authenticate the target. VMware supports this method for software and dependent hardware iSCSI adapters only.”

12 Comments on “Which CHAP authentication mechanism is available when using software iSCSI and dependent hardware iSCSI?

  1. J says:

    On the VCP5 Mock exam, this question asks to choose two. Mutual CHAP and Per-target CHAP are the correct answers. Per-subnet CHAP does not exist, and one-way CHAP is not available when using dependant hardware iSCSI.

    1. Alessio says:

      No, one-way CHAP IS ALSO AVAILABLE when using dependant hardware iSCSI!
      ESXi supports one-way CHAP FOR ALL TYPES of iSCSI initiators, and mutual CHAP only for software and dependent hardware iSCSI.

      http://pubs.vmware.com/vsphere-50/index.jsp?topic=/com.vmware.vsphere.storage.doc_50/GUID-3F97FB05-3C92-4040-84E7-D928555B3808.html

      Mutual CHAP and Per-target CHAP are the correct answers, because one-way CHAP IS ALSO AVAILABLE with software iSCSI and dependent hardware iSCSI.

  2. Bazw23 says:

    Can someone please clarify the answer according to vSphere 5 Docs answer should be (A)Mutual Chap, (D)One-Way Chap

    http://pubs.vmware.com/vsphere-50/index.jsp?topic=/com.vmware.vsphere.storage.doc_50/GUID-3F97FB05-3C92-4040-84E7-D928555B3808.html

    Choosing CHAP Authentication Method
    ESXi supports one-way CHAP for all types of iSCSI initiators, and mutual CHAP for software and dependent hardware iSCSI.

    Before configuring CHAP, check whether CHAP is enabled at the iSCSI storage system and check the CHAP authentication method the system supports. If CHAP is enabled, enable it for your initiators, making sure that the CHAP authentication credentials match the credentials on the iSCSI storage.

    ESXi supports the following CHAP authentication methods:

    One-way CHAP
    In one-way CHAP authentication, also called unidirectional, the target authenticates the initiator, but the initiator does not authenticate the target.

    Mutual CHAP
    In mutual CHAP authentication, also called bidirectional, an additional level of security enables the initiator to authenticate the target. VMware supports this method for software and dependent hardware iSCSI adapters only.

  3. rajab says:

    “For software and dependent hardware iSCSI adapters, you can set one-way CHAP and mutual CHAP for each initiator or at the target level. ”
    P85 storage configuration guide

  4. Bazw23 says:

    As per VCP mock exam the actual question should read

    “Which CHAP authentication mechanisms are ONLY available when using software and dependent hardware iSCSI adapters (Choose Two)?”

    ONLY being the key part which means (a)Mutual Chap and (c)Per-target correct.

  5. Eric says:

    Ed is absolutely right

    A and D

    http://pubs.vmware.com/vsphere-50/index.jsp?topic=%2Fcom.vmware.vsphere.storage.doc_50%2FGUID-488A90C3-4826-4EB7-BAA4-E9C799AA2C02.html

    Set Up CHAP Credentials for iSCSI Initiator
    You can set up all targets to receive the same CHAP name and secret from the iSCSI initiator at the initiator level. By default, all discovery addresses or static targets inherit CHAP parameters that you set up at the initiator level.

    The CHAP name should not exceed 511 alphanumeric characters and the CHAP secret should not exceed 255 alphanumeric characters. Some adapters, for example the QLogic adapter, might have lower limits, 255 for the CHAP name and 100 for the CHAP secret.

    Prerequisites
    ■ Before setting up CHAP parameters for software or dependent hardware iSCSI, determine whether to configure one-way or mutual CHAP. Independent hardware iSCSI adapters do not support mutual CHAP.

    ■ In one-way CHAP, the target authenticates the initiator.

    ■ In mutual CHAP, both the target and the initiator authenticate each other. Use different secrets for CHAP and mutual CHAP.

    When you configure CHAP parameters, verify that they match the parameters on the storage side.

  6. A & D Here’s the vSphere 5 documentation center instructions that shows the answer to be A & D.
    ONE-WAY or MUTUAL

    Choosing CHAP Authentication Method:
    ESXi supports one-way CHAP for all types of iSCSI initiators, and mutual CHAP for software and dependent hardware iSCSI.

    ESXi supports the following CHAP authentication methods:
    One-way CHAP: In one-way CHAP authentication, also called unidirectional, the target authenticates the initiator, but the initiator does not authenticate the target.
    Mutual CHAP: In mutual CHAP authentication, also called bidirectional, an additional level of security enables the initiator to authenticate the target. VMware supports this method FOR SOFTWARE AND DEPENDENT HARDWARE iSCSI adapters ONLY.

    ***** For software and dependent hardware iSCSI adapters, you can set one-way CHAP and mutual CHAP for each initiator or at the target level. Independent hardware iSCSI supports CHAP only at the initiator level.
    When you set the CHAP parameters, specify a security level for CHAP.

    http://pubs.vmware.com/vsphere-50/index.jsp#com.vmware.vsphere.storage.doc_50/GUID-64D12CC2-3994-44A1-8826-345590969ED3.html?resultof=%2522%254d%2575%2574%2575%2561%256c%2522%2520%2522%256d%2575%2574%2575%2561%256c%2522%2520%2522%2543%2548%2541%2550%2522%2520%2522%2563%2568%2561%2570%2522%2520

    Prerequisites:
    Before setting up CHAP parameters for software and dependent hardware iSCSI, determine whether to configure one-way or mutual CHAP.

    ■ In one-way CHAP, the target authenticates the initiator.
    ■ In mutual CHAP, both the target and initiator authenticate each other. Make sure to use different secrets for CHAP and mutual CHAP.

  7. Aaaahhhhhhhhhhhhhhhhhhh C is ALSO CORRECT!!!

    ESXi and vCenter Server 5 Documentation > vSphere Storage > Configuring iSCSI Adapters and Storage

    For software and dependent hardware iSCSI adapters, ESXi ALSO SUPPORTS PER-TARGET CHAP authentication, which allows you to configure different credentials for each target to achieve greater level of security.

    http://pubs.vmware.com/vsphere-50/index.jsp#com.vmware.vsphere.storage.doc_50/GUID-AC65D747-728F-4109-96DD-49B433E2F266.html?resultof=%2522%2570%2565%2572%252d%2574%2561%2572%2567%2565%2574%2522%2520

  8. Jatinder Bhogal says:

    I must admit this is a tad confusing. I put A + D down for the practice exam and it came up incorrect, but there is obvious evidence in the links shared above that A + D is correct. Which answers are correct for the practice exam? A +C? or A+D? you can only choose 2.

    I’ve seen confusion in some of the other practice test questions too (on this site) and I’m losing faith in the integrity on a VCP certification.

    Any help much appreciated.


Leave a Reply

Your email address will not be published. Required fields are marked *