Unable to Retrieve Both Incoming and Outgoing CHAP Authentication Flow Due to Missing Command Option.
search cancel

Unable to Retrieve Both Incoming and Outgoing CHAP Authentication Flow Due to Missing Command Option.

book

Article ID: 397372

calendar_today

Updated On:

Products

VMware vSphere ESXi

Issue/Introduction

While attempting to retrieve both incoming and outgoing CHAP authentication flows, only a single direction is displayed.

Environment

8.0 U3D

Cause

This issue can occur if the -d option is not included when using the esxcli command to check CHAP settings. Without specifying -d mutual or -d uni, the command retrieves only one direction of the CHAP authentication flow (either incoming or outgoing), rather than both. As a result, the full CHAP configuration may not be visible.

Resolution

To display both incoming (target to initiator) and outgoing (initiator to target) CHAP settings on an ESXi host, you can use the esxcli iscsi CHAP “get” command. The syntax is as follows:

 

# esxcli iscsi adapter target portal auth chap get -A vmhba** -a ***.**.**.***** -n ***.****-**.***.***********-powerstore-**************-*-*********** -d uni ***.****-**.***.***********-powerstore-**************-*-***********

Sample output:

  Address ***.**.**.*****
  TargetName ***.****-**.***.***********-powerstore-**************-*-***********
   Method chap
   Direction uni
  Name ***.****-**.****.******************
   Level required
   Inheritance false
  Parent vmhba**

# esxcli iscsi adapter target portal auth chap get -A vmhba** -a ***.**.**.***** -n ***.****-**.***.***********-powerstore-**************-*-*********** -d mutual ***.****-**.***.***********-powerstore-**************-*-***********

Sample output:

  Address ***.**.**.*****
  TargetName ***.****-**.***.***********-powerstore-**************-*-***********
   Method chap
   Direction mutual
  Name ***.****-**.****.******************
   Level required
   Inheritance false
  Parent vmhba**

 

Here, --adapter (or -A) specifies the iSCSI adapter (e.g., vmhba**), and --direction (or -d) defines the CHAP authentication direction:

 

  • uni is used for one-way CHAP, which covers only outgoing authentication.

  • mutual is used for bidirectional CHAP, enabling both incoming and outgoing authentication.

 

For instance, to fetch CHAP settings in both directions (mutual CHAP) for the adapter vmhba33:

 

# esxcli iscsi adapter auth chap get -A vmhba** -d uni

# esxcli iscsi adapter auth chap get -A vmhba** -d mutual

 


This will show the CHAP name and level for both directions. If no CHAP is configured, the output might display something like:

 

Direction: uni

Name:

Level: prohibited

And

Direction: mutual

Name:

Level: prohibited

 

This indicates that CHAP is currently disabled. In summary, the -d mutual and -d uni options are used to instruct ESXi to display the bidirectional and unidirectional CHAP settings, respectively.

 

esxcli iscsi Commands

Powered by Wolken Software