ESXi iSCSI Change CHAP Algorithms

Article ID: 411337

Products

VMware vSphere ESXi

Issue/Introduction

This article explains the iSCSI CHAP (Challenge-Handshake Authentication Protocol) authentication algorithm support in VMware ESXi. Beginning with **ESXi 7.0**, only **MD5** is supported as the hashing algorithm for CHAP authentication.

Environment

VMware vSphere ESXi 7.X and later

Cause

When configuring or troubleshooting iSCSI CHAP authentication on ESXi 7.0 or later, you may observe the following:

  • The ESXi host fails to connect to an iSCSI target that requires a CHAP algorithm other than MD5 (for example, SHA-1 or SHA-256).
  • Storage vendor documentation lists support for multiple CHAP algorithms, but the ESXi host only negotiates MD5.
  • Attempting to enforce non-MD5 CHAP algorithms on the iSCSI target results in login failures.

Resolution

VMware ESXi 7.0 and later versions only implement **MD5** for iSCSI CHAP authentication.

This is by design. Although the CHAP protocol specification allows for different digest algorithms, ESXi limits support to MD5 for interoperability and consistency reasons.

  • Ensure that your iSCSI targets are configured to accept **MD5** for CHAP authentication when used with ESXi 7.0 and above.
  • If your storage system requires other algorithms (such as SHA-1 or SHA-256), reconfigure it to support MD5 or use a different authentication mechanism if available.
  • For environments with security policies that restrict MD5 usage, consider isolating iSCSI traffic within a secured network segment (dedicated VLANs, IPsec, or physical isolation) to mitigate risk.
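The login behaviour described above can be reproduced with a small simulation. This is an added example, not VMware code: it models an initiator that offers only MD5 against targets with different allowed lists. The function names and the sample secret are constructed for illustration, the CHAP_A numbers are the IANA values (5 = MD5, 6 = SHA-1, 7 = SHA-256), and the target's selection order is a simplifying assumption.

```python
import hashlib
import hmac
import os

# CHAP_A identifiers carried in the iSCSI login (IANA PPP authentication algorithm numbers).
CHAP_ALGS = {5: "md5", 6: "sha1", 7: "sha256"}
ESXI_OFFER = [5]  # per this article, ESXi 7.0+ negotiates MD5 only


def target_select(offered, target_allowed):
    """Return the first offered CHAP_A the target also allows; None means the login is rejected.

    Assumption: the target walks the initiator's list in order.
    """
    for alg in offered:
        if alg in target_allowed and alg in CHAP_ALGS:
            return alg
    return None


def chap_response(alg, chap_id, secret, challenge):
    """RFC 1994 response value: H(identifier byte || secret || challenge)."""
    h = hashlib.new(CHAP_ALGS[alg])
    h.update(bytes([chap_id]) + secret + challenge)
    return h.digest()


def login(target_allowed, initiator_secret, target_secret):
    """Simulate one-way CHAP; returns 'no-common-algorithm', 'auth-failed' or 'ok'."""
    alg = target_select(ESXI_OFFER, target_allowed)
    if alg is None:
        return "no-common-algorithm"
    # Target sends a fresh identifier (CHAP_I) and challenge (CHAP_C).
    chap_id, challenge = os.urandom(1)[0], os.urandom(16)
    reply = chap_response(alg, chap_id, initiator_secret, challenge)  # initiator's CHAP_R
    expected = chap_response(alg, chap_id, target_secret, challenge)
    return "ok" if hmac.compare_digest(reply, expected) else "auth-failed"


if __name__ == "__main__":
    secret = b"constructed-example-secret"  # constructed sample value
    print(login([7], secret, secret))       # target enforces SHA-256 only
    print(login([5, 7], secret, secret))    # target also accepts MD5
    print(login([5], secret, b"other-secret-value"))  # MD5 agreed, secrets differ
```

A target restricted to SHA-256 fails before any secret is checked, which is why correcting the CHAP credentials alone does not clear this class of login failure.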

Additional Information

ESXi 6.7 and earlier versions also used MD5 for CHAP, but some third-party documentation referenced multiple possible algorithms. With ESXi 7.0, MD5 remains the **only supported option**.


Both **unidirectional CHAP** (host authenticates to target) and **bidirectional CHAP** (mutual authentication) continue to function, but the digest algorithm remains MD5.

Confirm CHAP authentication configuration on your ESXi host with the following methods:

#esxcli iscsi adapter auth chap get -A vmhba##

or 

#vsish -e get /vmkModules/iscsi_vmk/adapter/vmhba##/session/*/connection/*/info