Information
Challenge-Handshake Authentication Protocol (CHAP) requires both client and host to know the secret (password) to establish a connection. Each mutual authentication secret should be unique.
If all mutual authentication secrets are unique, compromise of one secret does not allow an attacker to authenticate to other hosts or clients using that same secret.
NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.
Solution
To change the values of CHAP secrets so they are unique, perform the following:
- From the vSphere Web Client, select the host.
- Click Configure then expand Storage
- Select Storage Adapters then select the iSCSI Adapter.
- Under Properties click on Edit next to Authentication
- Next to Authentication Method specify the authentication method from the dropdown.
- None
- Use unidirectional CHAP if required by target
- Use unidirectional CHAP unless prohibited by target
- Use unidirectional CHAP
- Use bidirectional CHAP
- Specify the outgoing CHAP name.
- Make sure that the name you specify matches the name configured on the storage side.
- To set the CHAP name to the iSCSI adapter name, select "Use initiator name".
- To set the CHAP name to anything other than the iSCSI initiator name, deselect "Use initiator name" and type a name in the Name text box.
<xhtml:ol start="8"> - Enter an outgoing CHAP secret to be used as part of authentication. Use the same secret as your storage side secret.
- If configuring with bidirectional CHAP, specify incoming CHAP credentials.
- Make sure your outgoing and incoming secrets do not match.
<xhtml:ol start="10"> - If configuring with bidirectional CHAP, specify incoming CHAP credentials.
- Make sure your outgoing and incoming secrets do not match.
<xhtml:ol start="11"> - Click OK
- Click the second to last symbol labeled Rescan Adapter