What is RADIUS, and how does it relate to CHAP?
Either the target side or the initiator side can offload the work of managing CHAP names and CHAP secrets to a RADIUS server. In this case, each entities outgoing CHAP name and CHAP secret are still configured in the normal place (either iscsiadm modify initiator-node for the initiator or iscsitadm modify admin for the target. But the matching incoming CHAP names and CHAP secrets are now configured on the RADIUS server. (Actually, the target-side must still have the accurate CHAP names; only the CHAP secret is delegated to RADIUS). To make the communications with the RADIUS server secure, a shared “RADIUS secret” is configured between the radius client system (whether initiator or target) and the RADIUS server. The RADIUS server is then configured with a database of expected usernames and passwords that match the expected set of CHAP names and CHAP secrets. Note that for a RADIUS server to perform CHAP authentication, the CHAP secrets must be stored in the clear (non-encrypted) in the
