NAS542 iSCSI without Chap Authentication

hellspawny2k
hellspawny2k Posts: 2  Freshman Member
edited October 2017 in Personal Cloud Storage
Hello,
i have a Proxmox Server and i assigned a NFS Share to it. That works pretty fine.
Now i want to add a iscsi LUN to Proxmox, i created a Lun/Target inside my NAS but Zyxel NAS542 needs CHAP Authentication. My Proxmox doesn't support Chap Authentication. 
Is there a chance to disable CHAP Authentication ?

Best regards
Carsten

#NAS_September

All Replies

  • MMrr
    MMrr Posts: 31  Freshman Member
    I checked with Zyxel support before,
    the CHAP authentication can't be disable for security reason.
  • Fredzoul1
    Fredzoul1 Posts: 97  Ally Member
    edited October 2017
    No chance to disable it !
    On my NAS540 (the same as NAS542), CHAP is obligatory !
    The only choice you have if you want is to use mutual chap or not !
  • hellspawny2k
    hellspawny2k Posts: 2  Freshman Member
    thank you... my nightmares come true 
  • Mijzelf
    Mijzelf Posts: 2,598  Guru Member
    First Anniversary 10 Comments Friend Collector First Answer
    Have you looked how iSCSI is implemented? I'd expect the firmware backend to dynamically generate an iSCSI configuration file, and then fire up the daemon.
    If you could dive in the gap between creating the configuration file and the starting of the daemon, you could remove the 'chap' line.
  • zoefzoefdedwaas
    zoefzoefdedwaas Posts: 1  Freshman Member
    I know this is old, but answers are a good thing imo. I have a different model, but I suspect your model uses the same underlying logic for iscsi. You can do the following:

    1- create the LUN(s) and target via the webgui
    2- login to your zyxel via ssh (admin@nasaddress), BTW if your pass is longer than 14 chars, only use the first 14 chars, for some reason Zyxel allows you to choose a pass longer then 14 but only uses the first 14 chars.
    3- $ sudo -i (to get root)
    4- targetcli (this will open a shell where you can manage iscsi, use tab completion to get around in it)
    5- ls (to get an overview)
    6- cd /iscsi/iqn.2018-03.com.zyxel:targetname.randomstring/tpg1/ (again use tab completion, so cd /iscsi/iqn<tab><tab<tab<tab> etc. etc.)
    7- set attribute authentication=0
    8- set attribute generate_node_acls=1
    9- 
    set attribute demo_mode_write_protect=0
    10- I also deleted the ACLS by doing; cd acls, delete iqn<tab><tab>
    11- exit
    11- targetcli saveconfig (normally if you exit targetcli, it will autosave, so this is just in case)

    and that should be it, though a reboot of your nas wouldn't hurt now. note that the above config is incredibly insecure, since anybody that can connect to your nas on port 3260 (default iscsi) can read/write to your iscsci portal. so you need some additional network level protection (my own nas is on a separate network, directly connected to my proxmox nodes via a switch).
     
    I also had problems after I was able to add the iscsi storage (which I used as a volume for lvm), and I had to to do a vgchange -a y and a lvchange -a y /dev/MyLVMiSCSIStore/LUN-1 but that may be unrelated and caused by own futzing around.

    More info:
    http://atodorov.org/blog/2015/04/07/how-to-configure-iscsi-target-on-red-hat-enterprise-linux-7/
    http://linux-iscsi.org/wiki/Targetcli#Startup

Consumer Product Help Center