ESX/ESXi supports one-way CHAP for both hardware and software iSCSI, and mutual CHAP for software iSCSI only.

Before configuring CHAP, check whether CHAP is enabled at the iSCSI storage system and check the CHAP authentication method the system supports. If CHAP is enabled, enable it for your initiators, making sure that the CHAP authentication credentials match the credentials on the iSCSI storage.

ESX/ESXi supports the following CHAP authentication methods:

One-way CHAP

In one-way, or unidirectional, CHAP authentication, the target authenticates the initiator, but the initiator does not authenticate the target.

Mutual CHAP (software iSCSI only)

In mutual, or bidirectional, CHAP authentication, an additional level of security enables the initiator to authenticate the target.

For software iSCSI only, you can set one-way CHAP and mutual CHAP for each initiator or at the target level. Hardware iSCSI supports CHAP only at the initiator level.

When you set the CHAP parameters, specify a security level for CHAP.

CHAP Security Level

CHAP Security Level



Do not use CHAP

The host does not use CHAP authentication. Select this option to disable authentication if it is currently enabled.

Software iSCSI

Hardware iSCSI

Do not use CHAP unless required by target

The host prefers a non-CHAP connection, but can use a CHAP connection if required by the target.

Software iSCSI

Use CHAP unless prohibited by target

The host prefers CHAP, but can use non-CHAP connections if the target does not support CHAP.

Software iSCSI

Hardware iSCSI


The host requires successful CHAP authentication. The connection fails if CHAP negotiation fails.

Software iSCSI