diff --git a/docs/formatdomain.html.in b/docs/formatdomain.html.in
index fd3381827c..c2cf75f5ff 100644
--- a/docs/formatdomain.html.in
+++ b/docs/formatdomain.html.in
@@ -1768,12 +1768,12 @@
         holds the actual password or other credentials (the domain XML
         intentionally does not expose the password, only the reference
         to the object that does manage the password).  For now, the
-        only known secret <code>type</code> is "ceph", for Ceph RBD
-        network sources, and requires either an
-        attribute <code>uuid</code> with the UUID of the Ceph secret
-        object, or an attribute <code>usage</code> with the name
-        associated with the Ceph secret
-        object.  <span class="since">libvirt 0.9.7</span>
+        known secret <code>type</code>s are "ceph", for Ceph RBD
+        network sources, and "iscsi", for CHAP authentication of iSCSI
+        targets.  Both require either a <code>uuid</code> attribute
+        with the UUID of the secret object, or a <code>usage</code>
+        attribute matching the key that was specified in the
+        secret object.  <span class="since">libvirt 0.9.7</span>
       </dd>
       <dt><code>geometry</code></dt>
       <dd>The optional <code>geometry</code> element provides the
diff --git a/docs/schemas/domaincommon.rng b/docs/schemas/domaincommon.rng
index 1b49b5aee2..32a69153ad 100644
--- a/docs/schemas/domaincommon.rng
+++ b/docs/schemas/domaincommon.rng
@@ -3642,6 +3642,7 @@
       <attribute name='type'>
         <choice>
           <value>ceph</value>
+          <value>iscsi</value>
         </choice>
       </attribute>
       <choice>
diff --git a/src/conf/domain_conf.c b/src/conf/domain_conf.c
index 8f76e8eacd..159a23dc64 100644
--- a/src/conf/domain_conf.c
+++ b/src/conf/domain_conf.c
@@ -3992,6 +3992,8 @@ virDomainDiskDefParseXML(virCapsPtr caps,
     char *wwn = NULL;
     char *vendor = NULL;
     char *product = NULL;
+    int expected_secret_usage = -1;
+    int auth_secret_usage = -1;
 
     if (VIR_ALLOC(def) < 0) {
         virReportOOMError();
@@ -4029,7 +4031,6 @@ virDomainDiskDefParseXML(virCapsPtr caps,
         if (cur->type == XML_ELEMENT_NODE) {
             if (!source && !hosts &&
                 xmlStrEqual(cur->name, BAD_CAST "source")) {
-
                 sourceNode = cur;
 
                 switch (def->type) {
@@ -4057,6 +4058,11 @@ virDomainDiskDefParseXML(virCapsPtr caps,
                                        protocol);
                         goto error;
                     }
+                    if (def->protocol == VIR_DOMAIN_DISK_PROTOCOL_ISCSI) {
+                        expected_secret_usage = VIR_SECRET_USAGE_TYPE_ISCSI;
+                    } else if (def->protocol == VIR_DOMAIN_DISK_PROTOCOL_RBD) {
+                        expected_secret_usage = VIR_SECRET_USAGE_TYPE_CEPH;
+                    }
                     if (!(source = virXMLPropString(cur, "name")) &&
                         def->protocol != VIR_DOMAIN_DISK_PROTOCOL_NBD) {
                         virReportError(VIR_ERR_INTERNAL_ERROR, "%s",
@@ -4242,8 +4248,9 @@ virDomainDiskDefParseXML(virCapsPtr caps,
                                            _("missing type for secret"));
                             goto error;
                         }
-                        if (virSecretUsageTypeTypeFromString(usageType) !=
-                            VIR_SECRET_USAGE_TYPE_CEPH) {
+                        auth_secret_usage =
+                            virSecretUsageTypeTypeFromString(usageType);
+                        if (auth_secret_usage < 0) {
                             virReportError(VIR_ERR_XML_ERROR,
                                            _("invalid secret type %s"),
                                            usageType);
@@ -4393,6 +4400,13 @@ virDomainDiskDefParseXML(virCapsPtr caps,
         cur = cur->next;
     }
 
+    if (auth_secret_usage != -1 && auth_secret_usage != expected_secret_usage) {
+        virReportError(VIR_ERR_INTERNAL_ERROR,
+                       _("invalid secret type '%s'"),
+                       virSecretUsageTypeTypeToString(auth_secret_usage));
+        goto error;
+    }
+
     device = virXMLPropString(node, "device");
     if (device) {
         if ((def->device = virDomainDiskDeviceTypeFromString(device)) < 0) {
@@ -12787,15 +12801,18 @@ virDomainDiskDefFormat(virBufferPtr buf,
     if (def->auth.username) {
         virBufferEscapeString(buf, "      <auth username='%s'>\n",
                               def->auth.username);
+        if (def->protocol == VIR_DOMAIN_DISK_PROTOCOL_ISCSI) {
+            virBufferAsprintf(buf, "        <secret type='iscsi'");
+        } else if (def->protocol == VIR_DOMAIN_DISK_PROTOCOL_RBD) {
+            virBufferAsprintf(buf, "        <secret type='ceph'");
+        }
+
         if (def->auth.secretType == VIR_DOMAIN_DISK_SECRET_TYPE_UUID) {
             virUUIDFormat(def->auth.secret.uuid, uuidstr);
-            virBufferAsprintf(buf,
-                              "        <secret type='ceph' uuid='%s'/>\n",
-                              uuidstr);
+            virBufferAsprintf(buf, " uuid='%s'/>\n", uuidstr);
         }
         if (def->auth.secretType == VIR_DOMAIN_DISK_SECRET_TYPE_USAGE) {
-            virBufferEscapeString(buf,
-                                  "        <secret type='ceph' usage='%s'/>\n",
+            virBufferEscapeString(buf, " usage='%s'/>\n",
                                   def->auth.secret.usage);
         }
         virBufferAddLit(buf, "      </auth>\n");
diff --git a/tests/qemuxml2argvdata/qemuxml2argv-disk-drive-network-iscsi-auth.xml b/tests/qemuxml2argvdata/qemuxml2argv-disk-drive-network-iscsi-auth.xml
new file mode 100644
index 0000000000..acaa5031e9
--- /dev/null
+++ b/tests/qemuxml2argvdata/qemuxml2argv-disk-drive-network-iscsi-auth.xml
@@ -0,0 +1,31 @@
+<domain type='qemu'>
+  <name>QEMUGuest1</name>
+  <uuid>c7a5fdbd-edaf-9455-926a-d65c16db1809</uuid>
+  <memory unit='KiB'>219136</memory>
+  <currentMemory unit='KiB'>219136</currentMemory>
+  <vcpu placement='static'>1</vcpu>
+  <os>
+    <type arch='i686' machine='pc'>hvm</type>
+    <boot dev='hd'/>
+  </os>
+  <clock offset='utc'/>
+  <on_poweroff>destroy</on_poweroff>
+  <on_reboot>restart</on_reboot>
+  <on_crash>destroy</on_crash>
+  <devices>
+    <emulator>/usr/bin/qemu</emulator>
+    <disk type='network' device='disk'>
+      <driver name='qemu' type='raw'/>
+      <auth username='myname'>
+        <secret type='iscsi' usage='mycluster_myname'/>
+      </auth>
+      <source protocol='iscsi' name='iqn.1992-01.com.example'>
+        <host name='example.org'/>
+      </source>
+      <target dev='vda' bus='virtio'/>
+    </disk>
+    <controller type='usb' index='0'/>
+    <controller type='ide' index='0'/>
+    <memballoon model='virtio'/>
+  </devices>
+</domain>
diff --git a/tests/qemuxml2xmltest.c b/tests/qemuxml2xmltest.c
index 41613ea95c..899414df5f 100644
--- a/tests/qemuxml2xmltest.c
+++ b/tests/qemuxml2xmltest.c
@@ -175,6 +175,7 @@ mymain(void)
     DO_TEST("disk-drive-network-nbd-ipv6-export");
     DO_TEST("disk-drive-network-nbd-unix");
     DO_TEST("disk-drive-network-iscsi");
+    DO_TEST("disk-drive-network-iscsi-auth");
     DO_TEST("disk-scsi-device");
     DO_TEST("disk-scsi-vscsi");
     DO_TEST("disk-scsi-virtio-scsi");