diff --git a/usr.sbin/ctld/ctl.conf.5 b/usr.sbin/ctld/ctl.conf.5
index e01f37d417aa..d44caa808036 100644
--- a/usr.sbin/ctld/ctl.conf.5
+++ b/usr.sbin/ctld/ctl.conf.5
@@ -131,9 +131,11 @@ The following statements are available at the portal-group level:
 .It Ic discovery-auth-group Aq Ar name
 Assigns previously defined authentication group to that portal group,
 to be used for target discovery.
-By default, the discovery will be denied.
-A special auth-group, "no-authentication", may be used to allow for discovery
-without authentication.
+By default, portal groups that do not specify their own auth settings,
+using clauses such as "chap" or "initiator-name", are assigned
+predefined auth-group "default", which denies discovery.
+Another predefined auth-group, "no-authentication", may be used
+to permit discovery without authentication.
 .It Ic listen Aq Ar address
 Specifies IPv4 or IPv6 address and port to listen on for incoming connections.
 .It Ic listen-iser Aq Ar address
diff --git a/usr.sbin/ctld/ctld.c b/usr.sbin/ctld/ctld.c
index 0f20ef308a50..a4574820b8d8 100644
--- a/usr.sbin/ctld/ctld.c
+++ b/usr.sbin/ctld/ctld.c
@@ -1132,7 +1132,7 @@ conf_verify(struct conf *conf)
 		assert(pg->pg_name != NULL);
 		if (pg->pg_discovery_auth_group == NULL) {
 			pg->pg_discovery_auth_group =
-			    auth_group_find(conf, "no-access");
+			    auth_group_find(conf, "default");
 			assert(pg->pg_discovery_auth_group != NULL);
 		}
 
@@ -1159,6 +1159,7 @@ conf_verify(struct conf *conf)
 				break;
 		}
 		if (targ == NULL && ag->ag_name != NULL &&
+		    strcmp(ag->ag_name, "default") != 0 &&
 		    strcmp(ag->ag_name, "no-authentication") != 0 &&
 		    strcmp(ag->ag_name, "no-access") != 0) {
 			log_warnx("auth-group \"%s\" not assigned "