Hello and welcome to this video where we'll showcase multi-factor authentication, which adds an additional layer of protection when logging in to the Dell PowerProtect Data Manager Appliance. The DM5500 PowerProtect Data Manager appliance is an integrated solution that offers industry-leading deduplication, software-defined data protection, automated discovery, operational agility, self-service, and IT governance for physical, virtual, and cloud environments.
The DM5500 has been designed for ease of use and supports flexible and reliable upgrades. It also supports new modern workloads and a single license model based on back-end usable capacity from 12 terabytes to 96 terabytes in 12-terabyte increments. Security is a key aspect of any appliance, and using password authentication is one of the ways of securing our appliance, but a single level of security is not enough because cyber crimes have become increasingly common. It is important to have a second level of security, namely multi-factor authentication (MFA).
The DM5500 supports multi-factor authentication from Google Authenticator and Microsoft Authenticator applications to generate a time-based one-time password (TOTP) that provides an additional layer of security. Both Google Authenticator and Microsoft Authenticator applications are multi-factor authentication apps that help increase the security of your online accounts. These applications work by generating the TOTP, which you enter in addition to your regular login credentials. Make sure that you install Google Authenticator or Microsoft Authenticator on your mobile device and that it is ready for use.
To start, we log in to the DM5500 with admin credentials. After logging in successfully, select Administration > Access Control, then click the Multi-Factor Authentication tab. Expand One-Time Password Authenticator apps and enable the OTP status button. We can see that MFA is now enabled. We can click View Authentication Settings to display the details on the Users Groups tab. We find a few non-default entries. We'll use MUser1 and black.com/tme for our demo.
First, we add the user called MUser1 as a local user, and a group is added as an Active Directory group. MFA will be applied for both the local user and the users present in the Active Directory group. Let's log out and log in again. We then land on a page that displays a QR code that we can scan. Now go to your mobile device, open Google Authenticator, and choose the Scan QR Code option. When the scanner is enabled, scan the QR code that appears on the DM5500 login page. You will then see the one-time password in your Authenticator app. Enter the one-time password and click Activate MFA. You will now be able to log in to the appliance successfully.
We have already registered Active Directory in this PPDM server and added the AD group to the PPDM Users/Group section. You can see here that the group TME belongs to an Active Directory called black.com and that the user JT is part of the group called TME. Multi-factor authentication will apply to all users that are part of group TME.
We will use the user JT to log in to the PPDM UI. Log out of the PPDM UI and log in again as an AD user. You can see that the MFA password generated in the Authenticator application needs to be entered. We select Administration > Access Control and select the Multi-Factor Authentication tab again to disable MFA. Toggle the OTP status button and disable MFA. Now log in as the user from the same AD group after disabling MFA, and as you can see in the login page, the user is able to log in without MFA authentication.
As you know, the admin user and users with the Security Officer role are bypassed from MFA by default. All other users or users that are part of a group will need to log in using MFA authentication. However, you can use the bypass option so that a specific user can bypass MFA authentications. To do this, go to Administration > Access Control, and then select Users Groups. Select the local user and edit their user properties, select the Bypass checkbox, and finish the configuration. This local user is now bypassed from multi-factor authentication. Log in as this local user and verify that MFA is not enabled for them.
In a few rare cases, an administrator might have to re-register a user to activate MFA for them again, such as if a user intentionally or unintentionally uninstalls a third-party app such as Google Authenticator or Microsoft Authenticator, if the user loses their phone and therefore their access to the app, or if the phone or app is somehow unable to generate the one-time password. To re-register a user, log in as an administrator role user. On the Access Control page, click the Multi-Factor Authentication tab, expand One-Time Password (OTP) Authenticator Apps, then click the Re-Register Users button.
A pop-up will appear for the user type. You can select either local users or directory users. To re-register the user, select the Local User radio button, specify the user name, then click Re-Register. The green banner indicates that the re-registration is successful. Now, let's see how to select an AD user for re-registration. Click the Re-Register Users button again and this time select Directory Users. Enter the AD user name in the format user@domain and click Re-Register. The green banner again indicates that the re-registration is successful.
Log in again as the re-registered user and verify that the QR code to scan appears again on the login page. To sum up, by enabling multi-factor authentication, a user can benefit from an additional layer of security while logging in to the PowerProtect Data Manager Appliance. Thanks for watching.