Data Domain - Configuring and enabling multifactor authentication
Summary: Introduced in DDOS 7.5 and in DDMC 7.11, multifactor authentication adds an extra layer of security to the protection system. It requires the security officer and system administrator to enter an RSA SecurID passcode before certain destructive commands or configuration changes are allowed. The Multifactor Authentication panel allows the user to configure, enable, and disable multifactor authentication. ...
Instructions
Configuring and enabling multifactor authentication for DDOS starting 7.5
Steps
1. Select Administration > Access > Authentication.
The Authentication view appears.
2. Expand the Multi-factor Authentication panel.
3. Click Configure.
The RSA SecurID Server Authentication dialog box appears.
4. Specify the RSA configuration values:
a. In the Server URL field, specify the RSA server URL.
b. In the Client Key field, specify the RSA client key.
c. In the Client ID field, specify the RSA client ID.
d. In the Connection Timeout field, optionally change the connection timeout value.
e. In the Read Timeout field, optionally change the Read timeout value.
f. In the Replica URLs field, optionally specify any replica URLs for the RSA server.
5. Click OK.
6. Click + Add to select and add the RSA server certificate to the protection system.
7. Click OK.
8. Click Enable.
9. Specify the security officer credentials:
a. In the Username field, specify the security officer username.
b. In the Password field, specify the security officer password.
10. Click Next.
11. In the Password field, specify the sysadmin password.
12. Click Finish.
13. If necessary, click Edit to change the RSA configuration values.
Disabling multifactor authentication
Steps
1. Select Administration > Access > Authentication. The Authentication view appears.
2. Expand the Multifactor Authentication panel.
3. Click Disable. The Disable RSA SecurID dialog box appears.
4. Specify the security officer credentials:
a. In the Username field, specify the security officer username.
b. In the Password field, specify the security officer password.
c. In the Passcode field, specify the security officer RSA passcode.
5. Click Next.
6. Specify the sysadmin credentials:
a. In the Password field, specify the sysadmin password.
b. In the Passcode field, specify the sysadmin RSA passcode.
7. Click Finish.
Configuring and enabling multifactor authentication for DDMC starting 7.11
Prerequisites
Multifactor authentication adds an extra layer of security on the protection system by requiring users to enter an RSA SecurID passcode before logging in to the system. The Multifactor Authentication panel allows the user to configure, enable, edit, and disable multifactor authentication. Only administrators can configure MFA on DDMC, and doing so always requires the system administrator's password.
Before configuring MFA, add the protection system users to RSA Authentication Manager.
The following DD-specific requirements apply:
● For local, NIS, or AD users, add the user to the RSA internal database first.
● For LDAP users:
○ Add the external identity source to the RSA Operations Console.
○ Link the external identity source in the RSA Security Console.
○ A troubleshoot user is required before enabling MFA. The troubleshoot user can log in to the DDMC to edit or reset the system. This role does not have a passcode and performs no other capabilities.
● Create a unique user ID for each user in RSA Manager before configuring MFA:
○ For local users, create the user ID in the format <DDMC username>@<DDMC serial-number>.
NOTE: Run the system show serialno command to get the system serial number.
○ Do not append the system serial number to the user IDs for AD or NIS users.
○ Regarding permissions, Only Admin, and Admin- are able to XYA.
About this task
MFA for login is only supported for username and password log in from the user interface. It is not supported for SSH, certificate, or token-based login. RSA SecurID is the only supported MFA server.
NOTE: For successful authentication of local users, the corresponding user must be created in the RSA SecurID server with ID username@serial-number. The username is the name of the local user.
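The user ID rules in the prerequisites and in the note above can be checked before MFA is enabled. The following is an added example, not Dell or RSA code: it compares a list of protection system users against a list of user IDs exported from RSA Authentication Manager and reports IDs that are missing or use the wrong form. The serial number, usernames, and both input lists are constructed placeholders; LDAP users, which come from a linked identity source, are not covered.

```python
# Constructed sample data: the serial number and every username are placeholders.
SERIAL = "SERIAL0000EXAMPLE"   # value reported by: system show serialno

DD_USERS = [                   # (username, source) as defined on the DDMC
    ("sysadmin", "local"),
    ("secofficer", "local"),
    ("jdoe", "ad"),
    ("backupop", "nis"),
]

RSA_USER_IDS = {               # user IDs present in RSA Authentication Manager
    "sysadmin@SERIAL0000EXAMPLE",
    "secofficer",              # local user created without the serial suffix
    "jdoe@SERIAL0000EXAMPLE",  # AD user carrying a suffix it must not have
    "backupop",
}


def expected_rsa_id(username, source, serial):
    """Return the RSA user ID required by the naming rules on this page."""
    source = source.lower()
    if source == "local":
        return f"{username}@{serial}"   # <username>@<serial-number>
    if source in ("ad", "nis"):
        return username                 # serial number is not appended
    raise ValueError(f"no naming rule on this page for source {source!r}")


def preflight(dd_users, rsa_ids, serial):
    """Return (username, problem) for each user whose RSA ID is absent or malformed."""
    findings = []
    for username, source in dd_users:
        want = expected_rsa_id(username, source, serial)
        if want in rsa_ids:
            continue
        # Look for the same user under the other form to suggest a precise fix.
        other = username if source.lower() == "local" else f"{username}@{serial}"
        if other in rsa_ids:
            findings.append((username, f"rename {other!r} to {want!r}"))
        else:
            findings.append((username, f"missing from RSA, create {want!r}"))
    return findings


if __name__ == "__main__":
    for user, problem in preflight(DD_USERS, RSA_USER_IDS, SERIAL):
        print(f"{user}: {problem}")
```

An empty result means every listed local, AD, and NIS user has an RSA user ID in the expected form.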
To ensure that backup applications can access the system without a passcode, MFA for login provides an option to disable MFA for the sysadmin user only.
Steps
1. Select the Settings gear icon > Multifactor Authentication.
The Authentication view appears.
2. Click Configure.
The RSA SecurID Server Authentication dialog box appears.
3. Specify the RSA configuration values:
RSA SecurID Server Configuration values
| Item | Description |
| Server URL | Specify the RSA server URL. |
| Port | Specify the port number. |
| Client ID | Specify RSA client ID Authentication Agent. |
| Client Key | Specify the RSA client key. (This may also be called the access key in the RSA authentication API.) |
| Connection Timeout | Optionally change the connection timeout value. |
| Read Timeout | Optionally change the Read timeout value. |
| Replica URLs | Optionally specify any replica URLs for the RSA server. |
4. Click OK.
5. Click + Add to select and add the RSA server certificate to the protection system.
6. Click OK.
7. Click Enable.
8. Specify the security officer credentials:
a. In the Username field, specify the security officer username.
b. In the Password field, specify the security officer password.
9. Click Next.
10. In the Password field, specify the sysadmin password.
11. Click Finish.
12. Test the connection to the RSA SecurID server: Click Test Connection.
NOTE: Testing the connection is mandatory for MFA for login. If the connection is not tested, sysadmin and security officer users cannot log in to the system. Testing the connection for other users is recommended but not required.
DDMC User Permissions
| Role | Permission |
| Sysadmin (highest DDMC admin role) | Can test passcodes for all users and all admins. |
| Admin | Can test their own passcode and all users below. |
| Limited admin | Can test their own passcode and all users. |
| user | Can only test their own passcode. |
b. In the Username field, specify the username to test.
c. In the Passcode field, specify the sysadmin RSA passcode.
d. Click OK.
14. If necessary, click Edit to change the RSA configuration values.
NOTE: If the system detects that MFA is enabled on one of the systems, but is not enabled on DDMC, a warning banner appears. If MFA is enabled on one or more managed systems, MFA must also be enabled on DDMC. Otherwise, certain features related to DD configuration will be unavailable.
Disabling multifactor authentication
Steps
1. Select Administration > Access > Authentication.
The Authentication view appears.
2. Expand the Multifactor Authentication panel.
3. Click Disable.
The Disable RSA SecurID dialog box appears.
4. Specify the security officer credentials:
b. In the Password field, specify the security officer password.
c. In the Passcode field, specify the security officer RSA passcode.
6. Specify the sysadmin credentials:
b. In the Passcode field, specify the sysadmin RSA passcode.
NOTE: A sysadmin password is required to disable MFA.
Additional Information