Whitepaper: Using iDRAC9 RSA SecurID 2FA

Abstract

Learn how to improve security by configuring iDRAC9 to enable RSA SecurID two-factor authentication (2FA) for local users, Active Directory users, and LDAP users.
Revisions

Date: September 2020. Description: Initial release.

Acknowledgments

Author: Kang Quan. Support: Jason Dale, Doug Roberts, Alaric Silveira, Mark A Evans.

The information in this publication is provided "as is." Dell Inc. makes no representations or warranties of any kind with respect to the information in this publication, and specifically disclaims implied warranties of merchantability or fitness for a particular purpose.
Contents

1 Introduction
1.1 RSA SecurID 2FA license requirement
1.2 Test Environment
Executive summary

As enterprise technology continues to advance, security risks are also on the rise. RSA SecurID is a well-known and broadly deployed two-factor authentication (2FA) technology that may be used to authenticate a user on a system. iDRAC9 with the Datacenter license and firmware version 4.40.00.00 introduces support for RSA SecurID as an additional two-factor authentication method.
1 Introduction

Enabling iDRAC9 to use RSA SecurID 2FA is relatively easy and straightforward. This white paper provides detailed instructions on how to enable it for local users and for AD/LDAP users. It also covers some common issues that you may run into and how to quickly troubleshoot them. In iDRAC9, RSA 2FA enablement requires some global configuration plus per-user configuration (the per-user part applies only to iDRAC local users). This paper shows how to configure RSA SecurID 2FA from the iDRAC UI.
2 iDRAC9 Configuration for RSA SecurID

iDRAC9 can only be configured to authenticate against a single RSA AM server at a time. These global RSA AM server settings apply to all iDRAC local users, AD users, and LDAP users. We go through each of them in detail in the following sections.
RSA SecurID Configuration Page

Warning: For RSA AM administrators, iDRAC does NOT support RSA Access ID. RSA Access ID can be used for additional security to ensure the integrity of the RSA authentication message exchange; however, make sure this feature is disabled. Note that "disabled" is the default setting on the RSA AM server.
• Upload the RSA AM certificate.
• Save the above.
• Ensure that iDRAC can resolve the hostname of the RSA AM server.

Once complete, click "Test Network Connection" to see whether iDRAC can communicate with the RSA AM server. If the test fails (see Figure 2), ensure that all the settings are correct and that the firewall policies have been updated appropriately. See the Troubleshooting section for more details.
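Two of the three things the test depends on can be checked from an administrator workstation before touching iDRAC: that the RSA AM hostname resolves, and that the file you are about to upload actually contains the certificate the RSA AM server presents. The following is an added example written for this page, not code from the whitepaper or from Dell; it assumes a hypothetical hostname and that RSA AM answers on TCP 5555 (RSA's default REST authentication port; iDRAC must reach the same port), and its sample PEM data is constructed, not a real certificate.

```python
"""Pre-flight checks before "Test Network Connection" on the RSA SecurID page.

Added example, not code from the Dell whitepaper; it never talks to iDRAC.
Assumptions: RSA_AM_HOST is hypothetical, and RSA AM listens on TCP 5555
(RSA's default REST authentication port). The SAMPLE_* constants are
constructed placeholders, not real certificates.
"""
import re
import socket
import ssl

RSA_AM_HOST = "rsaam.example.com"  # hypothetical RSA AM hostname
RSA_AM_PORT = 5555                 # assumption: RSA AM REST authentication port

_PEM_CERT = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.DOTALL)


def pem_bodies(pem_text: str) -> list[str]:
    """Base64 bodies of every certificate in a PEM bundle, in file order,
    with whitespace removed so two encodings of one cert compare equal."""
    return [re.sub(r"\s+", "", m.group(1)) for m in _PEM_CERT.finditer(pem_text)]


def bundle_problems(bundle_pem: str, presented_pem: str) -> list[str]:
    """Compare the file to be uploaded with the leaf certificate the server
    presents. An empty list means they agree."""
    bundle = pem_bodies(bundle_pem)
    presented = pem_bodies(presented_pem)
    if not bundle:
        return ["rsa_am.cert contains no PEM certificate"]
    if not presented:
        return ["server presented no PEM certificate"]
    if presented[0] not in bundle:
        return ["the certificate RSA AM presents is not in rsa_am.cert "
                "(wrong file, or the RSA AM certificate was rotated)"]
    return []


def resolve(host: str) -> list[str]:
    """Addresses this workstation resolves HOST to. iDRAC uses its own DNS
    settings, so an empty result proves a DNS problem, but a non-empty one
    does not prove that iDRAC can resolve the name."""
    try:
        infos = socket.getaddrinfo(host, None)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})


def presented_certificate(host: str, port: int) -> str:
    """PEM of the leaf certificate the server presents. Deliberately no
    validation: we fetch it to compare against the file, not to trust it."""
    return ssl.get_server_certificate((host, port))


# Constructed sample bundle: placeholder base64, not real certificates.
SAMPLE_LEAF = "-----BEGIN CERTIFICATE-----\nTEVBRg==\n-----END CERTIFICATE-----\n"
SAMPLE_ISSUER = "-----BEGIN CERTIFICATE-----\nSVNTVUVS\n-----END CERTIFICATE-----\n"
SAMPLE_BUNDLE = SAMPLE_LEAF + SAMPLE_ISSUER


if __name__ == "__main__":
    addrs = resolve(RSA_AM_HOST)
    print("resolves to:", addrs or "nothing; fix DNS before testing from iDRAC")
    if addrs:
        with open("rsa_am.cert") as fh:
            live = presented_certificate(RSA_AM_HOST, RSA_AM_PORT)
            problems = bundle_problems(fh.read(), live)
        for p in problems or ["rsa_am.cert matches the certificate RSA AM presents"]:
            print(p)
```

The comparison is intentionally on the raw certificate bytes rather than on subject names: iDRAC is given a specific chain, so a renewed RSA AM certificate with the same subject still breaks the connection until the new chain is uploaded. The firewall check cannot be done from the workstation; it has to be verified on the path between the iDRAC management network and the RSA AM server.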
2.4 Get the RSA SecurID Token App Ready

The RSA SecurID Token app must be installed on your Windows personal computer or on a smartphone. See the RSA SecurID documentation for details. When you try to log in to iDRAC, you will be prompted to enter the passcode; use the RSA SecurID application to retrieve the passcode (token) as shown in the figure below.

Get passcode from RSA SecurID App.
3 RSA SecurID 2FA with Local Users

3.1 Enable RSA SecurID 2FA on an iDRAC Local User

An iDRAC administrator can enable RSA SecurID 2FA on individual local users. To do so, follow the iDRAC UI navigation menu iDRAC Settings -> Users -> Local Users. Select an existing user and click Edit; the Edit User page is displayed. At the bottom of the user configuration page, find the RSA SecurID section (see image below). Here you can enable or disable RSA SecurID for this user.
Before logging in to iDRAC, ensure that the same user name exists in the RSA AM internal database and that a valid token is assigned to that user. The token is then distributed to the intended recipient. As previously mentioned, iDRAC only supports RSA 2FA on iDRAC GUI login and SSH login. Other interfaces, such as remote RACADM and Redfish, are not challenged for a passcode, so the account password remains the only factor there and those interfaces should be restricted accordingly.

3.2 Log in to iDRAC from the UI with an iDRAC Local User

First, log in with the user credentials configured in iDRAC.
iDRAC challenges the user for a passcode.

For added security, you may configure the RSA AM server to ask for a "Next Token" after multiple incorrect passcode attempts. You must then get the next code from the RSA SecurID app, as the figure below shows.

iDRAC challenges the user with next token.
3.3 Log in to iDRAC from SSH with an iDRAC Local User

Like the UI, SSH gives three attempts to enter a correct RSA passcode. Otherwise, you are challenged from the beginning with local user authentication.

Logging into iDRAC from SSH with a local user.

If too many wrong passcodes are attempted, "Next token" may be required.
4 RSA SecurID 2FA with Active Directory Users

4.1 Enable RSA SecurID 2FA on Active Directory Users

Note: RSA SecurID 2FA can only be applied to all or none of the Active Directory (AD) users. To enable or disable RSA SecurID 2FA for AD users, go to the iDRAC UI and follow the navigation menu iDRAC Settings -> Users -> Directory Services. From there, select Microsoft Active Directory and click the Edit button.
Logging into iDRAC UI with an AD user

Next, the user is challenged with RSA SecurID; you must enter the passcode displayed in the RSA SecurID app for this specific AD user. You have three chances to enter the correct passcode. The same lockout policy applies to AD users as well. For better security, the RSA AM server can be configured to challenge a user with the "next token" after a configurable number of failed attempts.
RSA next passcode required for the AD user

4.3 Log in to iDRAC from SSH with an AD User

To log in over SSH, you must use the User Principal Name (UPN), for example kquan@fwad.local. Again, you have three attempts to enter a correct RSA passcode to be authenticated.
5 RSA SecurID 2FA with Generic LDAP Directory Users

5.1 Enable RSA SecurID 2FA on Generic LDAP Directory Users

Similarly, RSA SecurID 2FA is applied to all or none of the LDAP users. To enable or disable RSA SecurID 2FA for LDAP users, go to the iDRAC UI and follow the navigation menu iDRAC Settings -> Users -> Directory Services. From there, select Generic LDAP Directory Service and click the Edit button.
Logging in iDRAC from UI with LDAP user

After entering the password, the user is challenged with RSA SecurID; you must enter the passcode displayed in the RSA SecurID app for this specific LDAP user. You have three chances to enter the correct passcode. The same lockout policy applies to LDAP users as well. For better security, an RSA AM server can be configured to challenge a user with the "next token" after a configurable number of failed attempts.
RSA next passcode required for the LDAP user

5.3 Log in to iDRAC from SSH with an LDAP User

Similarly, you can log in to iDRAC over SSH using an LDAP user, for example "adm_fwoldap", on which RSA SecurID 2FA is enabled.
Next passcode required for the LDAP user
6 Troubleshooting RSA SecurID Issues

When a user with RSA SecurID enabled fails to authenticate, the problem may be in iDRAC or in the RSA AM server.

6.1 Misconfiguration or iDRAC Configuration Gets Reset

First, check the Lifecycle Log in iDRAC for entries that indicate a problem with the RSA 2FA configuration. Problems can occur even when all the global settings are correct and the RSA AM certificate chain has been uploaded.
An administrator can set up a special privileged user, with a strong password and without RSA enabled, as a recovery account. Should a downgrade event happen, you can log in with this privileged user to disable RSA SecurID 2FA on all users. In the extreme case where no user can log in to the system because of the license issue, perform an iDRAC "Reset to Defaults" as a last resort; this wipes the iDRAC configuration, so plan to reconfigure it afterwards.
Appendix A: Configure iDRAC Using RACADM

A.1 Upload RSA AM Certificate Chain

Run the following RACADM command to upload the RSA AM certificate chain, assuming rsa_am.cert contains the certificate of the RSA AM server along with its signing certificates in a single file:

C:> racadm -r <iDRAC IP> -u <username> -p <password> sslcertupload -t 9 -f rsa_am.cert

Use RACADM to upload RSA cert chain.
racadm>> set iDRAC.Users.3.RSASecurID2FA 1

Use RACADM to enable RSA SecurID 2FA on a local user.

A.4 Enable RSA SecurID on AD Users

Run the following RACADM command to enable RSA SecurID on all AD users:

racadm>> set idrac.ActiveDirectory.RSASecurID2FAAD 1

Use RACADM to enable RSA SecurID 2FA on all AD users.

A.5 Enable RSA SecurID on LDAP Users

Run the following RACADM command to enable RSA SecurID on all LDAP users:

racadm>> set idrac.ldap.
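The per-user commands above are where the recovery account from section 6 is easiest to lose: one stray `set iDRAC.Users.N.RSASecurID2FA 1` on the wrong slot, followed by a license downgrade or an unreachable RSA AM, locks every administrator out of the GUI and SSH. The following is an added example written for this page, not code from the whitepaper or from Dell: it scripts the Appendix A local-user commands through remote RACADM, refuses any plan that would enable RSA on the recovery slot, and reads every touched slot back afterwards. It assumes remote RACADM is on PATH, that the hostname and slot numbers are hypothetical, and that `racadm get iDRAC.Users.N` prints one Attribute=Value line per attribute as in the constructed SAMPLE_GET (adjust rsa_state() if your firmware prints it differently).

```python
"""Enable RSA SecurID 2FA on chosen iDRAC local users with remote RACADM.

Added example, not code from the Dell whitepaper. Assumptions: remote RACADM
is on PATH; IDRAC_HOST and the slot numbers are hypothetical; SAMPLE_GET is a
constructed sample of `racadm get iDRAC.Users.N` output, not captured from a
real system.
"""
import os
import subprocess

IDRAC_HOST = os.environ.get("IDRAC_HOST", "idrac.example.com")  # hypothetical
IDRAC_USER = os.environ.get("IDRAC_USER", "root")
RECOVERY_SLOT = 2  # local-user slot that must never get RSA 2FA (hypothetical choice)

# Constructed sample of `racadm get iDRAC.Users.3` output (format assumed).
SAMPLE_GET = """[Key=iDRAC.Embedded.1#Users.3]
UserName=kquan
Enable=Enabled
RSASecurID2FA=Enabled
"""


def set_args(slot: int, enable: bool) -> list[str]:
    """RACADM arguments (connection options excluded) for one local-user slot,
    mirroring Appendix A.3: set iDRAC.Users.N.RSASecurID2FA 1|0."""
    return ["set", f"iDRAC.Users.{slot}.RSASecurID2FA", "1" if enable else "0"]


def plan(enable_slots: list[int], recovery_slot: int = RECOVERY_SLOT) -> list[list[str]]:
    """Argument lists to run, in order. Refuses a plan that would put RSA 2FA on
    the recovery account, since that account is the way back in when RSA AM is
    unreachable or the Datacenter license has gone away."""
    if recovery_slot in enable_slots:
        raise ValueError(f"slot {recovery_slot} is the recovery account; refusing")
    cmds = [set_args(slot, True) for slot in enable_slots]
    cmds.append(set_args(recovery_slot, False))  # state the invariant on the iDRAC too
    return cmds


def rsa_state(get_output: str) -> str:
    """Value of RSASecurID2FA in `racadm get iDRAC.Users.N` output."""
    for line in get_output.splitlines():
        key, sep, value = line.strip().partition("=")
        if sep and key == "RSASecurID2FA":
            return value.strip()
    raise ValueError("no RSASecurID2FA line in RACADM output")


def racadm(args: list[str], password: str) -> str:
    """Run remote RACADM and return stdout. -p puts the password on the command
    line, where the process list can see it; run this only from a trusted host."""
    cmd = ["racadm", "-r", IDRAC_HOST, "-u", IDRAC_USER, "-p", password, *args]
    return subprocess.run(cmd, check=True, capture_output=True, text=True).stdout


def apply_and_verify(enable_slots: list[int], password: str) -> dict[int, str]:
    """Apply the plan, then read every touched slot back from the iDRAC."""
    for args in plan(enable_slots):
        racadm(args, password)
    return {slot: rsa_state(racadm(["get", f"iDRAC.Users.{slot}"], password))
            for slot in [*enable_slots, RECOVERY_SLOT]}


if __name__ == "__main__":
    import getpass
    states = apply_and_verify([3, 4], getpass.getpass("iDRAC password: "))
    for slot, state in sorted(states.items()):
        print(f"iDRAC.Users.{slot}.RSASecurID2FA = {state}")
```

The recovery account has to be a local user: the AD and LDAP switches in A.4 and A.5 are all-or-none, so there is no way to exempt one directory user. Give that local account a strong password, use it only for recovery, and watch its logins in the Lifecycle Log, because it is exactly the account an attacker who obtains a password would prefer.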
Appendix B: References

iDRAC Users Guide and RACADM Users Guide: www.dell.com/idracmanuals
RSA Authentication Manager (AM) 8.4 Help: https://community.rsa.com/docs/DOC-100436
Integrating iDRAC With Microsoft Active Directory: https://downloads.dell.com/solutions/general-solutionresources/White%20Papers/Integrate_iDRAC_with_Active_Directory.