Users Guide
● The 2FA code expires after 10 minutes or is invalidated if it is already consumed before expiry.
● If a user attempts to login from another location with a different IP-Address while a pending 2FA challenge for the
original IP-Address is still outstanding, the same token will be sent for login attempt from the new IP address.
● The feature is supported with iDRAC Enterprise license.
When 2FA is enabled, following actions are not allowed:
● Login to iDRAC through any UI which uses CLI with default user credentials.
● Login to iDRAC through OMM app via Quick Sync-2
● Add a member iDRAC in Group Manager.
NOTE: Racadm, Redfish, WSMAN, IPMI LAN, Serial, CLI from a source IP works only after successful login from supported
interfaces like iDRAC GUI and SSH.
RSA SecurID 2FA
iDRAC can be configured to authenticate with a single RSA AM server at a time. The global settings on RSA AM server apply to
all iDRAC local users, AD, and LDAP users.
NOTE: RSA SecurID 2FA teature is available only on Datacenter license.
Following are the pre-requisites before you configure iDRAC to enable RSA SecurID:
● Configure Microsoft Active Directory server.
● If you try to enable RSA SecurID on all AD users, add the AD server to the RSA AM server as an Identity Source.
● Ensure you have a generic LDAP server.
● For all LDAP users, the Identity Source to the LDAP server must be added in RSA AM server.
To enable RSA SecurID on iDRAC, the following attributes from the RSA AM server are required:
1. RSA Authentication API URL — The URL syntax is: https://<rsa-am-server-hostname>:<port>/mfa/v1_1,
and by default the port is 5555.
2. RSA Client-ID — By default, the RSA client ID is the same as the RSA AM server hostname. Find the RSA client ID at RSA
AM server's authentication agent configuration page.
3. RSA Access Key — The Access Key can be retreived on RSA AM by navigating to Setup > System Settings > RSA
SecurID > Authetication APIsection, which is usually displayed as
l98cv5x195fdi86u43jw0q069byt0x37umlfwxc2gnp4s0xk11ve2lffum4s8302. To configure the settings through
iDRAC GUI:
● Go to iDRAC Settings > Users.
● From Local Users section, select an existing local user and click Edit.
● Scroll down to the bottom of the Configuration page.
● In RSA SecurID section, Click the link RSA SecurID Configuration to view or edit these settings.
You can also configure the settings as follows:
● Go to iDRAC Settings > Users.
● From Directory Services section, select Microsoft Active Service or Generic LDAP Directory Service, and click
Edit.
● In RSA SecurID section, Click the link RSA SecurID Configuration to view or edit these settings.
4. RSA AM server certificate (chain)
You can login to iDRAC using RSA SecurID token via iDRAC GUI and SSH.
RSA SecurID Token App
You need to install RSA SecurID Token app on you system or on smart phone. When you try to log in to iDRAC, you are asked to
input the passcode shown in the app.
If a wrong passcode is entered, the RSA AM server challenges the user to provide the "Next Token." This may happen even
though the user may have entered the correct passcode. This entry proves that the user owns the right Token that generates
the right passcode.
42
Logging in to iDRAC