Setup Guide

Troubleshooting RSA SecurID Issues
ID 450
An administrator can set up a special privileged user that has a strong password and does not have RSA
enabled. Should a downgrade event happen, you can log in as the privileged user to disable RSA SecurID 2FA
on all users. In an extreme case, if no user can log in to the system due to the license issue, perform iDRAC
“Reset to Defaults” as a last resort.
6.3 Authentication Failures without being Prompted for RSA Passcode
In this scenario, the Lifecycle Controller log may not give you clues as to what might have gone wrong. This
behavior is expected, since iDRAC does not expose any security information to potential attackers. Check
whether the RSA 2FA global settings are properly configured. To do so, see the Test Connection to RSA AM
Server section.
6.4 Authentication Failures with Correct RSA Passcode
The RSA AM lockout policy could be the source of this failure. Check with the RSA AM server administrator to
see if the user (either local or AD/LDAP) is locked out. Lockout can be due to the lockout policies defined on
the RSA AM server.
Other issues, such as RSA AM losing its connection to the AD/LDAP server, can also cause this failure. While
not covered in this paper, consider this issue when troubleshooting authentication failures where you believe
all correct credentials were provided.
If passcodes are correct and authentication still fails, the passcode that the RSA SecurID app generates may
not match the one generated by RSA AM. In this case, the user can resynchronize the token with RSA AM using
the RSA SecurID Self-Service Console. Otherwise, contact the RSA AM administrator for details on how RSA AM
is configured. For details, see the RSA documentation Resynchronize a Token.
6.5 Authentication Failures with Correct RSA Passcode due to Timeout
If a user enters a correct RSA passcode (either current or next) after the expected time, the iDRAC login
session may time out.
The best practice is to enter a passcode as soon as possible, especially for the “Next Passcode.” Do not wait
for the RSA SecurID Token app to generate a new code. Instead, ensure that you get and use the next code
immediately from the app, as shown in section Get RSA SecurID Token App Ready.
6.6 RSA Configuration gets lost after importing Server Configuration Profile
For security reasons, Server Configuration Profile (SCP) currently includes only the RSA SecurID
authentication server URL. In other words, if you save the iDRAC configuration via SCP and import it back
later, you must configure RSA SecurID again.