To enable a user for IBM® MFA for RSA SecurID
authentication you need the user's RSA user ID. Before you can activate users, you must first create
accounts for the users in RSA Authentication Manager and assign RSA tokens.
About this task
To enable users for IBM MFA RSA SecurID
authentication, complete the following steps:
-
In the IBM MFA GUI, click the User
Provisioning tab.
-
Click the plus sign (+) control.
-
Enter the ID for the user. The ID is the user name associated with the effective client user
ID. IBM MFA automatically saves the user ID in
lowercase.
-
Enter the Name for the user. This is a name of your choice.
-
Enter an MFA password of your choice, if applicable. The MFA password is a special password
that allows the user to log in to the IBM MFA server for
IBM MFA-specific actions. This password is unique to the
IBM MFA server.
Note: In this release of IBM MFA, the IBM MFA password is needed only for enrolling tokens for TOTP and Yubico OTP, and for password
authentication with the PAM authentication method. If the user is not using these authentication
methods, you can leave this password blank.
- Click Save.
-
The Policies table shows all of the policies assigned to the user. Click
+ in the Policies section.
The All Policies table shows all of the available policies.
-
Select one or more policies.
Important: For PAM client authentication, if you do not assign one or more authentication
methods, the user is treated as if password fallback is enabled, irrespective of the password
fallback setting for that user account. For information about password fallback, see
Setting password fallback.
-
Click Confirm.
The Authentication Methods table shows the configured authentication methods for the
policy.
-
Select the SecurID authentication method.
-
Click the Edit icon.
-
You are prompted for the user-specific authentication method settings. Specify the RSA user ID
for this user. If you do not specify an RSA user ID, the MFA ID is used by default.
-
Click Confirm.
-
Set Active to On for the authentication method.
-
Click Confirm.
-
The CTC Failure Count is the number of times a user consecutively fails
to provide a valid credential, based on the Max CTC Check Failures Before
Suspension setting in Configuring server options. If the
user exceeds this limit, the Suspended control it set. You must disable the
Suspended control before the user can log in.
-
Inform users to use the IBM MFA Out-of-Band web server login page that you
configured, such as
https://server:port/mfa/policy-name
where
port is the server authentication port you configured and
policy-name is the policy the user must use. You may want to have the user
bookmark this URL.
-
When the user visits the IBM MFA Out-of-Band web login page,
user-specific information about the methods required for the user to log in is
displayed.