You use the ALTUSER or ALU command to activate users for RSA SecurID RADIUS.
Before you begin
Before you can activate users for RSA SecurID RADIUS, you must first create accounts for the users in RSA Authentication Manager and assign RSA tokens. When you activate a user for IBM® MFA, that user is no longer able to use the z/OS® password to log in. Therefore, the user must first have a valid token and credentials for RSA Authentication Manager.
To defer activation to a later time, omit the ACTIVE keyword from the ALTUSER command, or supply the NOACTIVE keyword to deactivate the authenticator for the user ID.
Procedure
- Enter the following command to activate a user for RSA SecurID RADIUS:
ALU [Login ID] MFA(FACTOR(AZFSIDR1)
ACTIVE TAGS(SIDUSERID:[RSA User ID]))
Where:
- [Login ID] is the z/OS user name.
- ACTIVE activates the AZFSIDR1 authenticator for the user ID.
- [RSA User ID] is the associated RSA user ID. The SIDUSERID tag identifies the RSA user ID to use when an authentication request for this user is sent to the RSA server by IBM MFA:
  - If the security manager user ID matches the RSA server user ID, you can either specify the RSA server user ID in the SIDUSERID tag, or omit it and the security manager user ID is used by default.
  - If the security manager user ID does not match the RSA server user ID, you must specify the RSA server user ID in the SIDUSERID tag.
- If needed, enter the following command to defer activating a user for RSA SecurID RADIUS:
ALU [Login ID] MFA(FACTOR(AZFSIDR1)
TAGS(SIDUSERID:[RSA User ID]))
Then, at a later time, enter an ALTUSER or ALU command of the following form to activate the AZFSIDR1 authenticator for the user ID:
ALU <USERID> MFA(FACTOR(AZFSIDR1) ACTIVE)
- Enter the following command to display IBM MFA information for a user profile:
MULTIFACTOR AUTHENTICATION INFORMATION:
---------------------------------------
PASSWORD FALLBACK IS NOT ALLOWED
FACTOR = AZFSIDR1
STATUS = ACTIVE
FACTOR TAGS =
SIDUSERID:user
- If needed, enter the following command to deactivate a user for RSA SecurID RADIUS:
ALU [Login ID] MFA(FACTOR(AZFSIDR1)
NOACTIVE TAGS(SIDUSERID:[RSA User ID]))
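
The following is an added example, not part of IBM's documentation: a Python check that reads captured listing output in the layout shown in the display step and reports whether AZFSIDR1 is active and which RSA user ID applies under the SIDUSERID default rule. The function names, the sample user IDs, and the INACTIVE status text are assumptions.

```python
import re

FACTOR = "AZFSIDR1"  # RSA SecurID RADIUS factor name used on this page
# Listing as shown on this page.
SAMPLE_ACTIVE = """MULTIFACTOR AUTHENTICATION INFORMATION:
---------------------------------------
PASSWORD FALLBACK IS NOT ALLOWED
FACTOR = AZFSIDR1
STATUS = ACTIVE
FACTOR TAGS =
SIDUSERID:user
"""
# Constructed deferred-activation sample; the INACTIVE status text is an assumption.
SAMPLE_DEFERRED = SAMPLE_ACTIVE.replace("= ACTIVE", "= INACTIVE")

def parse_mfa(listing):
    """Parse the MFA section of a user-profile listing into a dict."""
    info = {"fallback_allowed": None, "factors": {}}
    current, in_tags = None, False
    for line in (raw.strip() for raw in listing.splitlines()):
        fb = re.fullmatch(r"PASSWORD FALLBACK IS (NOT )?ALLOWED", line)
        kv = re.fullmatch(r"(FACTOR|STATUS)\s*=\s*(\S+)", line)
        if fb:
            info["fallback_allowed"] = fb.group(1) is None
        elif kv and kv.group(1) == "FACTOR":
            current = info["factors"].setdefault(kv.group(2), {"status": None, "tags": {}})
            in_tags = False
        elif kv and current is not None:
            current["status"] = kv.group(2)
        elif re.fullmatch(r"FACTOR TAGS\s*=", line):
            in_tags = current is not None
        elif in_tags and ":" in line:
            key, _, value = line.partition(":")
            current["tags"][key] = value
    return info

def audit(zos_user, listing):
    """Return (RSA user ID that will be sent, findings) for one z/OS user ID."""
    info = parse_mfa(listing)
    factor = info["factors"].get(FACTOR)
    if factor is None:
        return None, [f"{FACTOR} is not defined for this user"]
    findings = []
    if factor["status"] != "ACTIVE":
        findings.append(f"{FACTOR} is defined but not active")
    if info["fallback_allowed"] is not False:
        findings.append("listing does not state that password fallback is not allowed")
    # With no SIDUSERID tag, the security manager user ID is used by default.
    return factor["tags"].get("SIDUSERID", zos_user), findings
```

Running `audit` over the listings for all users who should be enrolled shows which accounts were defined with activation deferred and never activated.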