You use the ALTUSER or ALU command to activate users for SafeNet RADIUS.
Before you begin
Before you can activate users for IBM® MFA, you must first create accounts for the users in the SafeNet RADIUS server and assign tokens.
When you activate a user for IBM MFA, that user is no longer able to use the z/OS® password to log in. Therefore, the user must first have a valid token and credentials for the SafeNet RADIUS server.
To defer activation to a later time, omit the ACTIVE keyword from the ALTUSER command, or supply the NOACTIVE keyword to deactivate the authenticator for the user ID.
Procedure
- Enter the following command to activate a user for SafeNet RADIUS:
  ALU [Login ID] MFA(FACTOR(AZFSFNP1) ACTIVE TAGS(RADUSERID:[User ID]))
  Where:
  - [Login ID] is the z/OS user name.
  - ACTIVE activates the AZFRADP1 authenticator for the user ID.
  - [User ID] is the associated SafeNet RADIUS user ID.
- If needed, enter the following command to defer activating a user for SafeNet RADIUS:
  ALU [Login ID] MFA(FACTOR(AZFSFNP1) TAGS(RADUSERID:[User ID]))
  Then, at a later time, enter an ALTUSER or ALU command of the following form to activate the AZFSFNP1 authenticator for the user ID:
  ALU <USERID> MFA(FACTOR(AZFSFNP1) ACTIVE)
- Enter the following command to display IBM MFA information for a user profile:
MULTIFACTOR AUTHENTICATION INFORMATION:
---------------------------------------
PASSWORD FALLBACK IS NOT ALLOWED
FACTOR = AZFSFNP1
STATUS = ACTIVE
FACTOR TAGS =
RADUSERID:user
- If needed, enter the following command to deactivate a user for SafeNet RADIUS:
  ALU [Login ID] MFA(FACTOR(AZFSFNP1) NOACTIVE TAGS(RADUSERID:[User ID]))
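The following Python check is an added example, not part of the IBM documentation. It parses the MFA information shown by the display step above and reports anything that differs from the activated state this procedure produces. The function names are hypothetical, and the sample text is constructed from the output layout on this page.

```python
import re

# Constructed sample, copied from the layout of the display output above.
SAMPLE = """\
MULTIFACTOR AUTHENTICATION INFORMATION:
---------------------------------------
PASSWORD FALLBACK IS NOT ALLOWED
FACTOR = AZFSFNP1
STATUS = ACTIVE
FACTOR TAGS =
RADUSERID:user
"""

def parse_mfa(text):
    """Parse one user's MFA section into a fallback flag and per-factor details."""
    info = {"fallback_allowed": None, "factors": {}}
    current, in_tags = None, False
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith("PASSWORD FALLBACK IS"):
            info["fallback_allowed"] = "NOT ALLOWED" not in line
        elif m := re.fullmatch(r"FACTOR\s*=\s*(\S+)", line):
            current = info["factors"].setdefault(m.group(1), {"status": None, "tags": {}})
            in_tags = False
        elif current is not None and (m := re.fullmatch(r"STATUS\s*=\s*(\S+)", line)):
            current["status"] = m.group(1)
        elif current is not None and re.fullmatch(r"FACTOR TAGS\s*=", line):
            in_tags = True
        elif in_tags and (m := re.fullmatch(r"(\w+):(\S*)", line)):
            current["tags"][m.group(1)] = m.group(2)
    return info

def findings(text, factor="AZFSFNP1"):
    """Return a list of problems; an empty list means the factor is active and mapped."""
    info, out = parse_mfa(text), []
    if info["fallback_allowed"] is not False:
        out.append("password fallback is not reported as NOT ALLOWED")
    entry = info["factors"].get(factor)
    if entry is None:
        return out + [f"{factor} is not defined for this user"]
    if entry["status"] != "ACTIVE":
        out.append(f"{factor} status is {entry['status']}")
    if not entry["tags"].get("RADUSERID"):
        out.append(f"{factor} has no RADUSERID tag")
    return out

if __name__ == "__main__":
    print(findings(SAMPLE) or "OK")
```

A user whose activation was deferred, or whose RADUSERID tag was never set, produces a finding instead of an empty list.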