
KevinConway (Customer) asked a question.
Is there a way to roll back the setting for MFA in the RSA Authentication Manager Security Console from within the Appliance if we get locked out?
We are looking to implement MFA Authentication to the RSA Authentication Manager Security Console. We have tested this using
(RSA_Password/LDAP_Password)+SecurID_Native
This works for our Dev Environment, but we realized that once we enable it on our LDAP based Identity Source Accounts, it prevents the Internal Database Super Admin from logging in. We would like to know if there is a way to reverse the setting from within the Appliance if our LDAP Based Super Admin accounts (there are 3) get locked out or the Software tokens expire, and we cannot get back into the Security Console.
Is there a command that can be run from within the appliance to revert the setting back to Single Factor, like the default?
RSA_Password/LDAP_Password
Thanks,
Kevin C.
If you are setting the agent parameters from a GPO, you can change them on your Domain Controller. A reboot of the workstation will read in the changes.
I’m not sure what you mean by agent settings or parameters with Group Policy. This is just the MFA to access the RSA Security Console from the RSA Security Console link. We are looking to have our Help Desk and Super Admins require MFA when accessing the RSA Security Console Link.
Go to System Settings --> Security Authentication Methods -->
Can the Console Authentication statement Query have 2 values?
One for (RSA_Password/LDAP_Password)+SecurID_Native (Help Desk could use their LDAP Passwords)
And a second OR statement for RSA Super admins
RSA_Password (only the super admins would be able to use this)
(RSA_Password/LDAP_Password)+SecurID_Native /
RSA_Password
Not sure where you can integrate the Security Console Access with Group Policy?
Kevin
When you said MFA, I assumed you were talking about the MFA Agent. If you lock yourself out of the Security Console but have access to the CLI:
Go to /opt/rsa/am/utils. Run the command (example ./rsautil restore-admin -u test1 -p Password1!). This will create a temporary Super admin account with user ID test1 and a password of Password1!. This will allow you to gain access to the Security Console and fix whatever is wrong. It also changes the login option to default. Then you can delete the account. If you don't delete the account, it is good for 24 hours.
Don't run the command for an already existing account.
Thank you so much! I knew about the restore-admin command. I did not know it set the login option to default. This makes me feel more confident with implementing the change in our environment.
Thanks,
Kevin C.
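
Added example, not part of the thread and not RSA's code: a small Python model for checking which accounts a console authentication expression would lock out before the setting is changed. It assumes "+" means both methods are required and "/" means either is accepted, with "+" binding tighter than "/"; the account names and the methods they hold are constructed.

```python
import re

# Assumed semantics (a simplified model, not RSA's own evaluator):
# "+" requires both sides, "/" accepts either side, "+" binds tighter than "/".
def tokenize(expr):
    toks = re.findall(r"[A-Za-z_]+|[()+/]", expr)
    if "".join(toks) != "".join(expr.split()):
        raise ValueError("unexpected character in expression")
    return toks

def satisfied(expr, methods):
    """True if the methods an account can present satisfy the expression."""
    toks = tokenize(expr) + [None]            # None marks end of input
    def atom():
        t = toks.pop(0)
        if t == "(":
            v = either()
            if toks.pop(0) != ")":
                raise ValueError("missing closing parenthesis")
            return v
        if t is None or t in ")+/":
            raise ValueError(f"expected a method name, got {t!r}")
        return t in methods
    def both():                               # a + b: every term required
        v = atom()
        while toks[0] == "+":
            toks.pop(0)
            v = atom() and v
        return v
    def either():                             # a / b: any one term suffices
        v = both()
        while toks[0] == "/":
            toks.pop(0)
            v = both() or v
        return v
    result = either()
    if toks[0] is not None:
        raise ValueError(f"unexpected {toks[0]!r}")
    return result

# Constructed sample accounts: the methods each one can present today.
ACCOUNTS = {
    "internal_super_admin": {"RSA_Password"},               # no token assigned
    "ldap_super_admin": {"LDAP_Password", "SecurID_Native"},
    "ldap_admin_expired_token": {"LDAP_Password"},          # token expired
}

def locked_out(expr, accounts=ACCOUNTS):
    return sorted(n for n, m in accounts.items() if not satisfied(expr, m))
```

Under this model, locked_out("(RSA_Password/LDAP_Password)+SecurID_Native") lists the internal Super Admin and the expired-token account, while appending "/ RSA_Password" admits any account that holds an RSA password with a single factor.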