ONTAP 9 Manuals ( CA08871-402 )

Enable multifactor authentication

Multifactor authentication (MFA) enhances security by requiring users to present two forms of authentication to log in to an admin or data SVM.

About this task
  • You must be a cluster administrator to perform this task.

  • If you are unsure of the access control role that you want to assign to the login account, you can use the security login modify command to add the role later.

  • If you are using a public key for authentication, you must associate the public key with the account before the account can access the SVM.

    You can perform this task before or after you enable account access.

  • Beginning with ONTAP 9.12.1, you can use Yubikey hardware authentication devices for SSH client MFA using the FIDO2 (Fast IDentity Online) or Personal Identity Verification (PIV) authentication standards.

Enable MFA with SSH public key and user password

A cluster administrator can set up local user accounts to log in with MFA using an SSH public key and a user password.

  1. Enable MFA on a local user account with an SSH public key and a user password:

    security login create -vserver <svm_name> -user-or-group-name <user_name> -application ssh -authentication-method <password|publickey> -role admin -second-authentication-method <password|publickey>

    The following command requires the SVM administrator account admin2, with the predefined admin role, to log in to the SVM engData1 with both an SSH public key and a user password:

    cluster-1::> security login create -vserver engData1 -user-or-group-name admin2 -application ssh -authentication-method publickey -role admin -second-authentication-method password
    
    Please enter a password for user 'admin2':
    Please enter it again:
    Warning: To use public-key authentication, you must create a public key for user "admin2".

Enable MFA with TOTP

Beginning with ONTAP 9.13.1, you can enhance security by requiring local users to log in to an admin or data SVM with a time-based one-time password (TOTP) in addition to either an SSH public key or a user password. After the account is enabled for MFA with TOTP, the local user must log in to complete the configuration.

TOTP is an algorithm that derives a short-lived one-time password from a secret shared with the user's authenticator and the current time. When TOTP is used, it is always the second authentication method, after the SSH public key or the user password.

Before you begin

You must be a storage administrator to perform these tasks.

Steps

You can set up MFA with either a user password or an SSH public key as the first authentication method and TOTP as the second authentication method.

Enable MFA with user password and TOTP

  1. Enable a user account for multifactor authentication with a user password and TOTP.

    For new user accounts

    security login create -vserver <svm_name> -user-or-group-name <user_or_group_name> -application ssh -authentication-method password -second-authentication-method totp -role <role> -comment <comment>

    For existing user accounts

    security login modify -vserver <svm_name> -user-or-group-name <user_or_group_name> -application ssh -authentication-method password -second-authentication-method totp -role <role> -comment <comment>
  2. Verify that MFA with TOTP is enabled:

    security login show

Enable MFA with SSH public key and TOTP

  1. Enable a user account for multifactor authentication with an SSH public key and TOTP.

    For new user accounts

    security login create -vserver <svm_name> -user-or-group-name <user_or_group_name> -application ssh -authentication-method publickey -second-authentication-method totp -role <role> -comment <comment>

    For existing user accounts

    security login modify -vserver <svm_name> -user-or-group-name <user_or_group_name> -application ssh -authentication-method publickey -second-authentication-method totp -role <role> -comment <comment>
  2. Verify that MFA with TOTP is enabled:

    security login show
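Step 2 of both procedures checks the result with `security login show`. The following Python is an added example, not part of the ONTAP documentation, that turns that check into an audit: it runs the query in its `-fields` form over SSH to the cluster management LIF (the `fetch_ssh_logins` helper and its `admin@<cluster>` access are assumptions) and flags every SSH login whose second authentication method is still `none`. The sample output embedded below is constructed to the `-fields` table layout, not captured from a live system, and the user names in it are invented.

```python
"""Audit ONTAP SSH logins for a missing second authentication method.

Added example; not ONTAP code. Assumes `security login show -application ssh -fields ...`
prints a header row, a dashed separator, one row per login and a trailing
"N entries were displayed." line.
"""
import subprocess

FIELDS = "vserver,user-or-group-name,authentication-method,second-authentication-method"

# Constructed sample output in the assumed -fields layout (invented accounts).
SAMPLE_OUTPUT = """\
vserver   user-or-group-name authentication-method second-authentication-method
--------- ------------------ --------------------- ----------------------------
cluster-1 admin              password              none
engData1  admin2             publickey             password
engData1  ops1               password              totp
engData1  svc_backup         publickey             none
4 entries were displayed.
"""


def parse_fields_output(text: str) -> list[dict[str, str]]:
    """Parse a `show ... -fields` table into one dict per row, keyed by field name."""
    lines = [line for line in text.splitlines() if line.strip()]
    if not lines:
        return []
    header = lines[0].split()
    rows = []
    for line in lines[1:]:
        stripped = line.strip()
        if set(stripped) <= {"-", " "}:
            continue                                   # dashed separator under the header
        if stripped.endswith(("entries were displayed.", "entry was displayed.")):
            continue                                   # trailing row count
        cols = line.split()
        if len(cols) != len(header):
            raise ValueError(f"unexpected row (field count mismatch): {line!r}")
        rows.append(dict(zip(header, cols)))
    return rows


def single_factor_logins(rows: list[dict[str, str]]) -> list[dict[str, str]]:
    """Return the SSH logins that have no second authentication method configured."""
    return [r for r in rows if r["second-authentication-method"] == "none"]


def fetch_ssh_logins(cluster: str, user: str = "admin") -> str:
    """Run the query over SSH. Assumes key-based access to the cluster management LIF."""
    command = f"security login show -application ssh -fields {FIELDS}"
    result = subprocess.run(["ssh", f"{user}@{cluster}", command],
                            check=True, capture_output=True, text=True)
    return result.stdout


def report(text: str) -> list[str]:
    """Format one line per single-factor login, suitable for a ticket or a log."""
    weak = single_factor_logins(parse_fields_output(text))
    return [f"{r['vserver']}/{r['user-or-group-name']}: "
            f"first factor {r['authentication-method']}, no second factor"
            for r in weak]


if __name__ == "__main__":
    # Replace SAMPLE_OUTPUT with fetch_ssh_logins("cluster-mgmt.example") on a real cluster.
    for line in report(SAMPLE_OUTPUT):
        print(line)
```

Two caveats when reading the report. First, a row showing `publickey` plus `password` counts as MFA only once a public key has actually been associated with the account, which is what the warning in the SSH public key procedure above is about; this output does not reveal whether that has happened. Second, the query is restricted to `-application ssh`, because that is the application the procedures on this page configure; logins for other applications are out of scope here.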

After you finish

The local user must log in to complete the TOTP configuration.