Hello and welcome to this video where we’ll showcase multi-factor authentication, which adds an additional layer of protection when logging into the Dell PowerProtect Data Manager Appliance. The DM 5500 PowerProtect Data Manager appliance is an integrated solution that offers industry-leading deduplication, software-defined data protection, automated discovery, operational agility, self-service, and IT governance for physical, virtual, and cloud environments.
DM 5500 has been designed for ease of use and supports flexible and reliable upgrades. It also supports new modern workloads and a single license model based on back-end usable capacity, from 12 terabytes to 96 terabytes, in 12 terabyte increments. Security is a key aspect of any appliance, and using password authentication is one way of securing our appliances. However, a single level of security is not enough as cybercrimes become increasingly common. It is important to have a second level of security, namely multi-factor authentication (MFA).
In DM 5500, Google Authenticator’s MFA generates a time-based one-time password (TOTP) that provides an additional layer of security when logging in. Google Authenticator is a multi-factor authentication app that helps increase the security of your online accounts. It works by generating the TOTP, which you enter in addition to your regular login credentials.
Make sure that you install Google Authenticator on your mobile device and that it is ready for use. Log in to the DM 5500 with admin credentials. After logging in successfully, select Administration > Access Control, then the Multi-Factor Authentication tab. Expand One-Time Password Authenticator apps and toggle the OTP status button. A pop-up appears that provides some information about multi-factor authentication. As mentioned in the pop-up, MFA does not apply to bypass accounts such as the admin user or users with the security officer role.
When we close the pop-up, we can see that MFA is now enabled. Now go to the User Groups tab. Here, you can find two non-default entries: a local user and an Active Directory group. MFA will be applied for both the local user and users present in the Active Directory group.
Let’s log out and log in again as an AD user that is part of the Active Directory group added to the appliance. You will then land on a page that displays a QR code that you can scan. Now go to your mobile device, open Google Authenticator, and choose the Scan QR Code option. When the scanner is enabled, scan the QR code that appears on the DM 5500 login page. You will then see the one-time password in your Google Authenticator app. Enter the one-time password and click Activate MFA. You will now be able to log in to the appliance successfully.
Now, go to the Multi-Factor Authentication tab again to disable MFA. Toggle the OTP status button and disable MFA. Now log in as the same AD user after disabling MFA. As you can see on the login page, the user is able to log in without MFA authentication. As you know, the admin user and users with the security officer role are bypassed from MFA by default. All other users or users that are part of a group will need to log in using MFA authentication.
However, you can use the bypass option so that a specific user can bypass MFA authentication. To do this, go to Administration > Access Control and then select the User Groups tab. Select the local user and edit their user properties. Select the bypass checkbox and finish the configuration. This local user is now bypassed from multi-factor authentication. Log in as this local user and verify that MFA is not enabled for them.
In a few rare cases, an administrator might have to re-register users to activate MFA for them again. This may happen if a user intentionally or unintentionally uninstalls a third-party app such as Google Authenticator, loses their phone, or the phone or app is unable to generate the one-time password. DM 5500 provides different approaches to re-register local users and AD users. To re-register a local user, log in as an administrator role user and disable and enable the bypass multi-factor authentication checkbox. To re-register the user for MFA, select the user option and then re-enable MFA for the same user by clearing the bypass MFA checkbox. Log in again as the re-registered user and verify that the QR code to scan appears again on the login page.
Note that you cannot use the DM 5500 UI to re-register AD users. To re-register an AD user, contact support. To sum up, by enabling multi-factor authentication, a user can benefit from an additional layer of security while logging in to the PowerProtect Data Manager Appliance.
Thanks for watching.