Enforcing multifactor authentication
You can enforce multifactor authentication for users in the Flex Appliance Console, so that they must configure it by the date that you select.
Note:
Remote AD and LDAP user groups are not supported when multifactor authentication is enforced. Once you enforce it, users in these groups can no longer sign in.
You cannot enforce multifactor authentication for the hostadmin user in the Flex Appliance Shell.
You also have an option to opt out of multifactor authorization.
Before you can enforce multifactor authentication, the following prerequisites must be met:
The appliance date and time must be set with NTP.
You and at least one other user must have the security administrator role. At least one of the users with the security administrator role must be a local user.
You must have multifactor authentication configured on your account.
Note that:
After a new installation of Flex Appliance, the enforcement dialog will appear at every login until the administrator explicitly enforces or opts out. If the dialog is closed without making a choice, the user remains on the home page, and the screen will reappear on subsequent logins. An opt-out without providing a reason is treated as no choice, so the dialog continues to appear at each login.
This is the default state of the appliance.
If the prerequisites are met and no selection is made, the option is selected by default and the enforce date popup is automatically shown. You can close the date selection screen and choose opt-out at this point.
If the prerequisites are not met, you cannot enforce multifactor authentication. But you can opt out of multifactor authentication. Once the prerequisites are met, you can choose to enforce multifactor authentication even if you opted out of it before.
If you have enforced multifactor authentication but the enforcement is not effective, you can change the effective date but you cannot change the configuration.
To enforce multifactor authentication
- Sign in to the Flex Appliance Console as a security administrator. Click the Settings icon in the top-right corner of the page and then click Multifactor authentication enforcement.
- On the Multifactor authentication enforcement page, click Enforce.
- Select a start date within the next 90 days.
Caution:
Once you enforce multifactor authentication, you cannot cancel the enforcement or extend the start date past 90 days.
- Click Enforce.
If you need to change the start date, return to the Multifactor authentication enforcement page and click .
To opt out of multifactor authentication
- Go to Settings > Multifactor authentication enforcement and select Opt-out of Multifactor Authentication (MFA).
- The Multifactor Authentication Liability Agreement popup appears. The popup will walk you through the liability agreement. Read and accept the liability agreement. Click Next.
- Select the reason for opting out of multifactor authentication. You can choose any of the listed options or choose Custom and specify the reason for opting out.
- Click Confirm.