Hello,
Just a little question, in case I missed something...
We are securing our admin access to NetApp clusters using 2FA (password + SSH key) and thinking about deploying MAV (Multi Admin Validation)!
But how to handle admin accounts used by Active IQ and Workflow Automation? AFAIK there is no way to restrict the IP address used by a specific login?!
Regards,
GS.
2 REPLIES
Please check the following PDF.
Enabling SAML authentication for System Manager & Active IQ Unified Manager:
https://www.netapp.com/pdf.html?item=/media/17055-tr4647.pdf
https://docs.netapp.com/us-en/ontap/task_security_mfa_setup.html#enable-saml-authentication
Hello,
Thanks, but the PDF does not completely answer my question.
E.g.: NetApp Workflow Automation needs privileged credentials on clusters to create volumes/vservers etc. It seems that it only supports login/password-based credentials.
E.g. 2: NetApp Active IQ Unified Manager needs admin credentials on clusters to interact with them.
So you have to keep an admin account on your cluster only protected by a (strong) password!
In TR4647, there is a note about it on page 53:
"After SAML authentication is configured for the http and ontapi applications, the password authentication method does not need to be configured. They remain configured for administrator accounts to enable external supportability tools to continue administrator access with single-factor user ID/password authentication. If no such tools require user ID/password access, delete all password authentication methods for all administrator accounts for http and ontapi applications to provide the most secure administrative access environment."
Regards,
GS
