When enabling 2FA, you have a couple of options as to who (all users or some users) will be asked for the verification code and where (admin portal or user portal). Users will be given instructions to install Google Authenticator to generate the codes needed to log in. Note that other authenticator apps may work, but Google Authenticator is the only one tested by the QA department.
2FA on an Org Enabled appliance
To enable 2FA only for SELECTED System users
- Log into the appliance system portal http://YourSMAFQDN.com/system
- Go to Settings|Security Setting and scroll down to Two-Factor Authentication
- Check the option “Enable Two-Factor Authentication for System Portal”
- Click on “Save and restart Services” button
- Go to Settings|Administrators
- Locate a user and click to view the details
- Check the option “Require Two-Factor Authentication”
- Click the “Save” button
Note: Repeat steps 6 and 8 until all required users have the option enabled – if the option on the user is not selected, 2FA will not be requested when the user logs in to the system portal
To enable 2FA for ALL system users
- Log into the appliance system portal http://YourSMAFQDN.com/system
- Go to Settings|Security Setting and scroll down to Two-Factor Authentication
- Check the option “Enable Two-Factor Authentication for System Portal”
- Check the option “Required for all Users”
Note: 2FA will be required for ALL users trying to log in to the system portal
To enable 2FA for ALL admin portal users on ALL orgs
- Log into the appliance system portal http://YourSMAFQDN.com/system
- Go to Settings|Security Setting and scroll down to Two-Factor Authentication
- Check the option “Enable Two-Factor Authentication for System Portal”
- Check the option “Enable Two-Factor Authentication for Admin Portal”
- From the drop down, select “Required for all users”
- Click “Save and Restart Services”
Note: 2FA will be required for ALL users trying to log in to the admin portal on all orgs
To enable 2FA on ALL org admin portals, with the org admin choosing whether ALL or SELECTED users require it
- Log into the appliance system portal http://YourSMAFQDN.com/system
- Go to Settings|Security Setting and scroll down to Two-Factor Authentication
- Check the option “Enable Two-Factor Authentication for System Portal”
- Check the option “Enable Two-Factor Authentication for Admin Portal”
- From the drop down, select “Defined by Organization”
- Click “Save and Restart Services”
Once the option “Defined by Organization” is selected, you will need to set whether all users or a selected group of users will require 2FA to log in to the admin portal.
For Selected users that log in to the admin portal:
- Log in to the admin portal of the desired org http://YourSMAFQDN.com/admin
- Go to Settings|Users
- Locate a user that logs in to the admin portal and click to view the details
- Check the option “Require Two-Factor Authentication”
- Click the “Save” button
Note: repeat steps 3 to 5 until all the desired users have been selected.
For all users that log in to the admin portal:
- Log in to the admin portal of the desired org http://YourSMAFQDN.com/admin
- Go to Settings|Two-Factor Authentication
- Under “Two-Factor Authentication for Admin Portal”, check the option “Required for all users”
Note: all admin portal users for this org will now be required to use 2FA to log in.
To enable 2FA on ALL org User Portals, with the org admin choosing whether ALL or SELECTED users require it
- Log into the appliance system portal http://YourSMAFQDN.com/system
- Go to Settings|Security Setting and scroll down to Two-Factor Authentication
- Check the option “Enable Two-Factor Authentication for System Portal”
- Check the option “Enable Two-Factor Authentication for Admin Portal”
- Check the option “Enable Two-Factor Authentication for User Portal”
- From the drop down, select “Defined by Organization”
- Click “Save and Restart Services”
Once the option “Defined by Organization” is selected, you will need to set whether all users or a selected group of users will require 2FA to log in to the user portal.
For Selected users that log in to the user portal:
- Log in to the admin portal of the desired org http://YourSMAFQDN.com/admin
- Go to Settings|Users
- Locate a user that logs in to the user portal and click to view the details
- Check the option “Require Two-Factor Authentication”
- Click the “Save” button
Note: repeat steps 3 to 5 until all the desired users have been selected.
For all users that log in to the user portal:
- Log in to the admin portal of the desired org http://YourSMAFQDN.com/admin
- Go to Settings|Two-Factor Authentication
- Under “Two-Factor Authentication for User Portal”, check the option “Required for all users”
Note: all user portal users for this org will now be required to use 2FA to log in.
Setting Transition Window
You can also set up a transition window. Users will have this amount of time to configure and verify two-factor authentication before they will no longer be able to log in. During this time, users will be able to log in and skip the configuration of Google Authenticator.
To set up the transition window:
- Log into the appliance system portal http://YourSMAFQDN.com/system
- Go to Settings|Security Setting and scroll down to Two-Factor Authentication
- Under “Transition Window”, select Week or Day from the drop down and enter the length of time the window will be open
Note: the transition window on a multi org appliance will be set globally on the system portal.
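An added example (not from the vendor or the original article) that models the “Defined by Organization” hierarchy and the transition window for the admin portal, so you can see which accounts still log in with a password only. The `User` fields, the function names, the window start time and the sample users are assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Hypothetical model of the admin-portal settings described above.
# Field names are illustrative, not the appliance's API or export format.
@dataclass
class User:
    name: str
    org: str
    require_2fa: bool = False   # per-user "Require Two-Factor Authentication"
    enrolled: bool = False      # authenticator configured and verified

def requires_2fa(user, portal_enabled, mode, org_all_users):
    """mode: 'all' = "Required for all users", 'org' = "Defined by Organization"."""
    if not portal_enabled:
        return False
    if mode == "all":
        return True
    # Defined by Organization: org-wide setting first, then the per-user box.
    return org_all_users.get(user.org, False) or user.require_2fa

def audit(users, portal_enabled, mode, org_all_users, window_start, window, now):
    """Map each user name to 'exempt', 'enrolled', 'can_skip' or 'blocked'."""
    deadline = window_start + window  # assumption: window runs from window_start
    report = {}
    for u in users:
        if not requires_2fa(u, portal_enabled, mode, org_all_users):
            report[u.name] = "exempt"      # password-only login
        elif u.enrolled:
            report[u.name] = "enrolled"
        elif now < deadline:
            report[u.name] = "can_skip"    # transition window still open
        else:
            report[u.name] = "blocked"     # window closed without enrolment
    return report

# Constructed sample data: two orgs, "Defined by Organization" selected.
USERS = [
    User("alice", "OrgA", enrolled=True),
    User("bob", "OrgA"),
    User("carol", "OrgB", require_2fa=True),
    User("dave", "OrgB"),
]
ORG_ALL = {"OrgA": True, "OrgB": False}   # org-level "Required for all users"
START = datetime(2024, 1, 1)

if __name__ == "__main__":
    for day in (3, 10):
        print(day, audit(USERS, True, "org", ORG_ALL, START,
                         timedelta(weeks=1), START + timedelta(days=day)))
```

Accounts reported as `exempt` or `can_skip` are the ones to review: the first group is never asked for a code, and the second can still skip enrolment until the window closes.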
Reset Token
If a user did not set up Google Authenticator to log in with 2FA, or misplaced or lost it, you can reset the token for this user so they can log back in and configure Google Authenticator once more.
To reset the token for system portal users:
- Log into the appliance system portal http://YourSMAFQDN.com/system
- Go to Settings|Administrators
- Locate the user in question and click on it to view the details
- Click on the “Reset Token” button – a green confirmation banner will show up when done
- Click the “Save” button
To reset the token for system admin or user portal users:
- Log into the appliance admin portal http://YourSMAFQDN.com/admin
- Go to Settings|Users
- Locate the user in question and click on it to view the details
- Click on the “Reset Token” button – a green confirmation banner will show up when done
- Click the “Save” button
Note: once the token is reset, the user is presented with the option to configure Google Authenticator and will have the option to skip the configuration, as stated in the transition window timeframe.