---
title: "2-Factor sub-tab"
slug: "2-factor-sub-tab"
updated: 2023-11-20T09:29:46Z
published: 2023-11-20T09:29:47Z
canonical: "docs.zpesystems.com/2-factor-sub-tab"
---

# 2-Factor sub-tab

This sets up 2-factor authentication (2FA) with RSA or OTP methods. 2FA requires Nodegrid to pair with an external service that provides the corresponding method. The service is consulted at each login for users with 2FA enabled.

![](https://cdn.document360.io/763c5fb1-b9af-4ccd-9ad6-cf28ae4cd5a3/Images/Documentation/Nodegrid_Authentication.PNG)

### Add 2-Factor Configuration

1. Go to *Security :: Authentication :: 2-Factor*.
2. Click **Add** (displays dialog): ![](https://cdn.document360.io/763c5fb1-b9af-4ccd-9ad6-cf28ae4cd5a3/Images/Documentation/image-1684959028010.png)
3. Enter **Name** as an arbitrary identifier.
4. On **Method** drop-down, select one (OTP, RSA). Dialog changes.
5. On **Status** drop-down, select one (Enabled, Disabled). The authentication method will only apply when Enabled.
6. If configuring the *OTP* method (see additional steps in the "Configure OTP authentication for a user" section below):
  1. OTP (One-Time Password) 2FA works by setting up an initial pairing between a Nodegrid user and an external service supporting the chosen *Type* (such as Google Authenticator, Microsoft Authenticator, FreeOTP, etc.). After the initial pairing, upon each login, the user with OTP configured will be required to enter their password as well as a code provided by the external authenticator service.
  2. Select a **Type** depending on the external authenticator service selected:
    1. Time-based (TOTP): the provided code is time-sensitive, changing periodically
    2. Counter-based (HOTP): the provided code changes at every use, and only when used
  3. Choose whether or not to *Enforce OTP setup during login*. If selected, all users will be prompted and forced to set up OTP on their next login. If not selected, users can choose to set up OTP on the "Change Password" screen.
7. If configuring the *RSA* method (see additional steps in the "Configure RSA SecurID (2-Factor)" section below): ![](https://cdn.document360.io/763c5fb1-b9af-4ccd-9ad6-cf28ae4cd5a3/Images/Documentation/image-1684960586723.png)
  1. Enter **Rest URL.**
  2. Select **Enable Replicas** checkbox (expands dialog). Enter **Replicas**. ![](https://cdn.document360.io/763c5fb1-b9af-4ccd-9ad6-cf28ae4cd5a3/Images/Documentation/image-1678894157692.png)
8. Enter **Client Key.**
9. Enter **Client ID.**
10. Select the **Enable Cloud Authentication Service** checkbox (expands dialog). ![](https://cdn.document360.io/763c5fb1-b9af-4ccd-9ad6-cf28ae4cd5a3/Images/Documentation/image-1678894240925.png)
  1. Enter **Policy ID.**
  2. Enter **Tenant ID.**
11. Enter **Read Timeout [seconds]** (default: 120).
12. Enter **Connect Timeout [seconds]** (default: 20).
13. Enter **Max Retries** (default: 3).
14. Click **Save**.

### Configure OTP authentication for a user

1. Add and enable an OTP authentication provider (see "Add 2-Factor Configuration" above for the OTP method)
2. Go to *Security :: Authentication :: Servers* and set the 2-Factor Authentication option of the local server to the configured OTP provider (see *Authentication tab / Servers sub-tab, Edit Local Authentication*).
3. Login as the user that will configure 2FA
4. Click on *user@nodegrid.localdomain* in the top banner, and select *Change Password*: ![](https://cdn.document360.io/763c5fb1-b9af-4ccd-9ad6-cf28ae4cd5a3/Images/Documentation/image-1684962079422.png)
5. Click on *Generate OTP Token*.
  1. Note: if *Reset OTP Token* is clicked instead, the current configuration is erased and a new one is **not** created. This is useful for enforcing a new setup at the next login.
6. Follow the instructions on the dialog (shown below)
  1. If OTP is enforced at login, this dialog will also be shown when the user tries to login
  2. If desired, note down the "Emergency scratch codes". These can be used instead of an OTP, but only once per code. ![](https://cdn.document360.io/763c5fb1-b9af-4ccd-9ad6-cf28ae4cd5a3/Images/Documentation/image-1684962307202.png)
7. Upon each new login, after correctly entering their password, the user will be prompted for an OTP verification code:

![](https://cdn.document360.io/763c5fb1-b9af-4ccd-9ad6-cf28ae4cd5a3/Images/Documentation/Untitled%20(4).png)

The same applies to the CLI:

```shell
$ ssh test@nodegrid
(test@nodegrid) Password:
(test@nodegrid) Verification code:
```

And to the API:

```python
import requests

# NG_IP, USERNAME and PASSWD are assumed to be set by the caller; the
# verification code is the current OTP from the user's authenticator app.
url = f'https://{NG_IP}/api/v1/Session'
headers = {"Content-Type": "application/json", "accept": "application/json"}
payload = {"username": USERNAME, "password": PASSWD, "verification_code": "824584"}

# verify=False skips TLS certificate validation (e.g. for a self-signed
# appliance certificate); point verify at the CA bundle in production.
requests.post(url, json=payload, headers=headers, verify=False)
```
8. (Optional) System administrators can reset any user's OTP tokens using the *Reset OTP Token* button in *Security :: Local Accounts*:  
![](https://cdn.document360.io/763c5fb1-b9af-4ccd-9ad6-cf28ae4cd5a3/Images/Documentation/image-1684962594703.png)
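The *Type* choice (TOTP versus HOTP) above and the verification code the login prompt asks for both come from the RFC 4226/6238 algorithms. The following is an added example, not Nodegrid's own code, showing how an authenticator computes such a code and how a verifier checks it, including the TOTP clock-skew window and the HOTP look-ahead that keeps a counter-based token usable after a skipped code. The secret is the RFC test-vector value, constructed here for illustration.

```python
import base64
import hmac
import struct
import time
from hashlib import sha1


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter,
    dynamic truncation, then the low `digits` decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at=None, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP whose counter is the current time window."""
    now = int(time.time()) if at is None else at
    return hotp(secret, now // step, digits)


def verify_totp(secret: bytes, code: str, at=None, step: int = 30, skew: int = 1) -> bool:
    """Accept the current window and +/- `skew` neighbours to tolerate clock drift."""
    now = int(time.time()) if at is None else at
    return any(hmac.compare_digest(totp(secret, now + d * step, step), code)
               for d in range(-skew, skew + 1))


def verify_hotp(secret: bytes, code: str, counter: int, look_ahead: int = 5):
    """Counter-based check: try `counter` and the next `look_ahead` values, so a
    code generated but never submitted does not lock the user out. Returns the
    counter to store next (one past the match), or None if the code is rejected.
    Codes at or below the stored counter are never accepted (replay protection)."""
    for c in range(counter, counter + look_ahead + 1):
        if hmac.compare_digest(hotp(secret, c), code):
            return c + 1
    return None


# Constructed example secret (the RFC 4226/6238 test vector), shown base32-encoded
# as it would appear in an enrollment QR code.
EXAMPLE_BASE32 = base64.b32encode(b"12345678901234567890").decode()
EXAMPLE_SECRET = base64.b32decode(EXAMPLE_BASE32)
```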

### Configure RSA SecurID (2-Factor)

#### Step 1 – Add SecurID (WebUI Procedure)

1. Go to *Security :: Authentication :: 2-Factor*.
2. Click **Add**.
3. On the *Add* dialog, enter **Name** (name to identify the SecurID system, e.g., SecurID).
4. Enter **Rest URL** (URL to access the SecurID Authentication API; format: https://<server>:5555/mfa/v1_1/authn).
5. Select **Enable Replicas** and enter the Rest Service URLs to fail over to (up to 15 replicas, one per line).
  1. Enter **Client Key** (available through the RSA Security Console: copy/paste the **Access Key** from the *SecurID Security Console*. The Access Key is also available under RSA SecurID Authentication API in System Settings).
  2. Enter **Client ID** (retrieve the Server Node name from the *Authentication Manager Contact List*).
6. Select the **Enable Cloud Authentication Service** checkbox:
  1. Enter **Policy ID**: the name of the access policy to authenticate with, as specified in the RSA Cloud Administration Console.
  2. Enter **Tenant ID**: the RSA Cloud Authentication Service Company ID.
7. Click **Save**.

#### Step 2 – Set Certificate to access SecurID Server (WebUI Procedure)

1. If the RSA server is reached through ZPE Cloud Authentication, go to RSA SecurID Access and click the **Lock** icon (next to the URL).
  1. Locate and click on the Certificate.
  2. Click the first/top certificate on the pop-up dialog, and drag it to your desktop.
  3. Upload certificate to Nodegrid (certificate is automatically converted to the expected format).
2. If not via ZPE Cloud:
  1. Go to the *RSA Operations Console.*
  2. Download the Signing Root Certificate.
  3. Go to *Security :: Authentication :: 2-Factor*.
  4. Click the link representing the SecurID server (added above).
  5. Click **Certificate**.
  6. Select the **Local Computer** checkbox. Click **Choose File** and select the file (e.g., a RootCA.cer file).
  7. Click **Apply**.
3. Click **Save**.

### Edit 2-Factor Configuration

1. Go to *Security :: Authentication :: 2-Factor*.
2. In the *Name* column, click the name to be updated (displays dialog).
3. Make changes, as needed.
4. Click **Save**.

### Delete 2-Factor Configuration

1. Go to *Security :: Authentication :: 2-Factor*.
2. Locate and select the checkbox.
3. Click **Delete**.
4. On the confirmation dialog, click **OK**.

### Assign 2-factor to an Authentication Method

RSA SecurID 2-factor authentication can be added to any Nodegrid-supported authentication method: Local, LDAP/AD, Radius, TACACS+, or Kerberos.

Nodegrid authenticates users following the order of the authentication servers, as configured. When a method succeeds (user authenticated), Nodegrid initiates the 2-factor authentication (if configured).

The user receives a request from RSA SecurID to provide the token code and PIN (according to the setup on the user’s RSA Security Console). The process is applied on user login via Web Browser, SSH, Telnet or Console port.

**NOTE:** For the Local authentication method, 2-factor can be enforced or skipped. This allows local administrators to log in without needing to configure counterpart users in the RSA Security Console.

### RSA Authenticate App

This applies only to ZPE Cloud Authentication Services.

![](https://cdn.document360.io/763c5fb1-b9af-4ccd-9ad6-cf28ae4cd5a3/Images/Documentation/image-1678893402723.png)

1. Download the *RSA SecurID Authenticate* app.
2. Go to **RSA SecurID Access** and login.
3. Follow the steps to register the device.
