User guide

Each user's role can be configured as administrator, operator, read only, or none. This role defines the
maximum privileges available. Operator privileges can be individually configured. The user guide
provides further explanation of these roles and privileges. Dell recommends restricting privileges to the
minimum needed by individual users. This flexibility can be used to set up different levels of
administrative maintenance.
Smart Card
One enhanced security measure currently under adoption in many enterprise data centers is two-factor
authentication. Two-factor authentication is based on both an object or device (such as a smart card or
USB key) and specific knowledge (such as a PIN or password). Standard single-factor authentication is
based only on specific knowledge.
The iDRAC6 allows login via Smart Card authentication for local users. After Smart Card login is enabled,
the iDRAC6 login page prompts the user to insert a smart card and enter the PIN. When the user
clicks the login button, the user is authenticated based on the smart card and the PIN credentials
entered.
Before enabling the smart card logon feature, administrators should first configure local iDRAC6 users
for smart card logon. Local users can be enabled in the iDRAC6 graphical user interface (GUI) by
selecting Remote Access > Configuration > Users, then selecting from the configurable users available.
Two-factor authentication can also be used for Active Directory users.
When enabling a user for smart card logon, administrators should upload the user’s smart card
certificate and the trusted Certificate Authority (CA) certificate to the iDRAC6. The user certificate can be
obtained by exporting the smart card certificate into a Base64-encoded file using the card management
software from the smart card vendor. This file can be uploaded to the iDRAC6 as the user certificate.
The trusted CA that issues the smart card user certificates typically also exports the CA certificate to a
Base64-encoded file, which administrators can then upload to the iDRAC6. Administrators should
configure each user with the username that matches the user principal name in the smart card
certificate. For example, for a smart card certificate issued to sampleuser@domain.com, administrators
should use “sampleuser” as the username.
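
A pre-upload check for the username rule above, as an added example that is not part of the original guide or of Dell's tooling: it reads a Base64-encoded certificate, extracts the user principal name (UPN), and compares its local part with the username to be configured. It assumes the UPN is stored as a subjectAltName otherName under the Microsoft UPN OID 1.3.6.1.4.1.311.20.2.3 and that usernames are compared exactly; the function names and the sample data are constructed for illustration.

```python
import base64

# DER encoding (tag, length, value) of the UPN OID 1.3.6.1.4.1.311.20.2.3
UPN_OID = bytes.fromhex("060a2b060104018237140203")

def _read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long-form length: next n bytes hold it
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length

def upn_from_cert(b64_text):
    """Extract the UPN from a Base64 (PEM or bare) DER blob, or None if absent."""
    body = "".join(l for l in b64_text.splitlines() if not l.startswith("-----"))
    der = base64.b64decode(body)
    at = der.find(UPN_OID)
    if at < 0:
        return None
    tag, wrapped, _ = _read_tlv(der, at + len(UPN_OID))    # [0] EXPLICIT wrapper
    if tag != 0xA0:
        return None
    tag, value, _ = _read_tlv(wrapped, 0)
    return value.decode("utf-8") if tag == 0x0C else None  # 0x0C = UTF8String

def check_username(b64_text, idrac_username):
    """True when the username to configure equals the UPN's local part."""
    upn = upn_from_cert(b64_text)
    return upn is not None and upn.split("@", 1)[0] == idrac_username

def _tlv(tag, value):
    """Short-form DER encoder, used only to build the constructed sample."""
    return bytes([tag, len(value)]) + value

# Constructed sample: a bare subjectAltName GeneralNames value, not a full certificate
SAMPLE = base64.b64encode(
    _tlv(0x30, _tlv(0xA0, UPN_OID + _tlv(0xA0, _tlv(0x0C, b"sampleuser@domain.com"))))
).decode()

if __name__ == "__main__":
    for name in ("sampleuser", "sampleuser@domain.com"):
        print(name, "->", "match" if check_username(SAMPLE, name) else "MISMATCH")
```

Because the function scans for the OID bytes, the same call works on a full exported certificate file as well as on the fragment used here.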
Administrators can enable smart card logon in the iDRAC6 GUI by selecting the Remote Access menu
item followed by the Configuration tab and Smart Card section. If the Configure Smart Card Logon
attribute is set to Disabled, the system prompts for a username and password when users attempt to
log in through the GUI or through a command-line interface (CLI). If this attribute is set to Enable or to
Enable with Remote RACADM, the system prompts for a smart card when users attempt to log in
through the GUI. Other interfaces that do not support smart cards are automatically disabled. The
Enable setting disables CLI out-of-band interfaces that support only single-factor
authentication, such as Telnet, Secure Shell (SSH), serial consoles, remote RACADM, and Intelligent
Platform Management Interface (IPMI) Over LAN. The Enable with Remote RACADM setting disables the
same set of interfaces but leaves remote RACADM enabled. Typically, administrators should use the