Enable WebAuthn MFA for ONTAP System Manager users or groups

Contributors netapp-mwallis netapp-dbagwell

As an ONTAP administrator, you can enable WebAuthn MFA for a System Manager user or group by either adding a new user or group with the WebAuthn MFA option enabled or enabling the option for an existing user or group.

Note: After you enable WebAuthn MFA as the second authentication method for a user or group, the user (or all users in that group) will be asked to register a hardware FIDO2 device upon the next login to System Manager. This registration is handled by the user's local operating system, and usually consists of inserting the security key, creating a passkey, and touching the security key (if supported).

Enable WebAuthn MFA when creating a new user or group

You can create a new user or group with WebAuthn MFA enabled using either System Manager or the ONTAP CLI.

System Manager
  1. Select Cluster > Settings.

  2. Select the arrow icon next to Users and Roles.

  3. Select Add under Users.

  4. Specify a user or group name and select a role in the drop-down menu for Role.

  5. Specify a login method and password for the user or group.

    WebAuthn MFA supports login methods of "password", "domain", or "nsswitch" for users, and "domain" or "nsswitch" for groups.

  6. In the MFA for HTTP column, select Enabled.

  7. Select Save.

CLI
  1. Create a new user or group with WebAuthn MFA enabled.

    In the following example, WebAuthn MFA is enabled by choosing "publickey" for the second authentication method:

    security login create -user-or-group-name <user_or_group_name> \
                         -authentication-method domain \
                         -second-authentication-method publickey \
                         -application http \
                         -role admin

Enable WebAuthn MFA for an existing user or group

You can enable WebAuthn MFA for an existing user or group.

System Manager
  1. Select Cluster > Settings.

  2. Select the arrow icon next to Users and Roles.

  3. In the list of users and groups, select the option menu for the user or group you want to edit.

    WebAuthn MFA supports login methods of "password", "domain", or "nsswitch" for users, and "domain" or "nsswitch" for groups.

  4. In the MFA for HTTP column for that user, select Enabled.

  5. Select Save.

CLI
  1. Modify an existing user or group to enable WebAuthn MFA for that user or group.

    In the following example, WebAuthn MFA is enabled by choosing "publickey" for the second authentication method:

    security login modify -user-or-group-name <user_or_group_name> \
                         -authentication-method domain \
                         -second-authentication-method publickey \
                         -application http \
                         -role admin
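
When rolling this out to many accounts, a pre-flight check can catch entries that use an unsupported login method before anything is typed into the CLI. The following is an added example, not NetApp code: it applies the login-method rules stated above and renders the `security login create` or `security login modify` command in the form shown on this page. The inventory fields (`kind`, `name`, `method`, `role`, `existing`), the name allow-list, and the sample accounts are assumptions made for illustration.

```python
import re

# Login methods this page lists as compatible with WebAuthn MFA.
ALLOWED_METHODS = {
    "user": {"password", "domain", "nsswitch"},
    "group": {"domain", "nsswitch"},
}

# Assumption: a conservative allow-list so that a name or role taken from a
# spreadsheet cannot smuggle extra parameters or commands into the CLI line.
SAFE_TOKEN = re.compile(r"^[A-Za-z0-9._\\-]+$")


def render(entry):
    """Return the ONTAP CLI command for one entry, or raise ValueError."""
    kind, name = entry["kind"], entry["name"]
    method, role = entry["method"], entry["role"]
    if kind not in ALLOWED_METHODS:
        raise ValueError(f"unknown kind {kind!r}")
    if method not in ALLOWED_METHODS[kind]:
        raise ValueError(f"{method!r} is not supported for a {kind}")
    if not SAFE_TOKEN.fullmatch(name) or not SAFE_TOKEN.fullmatch(role):
        raise ValueError("name or role contains unexpected characters")
    verb = "modify" if entry.get("existing") else "create"
    # Only the parameters shown in this page's examples are emitted.
    return (f"security login {verb} -user-or-group-name {name} "
            f"-authentication-method {method} "
            "-second-authentication-method publickey "
            f"-application http -role {role}")


def plan(entries):
    """Split an inventory into ready-to-run commands and rejected entries."""
    commands, rejected = [], []
    for entry in entries:
        try:
            commands.append(render(entry))
        except ValueError as err:
            rejected.append((entry["name"], str(err)))
    return commands, rejected


# Constructed sample inventory (not real accounts).
SAMPLE = [
    {"kind": "user", "name": "svc_backup", "method": "password", "role": "admin", "existing": True},
    {"kind": "group", "name": "CORP\\storage-admins", "method": "domain", "role": "admin"},
    {"kind": "group", "name": "localops", "method": "password", "role": "admin"},
    {"kind": "user", "name": "bob; rm", "method": "domain", "role": "admin"},
]

if __name__ == "__main__":
    cmds, bad = plan(SAMPLE)
    print("\n".join(cmds))
    for name, reason in bad:
        print(f"REJECTED {name}: {reason}")
```

Review the rejected list before running the generated commands; a group whose login method is "password" must be reconfigured or excluded, because the page lists only "domain" and "nsswitch" for groups.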

Learn more

Visit the ONTAP manual pages for these commands: