The Dell Remote Access Controller 5 (DRAC 5) version 1.30 and later supports two-factor authentication for logging into the DRAC 5 Web interface. This support is provided by the Smart Card Logon feature of the DRAC 5.
Traditional authentication schemes use a user name and password to authenticate users, which provides minimal security.
Two-factor authentication, on the other hand, provides a higher level of security by requiring users to have a password or PIN and a private key for a digital certificate.
Two-factor authentication requires users to verify their identities by providing both factors.
Configuring Smart Card Login in DRAC 5
Enable the DRAC 5 Smart Card logon feature from Remote Access→ Configuration→ Smart Card.
If you:
Disable Smart Card configuration, you are prompted for a Microsoft® Active Directory® or local logon username and password.
Enable or Enable with Remote Racadm, you are prompted for a Smart Card logon during any subsequent logon attempts using the GUI.
When you select Enable, all command line interface (CLI) out-of-band interfaces, such as telnet, ssh, serial, remote racadm, and IPMI over LAN, are disabled. This is because these services support only single-factor authentication.
When you select Enable with Remote Racadm, all CLI out-of-band interfaces, except remote racadm, are disabled.
NOTE: Dell recommends that the DRAC 5 administrator use the Enable with Remote Racadm setting only to access the DRAC 5 user interface to run scripts using the remote racadm commands. If the administrator does not need to use the remote racadm, Dell recommends the Enabled setting for Smart Card logon. Also, ensure that the DRAC 5 local user configuration and/or Active Directory configuration is complete before enabling Smart Card Logon.
If you enable CRL check for Smart Card Logon, the user's DRAC certificate is checked for revocation against the Certificate Revocation List (CRL), which the DRAC 5 downloads from the CRL distribution server.
NOTE: The CRL distribution servers are listed in the Smart Card certificates of the users.
Configuring Local DRAC 5 Users for Smart Card Logon
You can configure the local DRAC 5 users to log into the DRAC 5 using the Smart Card. Navigate to Remote Access→ Configuration→ Users.
Figure 7-1. User Management Page for Smart Card
However, before the user can log into the DRAC 5 using the Smart Card, you must upload the user's Smart Card certificate and the trusted Certificate Authority (CA) certificate to the DRAC 5.
Exporting the Smart Card Certificate
You can obtain the user's certificate by exporting the Smart Card certificate from the Smart Card to a file in Base64 encoded form using the card management software (CMS). You can usually obtain the CMS from the vendor of the Smart Card. Upload this encoded file as the user's certificate to the DRAC 5. The trusted Certificate Authority that issues the Smart Card user certificates should also export its CA certificate to a file in Base64 encoded form. Upload this file as the trusted CA certificate for the user. Configure the user with the username that forms the user's User Principal Name (UPN) in the Smart Card certificate.
NOTE: To log into the DRAC 5, the user name that you configure in the DRAC 5 must have the same case as the User Principal Name (UPN) in the Smart Card certificate.
For example, if the Smart Card certificate has been issued to the user "sampleuser@domain.com", the username should be configured as "sampleuser".
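The UPN-to-username rule above, as an added example that is not part of the Dell documentation: the code decodes a Base64 certificate export, pulls the User Principal Name out of the subject alternative name otherName (OID 1.3.6.1.4.1.311.20.2.3, the Microsoft UPN type), and checks the configured DRAC 5 username against its local part with the case-sensitive comparison the note requires. The sample input is a constructed subject alternative name fragment for sampleuser@domain.com, not a real certificate, and the DER scan is a minimal one written for this example rather than a full X.509 parser.

```python
import base64

# DER TLV of OID 1.3.6.1.4.1.311.20.2.3, the Microsoft UPN otherName type-id.
UPN_OID_TLV = bytes.fromhex("060a2b060104018237140203")


def pem_to_der(text):
    """Decode a Base64 export, with or without PEM armour lines."""
    body = "".join(line.strip() for line in text.splitlines() if not line.startswith("-----"))
    return base64.b64decode(body, validate=True)


def der_len(buf, pos):
    """Decode the DER length at pos; return (length, offset of the content)."""
    if buf[pos] < 0x80:
        return buf[pos], pos + 1
    n = buf[pos] & 0x7F
    return int.from_bytes(buf[pos + 1:pos + 1 + n], "big"), pos + 1 + n


def extract_upn(der):
    """Locate the SAN otherName UPN (OID TLV, then [0] EXPLICIT UTF8String); None if absent."""
    idx = der.find(UPN_OID_TLV)
    if idx < 0:
        return None
    pos = idx + len(UPN_OID_TLV)
    if der[pos] != 0xA0:            # [0] wrapper around the otherName value
        return None
    _, pos = der_len(der, pos + 1)
    if der[pos] != 0x0C:            # UTF8String
        return None
    length, pos = der_len(der, pos + 1)
    return der[pos:pos + length].decode("utf-8")


def check_configured_user(cert_text, configured):
    """Case-sensitively compare the configured DRAC 5 username with the UPN local part."""
    upn = extract_upn(pem_to_der(cert_text))
    if upn is None:
        return False, "no UPN otherName in certificate"
    expected = upn.split("@", 1)[0]
    if configured == expected:
        return True, "username matches UPN " + upn
    reason = "case mismatch" if configured.lower() == expected.lower() else "mismatch"
    return False, f"{reason}: configured {configured!r}, UPN local part {expected!r}"


# Constructed sample: a SAN GeneralNames holding one UPN otherName for
# sampleuser@domain.com, wrapped as a Base64 export. Not a real certificate.
SAMPLE_SAN_HEX = ("3027a025060a2b060104018237140203a0170c15"
                  "73616d706c657573657240646f6d61696e2e636f6d")
SAMPLE_PEM = ("-----BEGIN CERTIFICATE-----\n"
              + base64.b64encode(bytes.fromhex(SAMPLE_SAN_HEX)).decode()
              + "\n-----END CERTIFICATE-----\n")
```

Run check_configured_user(SAMPLE_PEM, "SampleUser") to see the case-mismatch result that would make the DRAC 5 logon fail.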
Configuring Active Directory Users for Smart Card Logon
To configure the Active Directory users to log into the DRAC 5 using the Smart Card, the DRAC 5 administrator should configure the DNS server, upload the Active Directory CA certificate to the DRAC 5, and enable the Active Directory logon. See "Using the DRAC 5 With Microsoft Active Directory" for more information on how to set up Active Directory users.
You can configure the Active Directory from Remote Access→ Configuration→ Active Directory.
Configuring Smart Card
NOTE: To modify these settings, you must have Configure DRAC 5 permission.
Expand the System tree and click Remote Access.
Click the Configuration tab and then click Smart Card.
Configure the Smart Card logon settings.
Table 7-1 provides information about the Smart Card page settings.
Click Apply Changes.
Table 7-1. Smart Card Settings

Setting: Configure Smart Card Logon
Description:
Disabled: Disables Smart Card logon. Subsequent logins from the graphical user interface (GUI) display the regular login page. All command line out-of-band interfaces, including secure shell (SSH), Telnet, Serial, and remote RACADM, are set to their default state.
Enabled: Enables Smart Card logon. After applying the changes, log out, insert your Smart Card, and then click Login to enter your Smart Card PIN. Enabling Smart Card logon disables all CLI out-of-band interfaces, including SSH, Telnet, Serial, remote RACADM, and IPMI over LAN.
Enabled with Remote Racadm: Enables Smart Card logon along with remote RACADM. All other CLI out-of-band interfaces are disabled.
NOTE: The Smart Card logon requires you to configure the local DRAC 5 users with the appropriate certificates. If the Smart Card logon is used to log in a Microsoft Active Directory user, then you must ensure that you configure the Active Directory user certificate for that user. You can configure the user certificate in the Users→ User Main Menu page.

Setting: Enable CRL check for Smart Card Logon
Description: This check is available only for Active Directory login users. Select this option if you want the DRAC 5 to check the Certificate Revocation List (CRL) for revocation of the user's Smart Card certificate.
The user will not be able to log in if:
The user certificate is listed as revoked in the CRL file.
DRAC is not able to communicate with the CRL distribution server.
DRAC is not able to download the CRL.
NOTE: You must correctly configure the IP address of the DNS server in the Configuration→ Network page for this check to succeed.
Logging Into the DRAC 5 Using the Smart Card
The DRAC 5 Web interface displays the Smart Card logon page for all users who are configured to use the Smart Card.
NOTE: Ensure that the DRAC 5 local user and/or Active Directory configuration is complete before enabling the Smart Card Logon for the user.
NOTE: Depending on your browser settings, you may be prompted to download and install the Smart Card reader ActiveX plug-in when using this feature for the first time.
Figure 7-2. Logging into the DRAC 5 Using the Smart Card
Access the DRAC 5 Web page using https.
https://<IP address>
If the default HTTPS port number (port 443) has been changed, type:
https://<IP address>:<port number>
where IP address is the IP address for the DRAC 5 and port number is the HTTPS port number.
The DRAC 5 Login page appears prompting you to insert the Smart Card.
Insert the Smart Card into the reader and click Login.
The DRAC 5 prompts you for the Smart Card's PIN.
Enter the Smart Card PIN and click OK.
NOTE: If you are an Active Directory user for whom the Enable CRL check for Smart Card Logon is selected, DRAC 5 attempts to download the CRL and checks the CRL for the user's certificate. The login through Active Directory fails if the certificate is listed as revoked in the CRL or if the CRL cannot be downloaded for any reason.
You are logged into the DRAC 5.
However, if the Smart Card login fails, the DRAC 5 will automatically log you in if:
you have enabled Active Directory login for your user account,
you are a valid Active Directory user, and
you have configured Active Directory to use Smart Card authentication (for more information, see "Enabling Kerberos Authentication").
Logging Into the DRAC 5 Using Active Directory Smart Card Authentication
Log into the DRAC 5 using https.
https://<IP address>
If the default HTTPS port number (port 443) has been changed, type:
https://<IP address>:<port number>
where IP address is the IP address for the DRAC 5 and port number is the HTTPS port number.
The DRAC 5 Login page appears prompting you to insert the Smart Card.
Insert the Smart Card and click Login.
The PIN pop-up dialog box appears.
Enter the PIN and click OK.
You are logged into the DRAC 5 with your credentials as set in Active Directory.
Use the following tips to help you debug an inaccessible Smart Card:
ActiveX plug-in unable to detect the Smart Card reader
Ensure that the Smart Card is supported on the Microsoft Windows® operating system. Windows supports a limited number of Smart Card cryptographic service providers (CSPs).
Tip: As a general check to see whether the Smart Card CSPs are present on a particular client, insert the Smart Card in the reader at the Windows logon (Ctrl-Alt-Del) screen and check whether Windows detects the Smart Card and displays the PIN dialog box.
Incorrect Smart Card PIN
Check to see if the Smart Card has been locked out due to too many attempts with an incorrect PIN. In such cases, the issuer of the Smart Card in the organization will be able to help you get a new Smart Card.
Unable to Log into Local DRAC 5
If a local DRAC 5 user cannot log in, check the username and check whether the user certificates uploaded to the DRAC 5 have expired. The DRAC 5 trace logs may provide important messages regarding the errors, although the error messages are sometimes intentionally ambiguous for security reasons.
Unable to Log into DRAC 5 as an Active Directory User
If you cannot log into the DRAC 5 as an Active Directory user, try to log into the DRAC 5 without enabling the Smart Card logon. If you have enabled the CRL check, try the Active Directory logon without enabling the CRL check. The DRAC 5 trace log should provide important messages in case of CRL failure.
You also have the option of disabling the Smart Card Logon through the local racadm using the following command: