Telnet rules require that an Assure MFA administrator has set up the sign on authentication environment on the system and in the Assure MFA configuration.
The Add Rules wizard creates a telnet rule that requires multi-factor authentication using a RADIUS token to sign on to the IBM i. The rule created is based on your selections and default settings for the telnet rule category.
To be usable, telnet rules require that the following configuration activities be performed from the 5250 user interface to set up the authentication environment on the system and in the Assure MFA configuration:
- Required: Ensure that each user profile to be authenticated by the rule can invoke the MFA rules engine. One way to do this is to specify RAMISGN as the initial program in the user profiles. If you already use custom initial programs, you can modify those programs to call RAMISGN as the first action. If you cannot modify your initial program, you can configure the rule to specify your program in the rule's Hosted initial program field. See topic “Ways to invoke the rules engine during sign on” in the Assure Multi-factor Authentication User Guide.
- Strongly recommended: Modify the IBM i Sign On screen to remove all but the user profile name and password fields. This will prevent users from bypassing authentication during sign-on. See “How to secure the initial IBM i sign on screen” in the Assure Multi-factor Authentication User Guide.
- Required: User profiles to be authenticated must be added to the configuration in the MFA User Profiles list. This list maps IBM i user profile names to the user names known to the RADIUS server. See “Working with Assure MFA profiles (WRKQAPRF)” in the Assure Multi-factor Authentication User Guide for using the WRKQAPRF command to add users manually or by creating and importing a file.
- Required: The RADIUS server that will validate tokens must be configured and added to the Assure MFA configuration as an authentication server with the WRKQASRV command, and the server must be active. See “Configuring Assure MFA for use with RADIUS server and RADIUS passcode” in the Assure Multi-factor Authentication User Guide.
Also, the User Guide section “Using Assure MFA for sign on with RADIUS authentication” includes information about how to test a Sign On rule with a RADIUS server.
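One way to check coverage of the first requirement above is to list the profiles that can sign on with a password but do not name RAMISGN as their initial program. This query is an added example, not part of the Assure MFA documentation, and it assumes the IBM i service view QSYS2.USER_INFO is available to the user running it.

```sql
-- Added example: enabled, password-capable user profiles whose initial
-- program is not RAMISGN. Assumes the IBM i service view QSYS2.USER_INFO.
-- Each row is a candidate gap to review, not a confirmed bypass.
SELECT authorization_name,
       initial_program_library_name,
       initial_program_name,
       previous_signon
FROM   qsys2.user_info
WHERE  status = '*ENABLED'                 -- disabled profiles cannot sign on
  AND  no_password_indicator = 'NO'        -- skip profiles that have no password
  AND  COALESCE(initial_program_name, '*NONE') <> 'RAMISGN'
ORDER  BY authorization_name;
```

Profiles whose custom initial program calls RAMISGN as its first action, or whose program is named in a rule's Hosted initial program field, also appear in the result and have to be confirmed by hand.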
Default settings for a telnet rule created using the Add rule wizard are the same as the template rule X_RAMISGN2. You can view template rules from the 5250 user interface.