Symantec Privileged Access Management

  • 1.  Failed to connect to CA Privileged Access Manager

    Posted Nov 29, 2016 06:27 PM

    A client of ours is getting the above error message when some of their folks try to access the PAM UI, either on the client or in the browser. Other users and admins can log in with no problem.

    They use 2 factor, AD and Radius.

    Has anyone seen this?

    Thank you



  • 2.  Re: Failed to connect to CA Privileged Access Manager

    Posted Nov 29, 2016 06:56 PM

    Hi Farid,

     

    Please share with us the PAM version you are running.

     

    Related known issue addressed with v2.7:

     

    Unable to login to CA Privileged Access Manager using the RADIUS Authentication type when two RADIUS servers are configured (DE172566)

    Redundant RADIUS servers would sometimes fail for CHAP authentication when used with One Time Passwords (OTP), causing login failures.

     

    Workaround: Configure the RADIUS server responsible for OTP as the last server in the list of configured RADIUS servers in CA Privileged Access Manager.



  • 3.  Re: Failed to connect to CA Privileged Access Manager

    Posted Nov 29, 2016 07:10 PM

    Yes, they are running 2.7.0



  • 4.  Re: Failed to connect to CA Privileged Access Manager

    Posted Nov 29, 2016 11:57 PM

    I get this error when there is no connectivity from the client PC to the PAM server. Just double check if they are able to ping the PAM IP or hostname/DNS name.



  • 5.  Re: Failed to connect to CA Privileged Access Manager

    Posted Nov 30, 2016 09:41 AM

    I had a chance to log on and check; there is only one RADIUS server defined.

    Thank you



  • 6.  Re: Failed to connect to CA Privileged Access Manager

    Posted Dec 01, 2016 05:16 PM

    Hi Farid,

     

    From the same PAM client that throws the error, are you able to log in with the AD user (without RADIUS)?



  • 7.  Re: Failed to connect to CA Privileged Access Manager

    Broadcom Employee
    Posted Dec 02, 2016 03:43 AM

    I would also say, can you get the logs.log from the client, if you are using the PAM client? That may give us some ideas.

     

    Have you been able to check at the AD what happens when the client tries to access the PAM server? Does it really get authenticated, and is it the RADIUS that is throwing it back?

     

    The other thing you may want to do is to enable trace at the Java console and gather the logs. That will tell us why Java seems not able to connect.

     

    As a last resort: get Wireshark and repeat the process, then capture the packets. That may give a clue.