Symantec Privileged Access Management

  • 1.  Different authentication types for the same user

    Posted Oct 26, 2017 10:11 AM

    Hello

    We have one user that belongs to two different LDAP groups. One group has "ldap" authentication and the other has "ldap+radius". I would expect that CA PAM would choose the strongest, but it's not the case. From my tests, the user can only log in using ldap. If it uses ldap+radius, on the CA PAM Client, he can't log in.

    Is there a way to change between authentication types without having to remove this user from one of the groups?

    Thanks in advance

    Best regards

    NM



  • 2.  Re: Different authentication types for the same user
    Best Answer

    Broadcom Employee
    Posted Oct 26, 2017 10:19 AM

    Hi, there's only one user entry in the database, and it has one authentication type. Which one is active should depend on the sequence of imports/refreshes. Please try to avoid this scenario.



  • 3.  Re: Different authentication types for the same user

    Posted Nov 03, 2017 03:20 PM

    When you import an LDAP group into PAM you specify the Authentication Method to be used by that group. All the users in that group will use the same Authentication Method. You can modify the group to use a different method, i.e. LDAP+RSA instead of LDAP, but all the members of that group will have to use the new method. If you only want specific users in the group to use the different method then you will have to put those users in a separate group, which must then also be imported.
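
The overlap described in this thread can be checked for before groups are imported. The sketch below is an added example, not code from the thread or from PAM: it takes a constructed export of group memberships, finds users who sit in groups with different authentication methods, and reports the weakest method they could end up with. The group names, DNs and the "fewer factors is weaker" ranking are assumptions.

```python
from collections import defaultdict

# Constructed sample data (assumption): LDAP groups to be imported, the
# authentication method chosen for each, and their member DNs.
IMPORTED_GROUPS = {
    "CN=PAM-Admins,OU=Groups,DC=example,DC=test": {
        "auth": "LDAP+RADIUS",
        "members": ["CN=nm,OU=Users,DC=example,DC=test",
                    "CN=alice,OU=Users,DC=example,DC=test"],
    },
    "CN=PAM-Operators,OU=Groups,DC=example,DC=test": {
        "auth": "LDAP",
        # Same user as above, different case and spacing in the DN.
        "members": ["cn=NM, ou=Users, dc=example, dc=test",
                    "CN=bob,OU=Users,DC=example,DC=test"],
    },
    "CN=PAM-Auditors,OU=Groups,DC=example,DC=test": {
        "auth": "ldap+radius",
        # alice is in two groups, but both use the same method: no conflict.
        "members": ["CN=alice,OU=Users,DC=example,DC=test"],
    },
}

def normalize_dn(dn):
    """Case- and whitespace-insensitive DN key (ignores escaped commas)."""
    return ",".join(part.strip().lower() for part in dn.split(","))

def factor_count(method):
    """Assumed strength ranking: 'LDAP' is 1 factor, 'LDAP+RADIUS' is 2."""
    return len(method.split("+"))

def find_conflicts(groups):
    """Return users whose groups disagree on the authentication method."""
    seen = defaultdict(dict)  # normalized user DN -> {group DN: method}
    for group_dn, info in groups.items():
        for member in info["members"]:
            seen[normalize_dn(member)][group_dn] = info["auth"].upper()
    conflicts = {}
    for user, by_group in seen.items():
        methods = sorted(set(by_group.values()))
        if len(methods) > 1:
            # The active method depends on import order, so plan for the weakest.
            conflicts[user] = {"groups": by_group,
                               "weakest": min(methods, key=factor_count)}
    return conflicts

if __name__ == "__main__":
    for user, detail in find_conflicts(IMPORTED_GROUPS).items():
        print(f"{user}: may authenticate with {detail['weakest']} only")
        for group_dn, method in detail["groups"].items():
            print(f"    {group_dn} -> {method}")
```

Users it reports are the ones to move into a single group, or a separate one, before importing.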