AnsweredAssumed Answered

Issues with RSA and CA PAM integration

Question asked by Shyam007 on Jul 5, 2018
Latest reply on Jul 6, 2018 by mulan04

Like • Show 0 Likes0
Comment • 3

Hello All,

I have query regarding RSA integration with CA Privilege Access Manger.
There is a limitation that we cannot create any new user in RSA hence we are using the existing RSA user (which is already in use and working fine).

We have imported the "sdconf.rec" and "sdopts.rec" in CA PAM and created the same user in AD (Active directory) which works fine if we login using LDAP Authentication to CA PAM.

After this we have tried logging in to CA PAM console using LDAP+RSA option and we are getting the error as

"Error: PAM-CMN-0900: Bad User ID or Password."

Request help on this, Thanks in Advance..!

mulan04

Jul 6, 2018 9:09 AM

Correct Answer

Hello DK

As mentioned before by Ralf - when you do the import of the LDAP group specifying the authentication method LDAP only - finally members of that group will be able to login to PAM with LDAP method only.

Hence you have to import the LDAP group in your case specifying LDAP+RSA so that the user can use the additional method.

Anyway, please make sure to logout of PAM (best close the UI completely) and login again to see the new features.

Should you face any issues with this process, please do not hesitate to open a Support Case with us.

See the reply in context

No one else had this question

Outcomes

prira01

Jul 5, 2018 1:56 PM

Hi Shyam, A user can login to PAM using one authentication type only. If the user was imported as part of a group that uses LDAP authentication, the LDAP+RSA option will not work. Can you clarify the group membership for this user and whether other users in the group can login successfully using LDAP+RSA?

Actions

dinakar_apk @ prira01 on Jul 5, 2018 2:57 PM

Hi Ralf,

We have a user001 in LDAP (Active Directory) added to a PAMAccessGroup. PAM allows user to access PAM application only if the user is member of this group. This configuration is already done and the user001 is able to login with AD credentials.

The same user is already available in RSA server, for VPN access. The RSA team asked us use this existing user in RSA servers, and create the same user in local PAM or LDAP. So that RSA authentication will work. So, we tried using RSA and LDAP+RSA. But both didnt work.

Kindly let us know. What is the correct method for RSA only and LDAP+RSA? Do we need to have any linking between RSA and LDAP so that the RSA or LDAP +RSA authentication will work.

And also, we dont see any information or failure related messages from PAM tomcat logs. Kindly let us know in PAM, how do we see the logs for PAM and RSA communication?

Thanks

Actions

mulan04

@ dinakar_apk on Jul 6, 2018 9:09 AM

Hello DK

Hence you have to import the LDAP group in your case specifying LDAP+RSA so that the user can use the additional method.

Anyway, please make sure to logout of PAM (best close the UI completely) and login again to see the new features.

Should you face any issues with this process, please do not hesitate to open a Support Case with us.

Actions

3 Replies

prira01 Jul 5, 2018 1:56 PM
Mark Correct
Correct Answer
Hi Shyam, A user can login to PAM using one authentication type only. If the user was imported as part of a group that uses LDAP authentication, the LDAP+RSA option will not work. Can you clarify the group membership for this user and whether other users in the group can login successfully using LDAP+RSA?
Like • Show 0 Likes0
Actions
- dinakar_apk @ prira01 on Jul 5, 2018 2:57 PM
  Mark Correct
  Correct Answer
  Hi Ralf,
  
  We have a user001 in LDAP (Active Directory) added to a PAMAccessGroup. PAM allows user to access PAM application only if the user is member of this group. This configuration is already done and the user001 is able to login with AD credentials.
  
  The same user is already available in RSA server, for VPN access. The RSA team asked us use this existing user in RSA servers, and create the same user in local PAM or LDAP. So that RSA authentication will work. So, we tried using RSA and LDAP+RSA. But both didnt work.
  
  Kindly let us know. What is the correct method for RSA only and LDAP+RSA? Do we need to have any linking between RSA and LDAP so that the RSA or LDAP +RSA authentication will work.
  
  And also, we dont see any information or failure related messages from PAM tomcat logs. Kindly let us know in PAM, how do we see the logs for PAM and RSA communication?
  
  Thanks
  dk
  Like • Show 0 Likes0
  Actions
  - mulan04 @ dinakar_apk on Jul 6, 2018 9:09 AM
    Unmark Correct
    Correct Answer
    Hello DK
    
    As mentioned before by Ralf - when you do the import of the LDAP group specifying the authentication method LDAP only - finally members of that group will be able to login to PAM with LDAP method only.
    
    Hence you have to import the LDAP group in your case specifying LDAP+RSA so that the user can use the additional method.
    
    Anyway, please make sure to logout of PAM (best close the UI completely) and login again to see the new features.
    
    Should you face any issues with this process, please do not hesitate to open a Support Case with us.
    Like • Show 1 Like1
    Actions

Issues with RSA and CA PAM integration

Outcomes

Related Content

Recommended Content

Incoming Links