LDAP+Radius dual authentication does not work

Document ID : KB000100601
Last Modified Date : 20/08/2018
Issue:
On a PAM server configured to use both Radius and LDAP authentication, the combination does not appear to work. LDAP authentication works, but Radius does not, even though the users have been configured in Radius with the same samAccountName attribute that is mapped in PAM between LDAP and Radius. As a result, users defined in LDAP can log in using the LDAP method but not the Radius method. In addition, we would like to have LDAP+Radius as the only authentication option.
Environment:
CA PAM 2.X and 3.X
Resolution:
If LDAP+Radius was configured after the LDAP users were imported, those users might not be taken into consideration. In this case, delete the group of all users that have LDAP+Radius authentication and reimport them. Once the users are imported, the login page no longer offers separate choices for Radius and LDAP. You must also make sure that the Unique Attribute field is populated with the field in the LDAP server that contains the string that matches the user configured in the Radius server. Typically, this is either samaccountname= or userprincipalname=.
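Before reimporting, the Unique Attribute choice can be checked offline against the Radius user list. The script below is an added example, not CA code: it assumes an LDIF export of the LDAP group and a plain list of Radius user names (both constructed here), and the function names are hypothetical.

```python
# Constructed sample data: an LDIF export of the LDAP group and the Radius user names.
SAMPLE_LDIF = """\
dn: CN=Alice Admin,OU=PAM,DC=example,DC=test
sAMAccountName: aadmin
userPrincipalName: aadmin@example.test

dn: CN=Bob Ops,OU=PAM,DC=example,DC=test
sAMAccountName: BOps
userPrincipalName: bops@example.test

dn: CN=Carol Dev,OU=PAM,DC=example,DC=test
sAMAccountName: cdev
userPrincipalName: carol.dev@example.test
"""
RADIUS_USERS = ["aadmin", "bops", "carol.dev@example.test"]

def parse_ldif(text):
    """Return one {lowercased attribute: value} dict per entry (plain 'attr: value' lines only)."""
    entries = []
    for block in text.strip().split("\n\n"):
        entry = {}
        for line in block.splitlines():
            if ": " in line and not line.startswith("#"):
                name, value = line.split(": ", 1)
                entry[name.lower()] = value.strip()
        if entry:
            entries.append(entry)
    return entries

def check_unique_attribute(entries, attribute, radius_users):
    """Classify each entry by how its attribute value compares to the Radius user names."""
    exact = set(radius_users)
    folded = {u.lower() for u in radius_users}
    result = {"match": [], "case_only": [], "missing": []}
    for entry in entries:
        value = entry.get(attribute.lower())
        if value in exact:
            result["match"].append(entry["dn"])
        elif value is not None and value.lower() in folded:
            # Assumption: whether case matters depends on the Radius server, so flag it.
            result["case_only"].append(entry["dn"])
        else:
            result["missing"].append(entry["dn"])
    return result

if __name__ == "__main__":
    for attr in ("sAMAccountName", "userPrincipalName"):
        print(attr, check_unique_attribute(parse_ldif(SAMPLE_LDIF), attr, RADIUS_USERS))
```

Any entry listed under `missing` or `case_only` for the attribute you plan to use points to a user whose Radius name should be corrected before the group is deleted and reimported.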
Additional Information:
https://docops.ca.com/ca-privileged-access-manager/3-1-1/EN/implementing/configure-your-server/authenticate-users-locally-or-remotely/radius-or-tacacs+