Trouble Shooting Tips for LDAP+RSA authentication implementation in CA PAM

Document ID : KB000010600
Last Modified Date : 23/08/2018
Show Technical Document Details
Introduction:

We are failing to authenticate to the CA PAM Client using LDAP+RSA method.

In the PAM session logs we see error codes 18074 and 18002.

What needs to be checked to reveal the root cause of this issue.

Instructions:
1. Reconfigure CA PAM to LDAP only authentication and confirm that users can successfully authenticate via LDAP only

2. In Config / 3rd Party / RSA make sure that sdopts.rec has been loaded.
    (Unlike the text in the User Interface implies, this is is a mandatory step in PAM 3.x. If needed an empty file with this name, containing only a single # character, can be used)

3. Clear the Node secret after uploading the sdconf.rec and sdopts.rec. Then best reboot the PAM appliance to allow initiation of the communication from PAM to the RSA Server.

4. When configuring PAM as an Authentication Agent on the RSA server, use the short hostname of the PAM server as hostname of the authentication agent.
    PAM will send the short hostname configured in PAM network configuration to the RSA server.

5. Confirm that TCP port 5500 is open from PAM to the RSA server (Check with PAM / Config / Tools / Port Scan).
    Confirm with your RSA Administrator that this one has not been changed from the default. 

6. Try deleting the LDAP group once more and redo the import.
    Try setting the Authentication Method to RSA only this time. 

7. Confirm that the user is defined in the RSA Server accordingly with the same sAMAcccountName.

8. Also make sure that time is in sync between the RSA Server, PAM Server, PAM Client and the RSA Token devices.
 
Additional Information:

Confirm that you followed these steps to setup the RSA connection:
https://docops.ca.com/ca-privileged-access-manager/2-8-3/EN/reference/web-gui/toolbar/config/3rd-party#id-3rdParty-RSAAuthenticationManagerConfiguration

For PAM 3.X see e.g. page
https://docops.ca.com/ca-privileged-access-manager/3-2/EN/implementing/configure-your-server/authenticate-users-locally-or-remotely/rsa-securid-and-ldap+rsa

Review all the other Articles in our Knowledge Base around RSA integration in CA PAM
https://support.ca.com/us/product-information/ca-privileged-access-management.html?d=t&q=rsa&language=en&type=ALL&sortby=relevance&page=1&typeofcontent=Knowledge+Base+Articles