1. Reconfigure CA PAM to LDAP-only authentication and confirm that users can successfully authenticate via LDAP only.
2. In Config / 3rd Party / RSA, make sure that sdopts.rec has been loaded.
(Contrary to what the text in the User Interface implies, this is a mandatory step in PAM 3.x. If needed, an empty file with this name, containing only a single # character, can be used.)
3. Clear the Node secret after uploading the sdconf.rec and sdopts.rec. Then, ideally, reboot the PAM appliance so that PAM can initiate communication with the RSA Server.
4. When configuring PAM as an Authentication Agent on the RSA server, use the short hostname of the PAM server as the hostname of the authentication agent.
PAM will send the short hostname configured in the PAM network configuration to the RSA server.
5. Confirm that TCP port 5500 is open from PAM to the RSA server (Check with PAM / Config / Tools / Port Scan).
Confirm with your RSA Administrator that this port has not been changed from the default.
6. Try deleting the LDAP group once more and redo the import.
Try setting the Authentication Method to RSA only this time.
7. Confirm that the user is defined in the RSA Server with the same sAMAccountName.
8. Also make sure that time is in sync between the RSA Server, PAM Server, PAM Client and the RSA Token devices.