Layer7 Privileged Access Management

Expand all | Collapse all

I have recently upgrade CA PAM to 3.01 fom version2.8.3 After upgrade the login page does not show the RSA+LDAP

Jump to Best Answer
  • 1.  I have recently upgrade CA PAM to 3.01 fom version2.8.3 After upgrade the login page does not show the RSA+LDAP

    Posted 11-20-2017 07:14 AM

    I have recently upgraded CA PAM to 3.01 fom version2.8.3 After upgrade the login page does not show the RSA+LDAP option just provides 2 options local and LDAP. Previous to upgrade the RSA+LDAP worked fine . I have already checked the Global  and user group settings and they are still showing LDAP+RSA as the selected option . Any idea if this is a known issue or a product bug etc.



  • 2.  Re: I have recently upgrade CA PAM to 3.01 fom version2.8.3 After upgrade the login page does not show the RSA+LDAP
    Best Answer

    Posted 11-20-2017 09:40 AM

    I've already opened a defect for RSA authentication on 3.0.x.  I am not surprised that LDAP+RSA also is not working.  We are duplicating the problem and will open a defect with Engineering when we are done.



  • 3.  Re: I have recently upgrade CA PAM to 3.01 fom version2.8.3 After upgrade the login page does not show the RSA+LDAP

    Posted 11-20-2017 09:44 AM

    Ed,

     

    Just keep in mind that he is reporting that the login option isn't even there… which differs from the defect you showed us last week.  I think this is a new defect?



  • 4.  Re: I have recently upgrade CA PAM to 3.01 fom version2.8.3 After upgrade the login page does not show the RSA+LDAP

    Posted 11-27-2017 01:01 AM

    Even I have the same issue here, LDAP+RSA optiion is not available in the login page, Although this option is available in Global setting. If we browse to the user group and double click on any user group and select authenticaion as ldap+rsa(for the previously assigned authenticaiton method) we get a error that LDAP+RSA is not supported.

     

    This is a critical issue, No one in our environment is able to login because our company has strict 2FA enforcement to PAM.

    Need someone to look into this immediately.



  • 5.  Re: I have recently upgrade CA PAM to 3.01 fom version2.8.3 After upgrade the login page does not show the RSA+LDAP

    Posted 11-27-2017 11:12 AM

    Engineering figured out what happened with RSA during the upgrade. After the upgrade, the sdconf.rec file is missing and the sdopts.rec field is populated. At first I thought the file was swapped with sdopts.rec. That seems not to be the case. Engineering provided these manual steps post-upgrade that worked for them.  It worked for me as well, on a system on which I'd configured RSA authentication.  I am about to try the same with LDAP+RSA configured.  IN the meantime, please take a look at the steps below.

     

    1.Do not remove opts config file.
    2.Import sdconf.rec file again.
    3.Make sure that the hostname in PAM matches the hostname in the RSA server. With the hostname changed on one of my test systems, to the IP address, RSA started working.

     

    If these steps do not resolve the problem for you, please open a support ticket.  Be prepared to answer the following questions:

    What is the current state of the RSA configuration on the system you upgraded?

    Which of the .rec files are populated? If the sdopts.rec was not being use previously, and you cleared it on 3.0.x, we can recreate /var/ace/sdopts.rec with a touch command, in an ssh debug session to PAM.  If you were using it prior to the upgrade, and it is currently cleared, you can reload the file, via the GUI.



  • 6.  Re: I have recently upgrade CA PAM to 3.01 fom version2.8.3 After upgrade the login page does not show the RSA+LDAP

    Posted 11-29-2017 03:54 PM

    There is one more aspect of this that we learned of when I was working with a customer who had this same problem.  When we started our troubleshooting session we went through all of the steps previously described.  We then changed the Authentication Method on their LDAP group to RSA and tried to login using RSA.  It still didn't work.  After repeating the steps with no success, and clearing the Node Secret a few times, all with no success, we took a look at the LDAP user.  We saw that the Authentication Method was showing as LDAP, even though it had been changed for the LDAP group to RSA.  We deleted the LDAP group and imported it again, making sure to select RSA Authentication on the import.  At this point, both the user record and the LDAP record showed RSA Authentication.  This time, the user was able to login with RSA.  I've tested in house and seen that changing the Authentication Method on the LDAP group was reflected when I looked at the user record.  I will do some more testing, to see if I can identify why the observed problem occurred.  For now, keep this in mind if you have problems with RSA authentication.