Symantec Privileged Access Management


Problem With CA PAM and Strong Authentication

  • 1.  Problem With CA PAM and Strong Authentication

    Posted Aug 22, 2019 12:36 PM
    Hello,

    I have had this problem for 3 months. We use CA PAM with two-factor authentication, that is, the CA PAM STRONG AUTHENTICATOR, but we have the problem that a user works normally and then at some point they can't connect because CA PAM displays Bad User and Bad Password. We tried everything and we can't find the problem. The timing is variable, and to fix the problem temporarily we have to delete the user and create it again.


    I hope somebody can help us,
    best regards.


  • 2.  RE: Problem With CA PAM and Strong Authentication

    Broadcom Employee
    Posted Aug 22, 2019 12:43 PM
    Hi,

    Can you please advise what release of PAM you are running?  There have been various fixes in PAM 3.2.x around RADIUS:

    https://docops.ca.com/ca-privileged-access-manager/3-3/EN/release-information/resolved-issues-in-3-2-3

    DE384223 - When Authentication Type is set to RADIUS on the UI login screen, users whose passwords include specific characters (& " < > ' ) are unable to log in, receiving a "PAM-CMN-0900 Bad Used ID or Password" error message.


  • 3.  RE: Problem With CA PAM and Strong Authentication

    Posted Aug 22, 2019 02:34 PM
    The version of CA PAM is 3.2.2. If I update CA PAM, can I fix this?


  • 4.  RE: Problem With CA PAM and Strong Authentication

    Posted Aug 22, 2019 02:54 PM
    I have to say that this happens with random users at random times: maybe it works for two weeks and fails with this message, maybe it works for one month and fails with this message, and the only temporary solution is to delete the user and create it again.


  • 5.  RE: Problem With CA PAM and Strong Authentication

    Broadcom Employee
    Posted Aug 22, 2019 11:53 PM
    Have you checked the Strong Authentication Server log file to see if there is any RADIUS authentication attempt made from PAM for this user when it reports the error?


    Thanks and Regards,

    Shinu Abdulu

    Services Architect


    CA Technologies (A Broadcom Company) | 3965 Freedom Circle Suite 1100 | Santa Clara, CA 95054 
    Office: +13146 | Mobile: +1 408 420 0380 | Shinu.VayyattuKavil@broadcom.com

       



  • 6.  RE: Problem With CA PAM and Strong Authentication

    Posted Aug 23, 2019 08:53 AM
    I looked at the log from the CA STRONG AUTHENTICATOR but I can't identify the problem. We have had a case open with the vendor, Broadcom, for 3 months and we don't have a definitive answer from them.


    best regards.


  • 7.  RE: Problem With CA PAM and Strong Authentication

    Broadcom Employee
    Posted Aug 23, 2019 03:00 PM
    What is the ticket number to which you referred?  Do I understand correctly that you are using CA PAM Strong Authenticator as your RADIUS server?  If that is the case I will have to try that to see if I can duplicate the problem.  If you set the Web Services Log Level = Debug in PAM and duplicate the problem there might be useful information in one of the PAM System Logfiles.  Do that and download the file.  If you don't have one already, you should open a ticket for PAM and upload that file.

    ------------------------------
    Principal Support Engineer
    Broadcom
    ------------------------------



  • 8.  RE: Problem With CA PAM and Strong Authentication

    Posted Aug 23, 2019 03:16 PM
    The case number with Broadcom is 20046982, and yes, we are using the CA STRONG AUTHENTICATOR for two-factor authentication, and in the CA PAM configuration, in the RADIUS section, we have the CA STRONG AUTHENTICATOR.

    best regards.


  • 9.  RE: Problem With CA PAM and Strong Authentication
    Best Answer

    Broadcom Employee
    Posted Aug 23, 2019 04:54 PM
    Hi Danilo,

    I recommend viewing the webfort.log file on the Strong Authentication server.  You may see signs of RADIUS authentication failure there.

    If the user is denied, are they able to re-enter a new Desktop OTP and authenticate successfully?  If you're using the time-based credential (TOTP), is it possible the user is entering an OTP near the end of its time?  If so, the look back setting on the OTP authentication profile may need to be adjusted.

    Warren
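
The look-back behaviour described in the answer above, as an added example that is not part of the original thread and not CA Strong Authentication's own code: a generic RFC 6238 TOTP verifier in which a code generated near the end of its time step is rejected with no look-back and accepted with a look-back of one step. The 30-second step, 6 digits, the `verify` helper and the RFC test key are assumptions.

```python
import hashlib
import hmac
import struct

STEP = 30    # seconds per time step (RFC 6238 default; assumed, not from the thread)
DIGITS = 6   # OTP length (assumed)
SECRET = b"12345678901234567890"  # constructed sample: the RFC 4226/6238 test key


def hotp(secret: bytes, counter: int) -> str:
    """RFC 4226 HOTP value for a single counter."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation offset
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)


def totp_at(secret: bytes, unix_time: int) -> str:
    """TOTP the token displays at the given Unix time."""
    return hotp(secret, unix_time // STEP)


def verify(secret: bytes, code: str, server_time: int, look_back: int = 0):
    """Return how many steps old the matching code is, or None if rejected.

    look_back is the number of earlier time steps the server still accepts
    (hypothetical parameter modelling the profile setting named above).
    """
    current = server_time // STEP
    for age in range(look_back + 1):
        if current - age < 0:
            break
        # Constant-time comparison so timing does not leak partial matches.
        if hmac.compare_digest(hotp(secret, current - age), code):
            return age
    return None


def demo():
    # User reads the code at t=59 (last second of step 1); it reaches
    # the server at t=61, which is already step 2.
    code = totp_at(SECRET, 59)
    return verify(SECRET, code, 61, look_back=0), verify(SECRET, code, 61, look_back=1)


if __name__ == "__main__":
    print(demo())
```

Each extra look-back step also widens the window in which a captured code remains valid, so the value is a trade-off between tolerance for slow entry or clock drift and replay exposure.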


  • 10.  RE: Problem With CA PAM and Strong Authentication

    Posted Aug 23, 2019 05:48 PM
    Hello Warren,

    We are using OTP, and when the user has this problem nothing helps except deleting the user and creating it again. The timing is variable; the user can fail maybe in two weeks, two days, etc.