Can we configure a single instance of PAM to work with RADIUS servers from multiple MFA solutions?

Article ID: 103163

Products

CA Privileged Access Manager - Cloakware Password Authority (PA)
PAM SAFENET LUNA HSM
CA Privileged Access Manager (PAM)

Issue/Introduction



Can we configure a single instance of PAM to work with RADIUS servers from multiple MFA solutions?
Example:
1) RADIUS1 server for authenticating internal users, via CA Advanced Authentication
2) RADIUS2 for authenticating vendors/external users, via Azure MFA

Environment

Any CA PAM appliance, up to CA PAM 3.2, which is the latest release at the time of this document

Resolution

You can add multiple RADIUS servers in a single configuration, but you cannot configure RADIUS authentication through multiple MFA services. This is due to a limitation in our ability to direct communications to a subset of the RADIUS servers defined in our configurations. If you configure multiple RADIUS servers, CA PAM will send the requests to each of the RADIUS servers in the order specified.

Additional Information

Simply put, there is currently no method to define specific RADIUS servers to be used only with a specific set of users. If you require this, an enhancement request should be made through our Communities site:
https://communities.ca.com/community/ca-security/ca-privileged-access-management/content?filterID=contentstatus%5Bpublished%5D%7Ecategory%5Bca-privileged-access-manager%5D