2FA on RADIUS has been implemented for PAM using a Symantec VIP Enterprise RADIUS server.
The users are provisioned through LDAP: they are all imported as members of a group, say "CN=Users, OU=Radius, DC=mypam, DC=com", with authentication type RADIUS and provisioning type LDAP.
Authentication is purely RADIUS. That is, at login PAM connects only to RADIUS, not to RADIUS and then LDAP. The VIP Enterprise server pulls its RADIUS users from LDAP.
When users try to log in, they receive a push notification on their mobile device, press APPROVE, and then get the following error in PAM:
"PAM-CMN-0949: RADIUS user is not registered. Contact your CA PAM Administrator."
Upon viewing the logs, we find the following error:
"PAM-CMN-0950: Authentication failed for RADIUS user <my username>. RADIUS authentication succeeded but unable to retrieve the user's RADIUS group."
There are no errors in the validation server's logs, and we can see that the authentication was successful from its side.
userPrincipalName is being used as the VIP user name attribute.
Release : 4.1.X
The error message gives a hint about the root cause. PAM does have a group whose authentication type is RADIUS, but it is unable to link that group to the group information coming from the VIP RADIUS server.
Since the group is provisioned from LDAP, it needs some link to the RADIUS information received at login so that PAM can tie the two together, much as described in the documentation for combined LDAP+RADIUS PAM authentication (see: https://techdocs.broadcom.com/us/en/symantec-security-software/identity-security/privileged-access-manager/4-1-4/configuring-your-server/authenticate-users-logging-in-to-the-server/configure-ldap-and-radius-in-combination-to-authenticate-users.html).
It is necessary to define a Unique Attribute and a Group Attribute that relate the group information received at RADIUS login to the LDAP group information present in PAM.
For instance, sAMAccountName can be used as the Unique Attribute (userPrincipalName should work as well) and member as the Group Attribute; both are defined in the LDAP configuration in PAM.
The Group Member Attribute may vary with the RADIUS configuration, but the solution is the same once the specific parameters of each use case are taken into account.
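The following is an added illustrative model of the two-step mapping described above (RADIUS-accepted name -> LDAP user via the Unique Attribute -> PAM group via the Group Attribute); it is not PAM's own code, and the directory snapshot, DNs and function names are constructed for the example. It shows that a Unique Attribute that does not match the name format VIP sends, or a Group Attribute that does not match how membership is stored, both end in the same "unable to retrieve the user's RADIUS group" condition.

```python
# Added illustrative model of the user-to-group mapping this article describes.
# It is NOT PAM's code; the directory below is constructed sample data.
from typing import Dict, List, Optional

# Constructed LDAP snapshot: DN -> attributes (every attribute is multi-valued).
DIRECTORY: Dict[str, Dict[str, List[str]]] = {
    "CN=jdoe,OU=Radius,DC=mypam,DC=com": {
        "objectClass": ["user"],
        "sAMAccountName": ["jdoe"],
        "userPrincipalName": ["jdoe@mypam.com"],
    },
    "CN=Users,OU=Radius,DC=mypam,DC=com": {
        "objectClass": ["group"],
        # Membership is stored on the group as 'member' (user DNs), not on the user.
        "member": ["CN=jdoe,OU=Radius,DC=mypam,DC=com"],
    },
}


def find_user_dn(radius_user: str, unique_attr: str,
                 directory: Dict[str, Dict[str, List[str]]] = DIRECTORY) -> Optional[str]:
    """Step 1: locate the LDAP entry whose Unique Attribute equals the name RADIUS accepted."""
    for dn, attrs in directory.items():
        if radius_user in attrs.get(unique_attr, []):
            return dn
    return None


def find_group_dn(user_dn: str, group_attr: str,
                  directory: Dict[str, Dict[str, List[str]]] = DIRECTORY) -> Optional[str]:
    """Step 2: locate the group whose Group Attribute lists the user's DN."""
    for dn, attrs in directory.items():
        if "group" in attrs.get("objectClass", []) and user_dn in attrs.get(group_attr, []):
            return dn
    return None


def resolve_radius_group(radius_user: str, unique_attr: str, group_attr: str,
                         directory: Dict[str, Dict[str, List[str]]] = DIRECTORY) -> Optional[str]:
    """Return the PAM group DN for a RADIUS-authenticated user.

    None models the PAM-CMN-0950 outcome: authentication succeeded, but either the
    Unique Attribute did not match the RADIUS user name or the Group Attribute did
    not link the user to any group.
    """
    user_dn = find_user_dn(radius_user, unique_attr, directory)
    if user_dn is None:
        return None
    return find_group_dn(user_dn, group_attr, directory)
```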