RSA Integration with CA PAM 4.1.5 and 4.1.6 does not prompt for 2F authentication



Article ID: 277409


Products

CA Privileged Access Manager (PAM)

Issue/Introduction

The customer is facing a critical issue with Symantec PAM after upgrading to 4.1.5 / 4.1.6.

When logging into PAM using RSA, the usual process involves entering a PIN followed by the OTP that is generated and sent to the user via SMS or email.

However, users are currently able to log in to CA PAM just by entering the PIN, because the OTP screen pop-up does not show up. This means users can log in using only the PIN without the OTP code, leading to security concerns.

Under normal circumstances the following screen (Challenging for OTP/On-Demand Token) is presented and the OTP/On-Demand Token needs to be provided there.

After the upgrade to 4.1.5 / 4.1.6, the user is no longer challenged to provide the OTP / On-Demand Token.


Environment

CA PAM: 4.1.5 and 4.1.6 with RSA as the authentication method.

RSA: REST API authentication is enabled and the user has On-Demand Authentication enabled.

Cause

When On-Demand Authentication is enabled for a user in RSA, the pop-up for providing the OTP does not appear.
If the user in RSA is not configured for On-Demand Authentication, the integration works properly.

Resolution

The problem is fixed in 4.1.7 and listed in the release notes under Resolved Issues (DE587975).

For 4.1.5 and 4.1.6 the original workaround was as follows.

In RSA, the user details show whether On-Demand Authentication is enabled or not (in RSA: Authentication --> On-Demand Authentication --> Manage Enabled Users).

A workaround is in place to fix this problem by moving back to the non-REST API call from CA PAM to the RSA server.

To have this workaround configured, open a support ticket with Broadcom; the Technical Support team will be able to enable the workaround. Once the workaround is in place, the OTP authentication pop-up will be available and users will be able to provide the OTP for authentication.

Additional Information

To identify the problem:
- Confirm with the customer whether the users configured in RSA have On-Demand Authentication (ODA) enabled or not