Error PAM-CMN-0966: User CN=<User>,OU=<ou>,,DC=<dc> selected to authenticate via ldap+radius but the configured authentication method for the user is ldap in CA PAM

Article ID: 376330


Products

CA Privileged Access Manager (PAM)

Issue/Introduction

Consider the following scenario:

  • User A is onboarded into PAM through Group A in Domain A, with provisioning type LDAP and authentication type LDAP.
  • An administrator then tries to onboard the same User A through Group B in Domain A, with provisioning type LDAP but authentication type LDAP+RADIUS.

When this is attempted, the following error message appears:

Error PAM-CMN-0966: User CN=UserA,OU=<ou>,,DC=<dc> selected to authenticate via ldap+radius but the configured authentication method for the user is ldap in CA PAM

Environment

CA PAM all versions

Cause

This is caused by the way in which PAM works: a user cannot have two different authentication methods in the same domain (although a user can have LDAP and SSO coexisting, for instance).

Once a user is provisioned through an LDAP group that has a certain authentication method, for instance LDAP, any attempt to onboard that user into PAM again with a different authentication method (for instance LDAP+RADIUS or LDAP+RSA) is rejected: the product detects that the user has already been onboarded with a certain method and refuses to add it again. This is because a user can have only one authentication method.

Resolution

If a user should start using LDAP+RADIUS instead of just LDAP, the easiest solution is to change one of the groups that the user is a member of to authentication type LDAP+RADIUS. That triggers the change for all users in that group, so the next time the user needs to be onboarded via another group, it will be onboarded with no complaints.
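The rule from the Cause and Resolution sections can be checked before importing a group. The following is an added example, not Broadcom's code and not a PAM API: it models the rule on constructed data, and the group names, domain name, DNs and input layout are assumptions. Only the LDAP-based authentication types named in this article are modeled.

```python
# Added example: models the PAM-CMN-0966 rule on constructed data.
# It calls no PAM API; every name and DN below is a constructed sample.
from collections import namedtuple

Group = namedtuple("Group", "name domain auth_type members")
Conflict = namedtuple("Conflict", "user_dn domain group requested configured")

def normalize_dn(dn):
    """Simplified DN normalization: trim and lowercase each RDN.
    Assumption: no escaped commas inside RDN values."""
    parts = []
    for rdn in dn.split(","):
        attr, _, value = rdn.partition("=")
        parts.append(f"{attr.strip().lower()}={value.strip().lower()}")
    return ",".join(parts)

def find_auth_conflicts(groups):
    """Walk groups in import order. The first authentication type seen for
    a user in a domain is treated as the configured one; a later group that
    requests a different type for the same user is reported."""
    configured = {}  # (domain, normalized DN) -> authentication type
    conflicts = []
    for g in groups:
        requested = g.auth_type.strip().lower()
        for dn in g.members:
            key = (g.domain.lower(), normalize_dn(dn))
            current = configured.setdefault(key, requested)
            if current != requested:
                conflicts.append(
                    Conflict(dn, g.domain, g.name, requested, current))
    return conflicts

# Constructed sample: UserA is a member of both groups in the same domain.
SAMPLE_GROUPS = [
    Group("GroupA", "domain-a.example", "ldap",
          ["CN=UserA,OU=Staff,DC=example,DC=com",
           "CN=UserB,OU=Staff,DC=example,DC=com"]),
    Group("GroupB", "domain-a.example", "ldap+radius",
          ["cn=usera, ou=Staff, dc=example, dc=com",
           "CN=UserC,OU=Staff,DC=example,DC=com"]),
]

if __name__ == "__main__":
    for c in find_auth_conflicts(SAMPLE_GROUPS):
        print(f"{c.user_dn}: {c.group} requests {c.requested}, "
              f"already configured as {c.configured}")
```

Aligning GroupA with GroupB's authentication type, as the Resolution describes, makes the same check return no conflicts.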