Configuring MFA for Local Users in CA PAM

Article ID: 431543

Updated On:

Products

CA Privileged Access Manager (PAM)

Issue/Introduction

How do you enforce MFA for local accounts in CA PAM?

This document outlines the process for enabling Multi-Factor Authentication (MFA) for users created locally within CA Privileged Access Manager (PAM).

Environment

All supported versions of CA PAM.

Resolution

This is high-level documentation for configuring MFA for users created locally in CA PAM.

Prerequisite:
This configuration is currently supported only when CA PAM is integrated with RSA SecurID as the MFA provider.

Phase 1: Integration & User Provisioning

Before modifying user settings, ensure the underlying infrastructure is synchronized.

  1. Configure RSA Integration: Follow the official Broadcom documentation to establish the connection between CA PAM and your RSA SecurID environment.

  2. Synchronize Identities: Ensure that the username created locally in CA PAM has a matching identity within the RSA Authentication Manager.

Phase 2: User Configuration

Once the identity exists in both systems, update the CA PAM user profile:

  1. Modify Authentication Method: Navigate to the local user’s settings and change the Authentication field from Local to RSA.

  2. Credential Preparation: Ensure the user has access to their RSA Token (Soft or Hard token) and their original CA PAM local password.


Phase 3: End-User Login Process

To log in successfully after MFA is enabled, the user must follow these steps:

  • Step 1: On the CA PAM login page, select RSA from the Authentication Method dropdown menu.

  • Step 2: Enter the local account username.

  • Step 3: When prompted, provide the RSA Token (the dynamically generated passcode) and the Local Password.

Additional Information

Troubleshooting & Verification

If a user is unable to authenticate, follow these verification steps: