SSH authentication failed for a challenged user with RSA Authentication Manager using REST protocol for RSA Authentication Agent 8.0.x for PAM
Originally Published: 2019-02-05
Applies To
RSA Product/Service Type: Authentication Agent for PAM
RSA Version/Condition: 8.0.x
Platform: Linux
Issue
- The RSA Authentication Agent 8.0.x for PAM is installed on a supported platform.
- The RSA Authentication Agent 8.0.x for PAM is installed with the REST protocol as the operation method:
#OPERATION_MODE :: To enable the agent operating mode choose one of the option.
# :: 0 UDP Protocol
# :: 1 SID REST Service
# :: 2 MFA REST Service
# default value is 0
OPERATION_MODE=1
- The RSA Authentication Agent for PAM installed with UDP protocol as an operation method works fine when the challenged user logs into the machine through SSH.
- With the REST protocol, the challenged user is not prompted for a passcode but for a password, which does not happen when the agent is installed with the UDP protocol as the operation method.
- After enabling DEBUG logging for the REST protocol, /var/ace/log/mfa_rest.log shows the following error:
INFO (../src/ConnectionHandler/ConnectionHandler.cpp:355) - Connecting to Server: https://am83p.vcloud.local:6666/mfa/v1_1/authn
ERROR (../src/ConnectionHandler/ConnectionHandler.cpp:359) - Failed to connect.Curl error code: 60
Cause
The agent logs "Failed to connect. Curl error code: 60". Curl error code 60 means the server's TLS certificate could not be verified against the CA certificates known to the agent, so the HTTPS connection to the Authentication Manager REST service is dropped before any authentication request is sent.
Resolution
- Using the procedure in knowledge article 000036639 - How to export RSA SecurID Access Authentication Manager or Cloud Authentication Service Root Certificate, extract the RSA Authentication Manager primary server root certificate.
- Using a secure copy client such as WinSCP, copy the exported certificate to any location on the machine where the RSA Authentication Agent for PAM is installed.
- Log in as the root user to the Linux server on which the PAM agent is installed.
- Navigate to /var/ace/conf on the Linux server and edit the mfa_api.properties file. In the example below the certificate was copied to /var/ace:
CA_CERT_FILE_PATH=/var/ace/AM84RootCA.cer
- Open an SSH session and try to authenticate with a challenged user.
- Enter the RSA passcode at the next prompt and verify that the authentication succeeds.
- After successful authentication with a passcode, the mfa_rest.log located in directory /var/ace/log shows the following messages:
(../src/ConnectionHandler/ConnectionHandler.cpp:355) - Connecting to Server: https://am83p.vcloud.local:6666/mfa/v1_1/authn
(../src/ConnectionHandler/ConnectionHandler.cpp:425) - Successfully got response!
(../src/ConnectionHandler/ConnectionHandler.cpp:444) - The response is {"context":{"authnAttemptId":"53034944-93fd-4163-8401-f3368126c487","messageId":"a05a90fe-417f-47fe-8771-83d281f787ab","inResponseTo":"acd947a0-295f-11e9-8c89-005056011612"},"credentialValidationResults":[{"methodId":"SECURID","methodResponseCode":"SUCCESS","methodReasonCode":null,"authnAttributes":[]}],"attemptResponseCode":"SUCCESS","attemptReasonCode":"CREDENTIAL_VERIFIED","challengeMethods":{"challenges":[{"methodSetId":null,"requiredMethods":[]}]}}
(../src/auth/MFAVerifyProcessor.cpp:143) - processing response from AM for Verify Request
(../src/auth/MFAVerifyProcessor.cpp:240) - completed processing response from AM for Verify Request
(../src/auth/AuthnHandler.cpp:61) - Result prompt string: Authentication Success
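As an added check that is not part of the RSA article, the following script reads CA_CERT_FILE_PATH from mfa_api.properties and asks curl to verify the Authentication Manager's TLS certificate with that CA, so that curl exit code 60 (the error logged above) can be reproduced and told apart from DNS, firewall or handshake failures before retrying the SSH login. The properties file location, the endpoint URL taken from the log, and the 10-second timeout are assumptions.

```shell
#!/bin/sh
# Added example, not part of the RSA article: preflight check for the PAM
# agent's REST mode. It reads CA_CERT_FILE_PATH from mfa_api.properties and
# asks curl to verify the Authentication Manager's TLS certificate with that
# CA. curl exit code 60 is the same failure the agent logs as
# "Curl error code: 60". Assumed: properties file location, the endpoint
# URL from the log above, and a 10 s timeout.

PROPERTIES_FILE="${PROPERTIES_FILE:-/var/ace/conf/mfa_api.properties}"
AM_URL="${AM_URL:-https://am83p.vcloud.local:6666/mfa/v1_1/authn}"

# read_property FILE KEY: print KEY's value (last occurrence wins), ignoring
# '#' comment lines and whitespace around '=' and at end of line.
read_property() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" \
        | sed 's/[[:space:]]*$//' | tail -n 1
}

# explain_curl_code CODE: map the curl exit codes that matter for this
# problem to a short diagnosis.
explain_curl_code() {
    case "$1" in
        0)  echo "TLS verification and HTTPS request succeeded" ;;
        6)  echo "could not resolve the Authentication Manager hostname (DNS)" ;;
        7)  echo "TCP connection refused or blocked (service down or firewall)" ;;
        35) echo "TLS handshake failed (protocol or cipher mismatch)" ;;
        60) echo "server certificate not verifiable with CA_CERT_FILE_PATH (missing, unreadable or wrong root CA)" ;;
        *)  echo "curl exit code $1 (see EXIT CODES in 'man curl')" ;;
    esac
}

# probe_am_rest: run the check; the return value is curl's exit code, or 60
# when the CA file setting itself is unusable (same symptom as in the log).
probe_am_rest() {
    ca_file=$(read_property "$PROPERTIES_FILE" CA_CERT_FILE_PATH)
    if [ -z "$ca_file" ] || [ ! -r "$ca_file" ]; then
        echo "CA_CERT_FILE_PATH unset or unreadable: '$ca_file'" >&2
        return 60
    fi
    rc=0
    # No --fail: an HTTP error status is fine here, only TLS verification matters.
    curl --silent --show-error --output /dev/null --max-time 10 \
         --cacert "$ca_file" "$AM_URL" || rc=$?
    echo "$AM_URL: $(explain_curl_code "$rc")"
    return "$rc"
}
```

Run `probe_am_rest` on the agent host as root; a return value of 0 means the configured CA verifies the server, and 60 means the CA_CERT_FILE_PATH setting still needs fixing.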