000037161 - SSH authentication failed for a challenged user with RSA Authentication Manager using REST protocol for RSA Authentication Agent 8.0.x for PAM

Document created by RSA Customer Support Employee on Mar 1, 2019
Version 1

Article Content

Article Number: 000037161
Applies To: RSA Product Set: SecurID
RSA Product/Service Type: Authentication Agent for PAM
RSA Version/Condition: 8.0.x
Platform: Linux
Issue
  • The RSA Authentication Agent 8.0.x for PAM is installed on a supported platform.
  • The RSA Authentication Agent 8.0.x for PAM is installed with the REST protocol as its operation method:

#OPERATION_MODE :: To enable the agent operating mode choose one of the option.
# :: 0 UDP Protocol
# :: 1 SID REST Service
# :: 2 MFA REST Service
# default value is 0
OPERATION_MODE=1


  • The RSA Authentication Agent for PAM installed with UDP protocol as an operation method works fine when the challenged user logs into the machine through SSH.
  • Over the REST protocol the challenged user is not prompted for a passcode but for a password, which is not the behavior observed when the agent is installed with the UDP protocol as the operation method.
  • After enabling DEBUG logging for the REST protocol, /var/ace/log/mfa_rest.log shows the following error:

INFO (../src/ConnectionHandler/ConnectionHandler.cpp:355) - Connecting to Server: https://am83p.vcloud.local:6666/mfa/v1_1/authn
ERROR (../src/ConnectionHandler/ConnectionHandler.cpp:359) - Failed to connect.Curl error code: 60
Cause

The CA certificate file configured on the client where the Authentication Agent for PAM is installed is not the correct root certificate of the Authentication Manager primary server, so libcurl cannot verify the server's TLS certificate when the agent connects over REST. Curl error code 60 means the peer certificate could not be authenticated against the known CA certificates.

Error - Failed to connect.Curl error code: 60
Resolution

To resolve this issue, follow the steps below:
  1. Using the procedure in knowledge article 000036639 - How to export RSA SecurID Access Authentication Manager or Cloud Authentication Service Root Certificate, extract the RSA Authentication Manager primary server root certificate.
  2. Copy the exported certificate to any location on the machine where the RSA Authentication Agent for PAM is installed, using a secure copy client such as WinSCP.
  3. Log in as the root user to the Linux server on which the PAM agent is installed.
  4. Navigate to /var/ace/conf on the Linux server and edit the mfa_api.properties file so that CA_CERT_FILE_PATH points to the copied certificate. In the example below the certificate was copied to /var/ace:

CA_CERT_FILE_PATH=/var/ace/AM84RootCA.cer


  5. Open an SSH session and try to authenticate as a challenged user.
  6. Enter the RSA passcode at the next prompt and verify that the authentication succeeds.
  7. After successful authentication with a passcode, the mfa_rest.log in /var/ace/log shows the following messages:

(../src/ConnectionHandler/ConnectionHandler.cpp:355) - Connecting to Server: https://am83p.vcloud.local:6666/mfa/v1_1/authn
(../src/ConnectionHandler/ConnectionHandler.cpp:425) - Successfully got response!
(../src/ConnectionHandler/ConnectionHandler.cpp:444) - The response is {"context":{"authnAttemptId":"53034944-93fd-4163-8401-f3368126c487","messageId":"a05a90fe-417f-47fe-8771-83d281f787ab","inResponseTo":"acd947a0-295f-11e9-8c89-005056011612"},"credentialValidationResults":[{"methodId":"SECURID","methodResponseCode":"SUCCESS","methodReasonCode":null,"authnAttributes":[]}],"attemptResponseCode":"SUCCESS","attemptReasonCode":"CREDENTIAL_VERIFIED","challengeMethods":{"challenges":[{"methodSetId":null,"requiredMethods":[]}]}}
(../src/auth/MFAVerifyProcessor.cpp:143) - processing response from AM for Verify Request
(../src/auth/MFAVerifyProcessor.cpp:240) - completed processing response from AM for Verify Request
(../src/auth/AuthnHandler.cpp:61) - Result prompt string: Authentication Success
Notes

See the libcurl error codes for detailed information on curl errors.
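The checks an administrator runs by hand in the steps above (is the agent actually in REST mode, does CA_CERT_FILE_PATH point at a readable certificate, and what does the curl error code in mfa_rest.log mean) can be scripted. The following triage script is an added example for this article, not RSA code; it assumes only the property keys (OPERATION_MODE, CA_CERT_FILE_PATH) and the log line formats shown on this page, and the sample properties and log text it embeds are constructed from those snippets.

```python
"""Offline triage of REST-mode failures in the RSA Authentication Agent for PAM.
Added example, not RSA code: assumes the OPERATION_MODE / CA_CERT_FILE_PATH keys
of mfa_api.properties and the "Curl error code: N" lines of mfa_rest.log."""
import os
import re
import tempfile

# Meanings of libcurl error codes commonly seen in mfa_rest.log (from libcurl's
# published error list; 60 is the one this article is about).
CURL_ERRORS = {
    6: "could not resolve host",
    7: "could not connect to host/port",
    28: "operation timed out",
    35: "TLS handshake failed",
    60: "peer certificate could not be verified with the configured CA certificate",
}
CURL_RE = re.compile(r"Curl error code:\s*(\d+)")
SERVER_RE = re.compile(r"Connecting to Server:\s*(\S+)")

def parse_properties(text):
    """Parse key=value lines of mfa_api.properties; '#' lines are comments."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props

def parse_log(text):
    """Return (last server URL seen, list of curl error codes) from the log."""
    server, codes = None, []
    for line in text.splitlines():
        m = SERVER_RE.search(line)
        if m:
            server = m.group(1)
        m = CURL_RE.search(line)
        if m:
            codes.append(int(m.group(1)))
    return server, codes

def looks_like_certificate(path):
    """Cheap sanity check: the file is readable and starts like PEM or DER."""
    try:
        with open(path, "rb") as fh:
            head = fh.read(32)
    except OSError:
        return False
    return head.startswith(b"-----BEGIN CERTIFICATE-----") or head[:1] == b"\x30"

def triage(properties_text, log_text):
    """Explain, as a list of findings, why REST authentication may be failing."""
    props = parse_properties(properties_text)
    server, codes = parse_log(log_text)
    findings = []
    if props.get("OPERATION_MODE", "0") == "0":
        findings.append("OPERATION_MODE=0: agent uses UDP, REST CA settings are not in use")
        return findings
    ca_path = props.get("CA_CERT_FILE_PATH")
    ca_ok = bool(ca_path) and looks_like_certificate(ca_path)
    if not ca_path:
        findings.append("CA_CERT_FILE_PATH is not set in mfa_api.properties")
    elif not ca_ok:
        findings.append(f"CA_CERT_FILE_PATH={ca_path} is missing or not a PEM/DER certificate")
    for code in codes:
        meaning = CURL_ERRORS.get(code, "see the libcurl error code list")
        findings.append(f"curl error {code} contacting {server or 'server'}: {meaning}")
        if code == 60 and ca_ok:
            findings.append("the CA file is readable but does not chain to the server "
                            "certificate; re-export the Authentication Manager root certificate")
    return findings

def make_placeholder_cert():
    """Write a constructed PEM-shaped placeholder (not a real certificate) to a temp file."""
    fd, path = tempfile.mkstemp(suffix=".cer")
    with os.fdopen(fd, "w") as fh:
        fh.write("-----BEGIN CERTIFICATE-----\nPLACEHOLDER-NOT-A-REAL-CERT\n-----END CERTIFICATE-----\n")
    return path

# Constructed sample inputs modelled on the article's snippets (WrongRootCA.cer is a placeholder path).
SAMPLE_PROPERTIES_BROKEN = "OPERATION_MODE=1\nCA_CERT_FILE_PATH=/var/ace/WrongRootCA.cer\n"
SAMPLE_LOG_BROKEN = (
    "INFO (../src/ConnectionHandler/ConnectionHandler.cpp:355) - Connecting to Server: "
    "https://am83p.vcloud.local:6666/mfa/v1_1/authn\n"
    "ERROR (../src/ConnectionHandler/ConnectionHandler.cpp:359) - Failed to connect.Curl error code: 60\n"
)
SAMPLE_LOG_OK = (
    "(../src/ConnectionHandler/ConnectionHandler.cpp:355) - Connecting to Server: "
    "https://am83p.vcloud.local:6666/mfa/v1_1/authn\n"
    "(../src/ConnectionHandler/ConnectionHandler.cpp:425) - Successfully got response!\n"
)

if __name__ == "__main__":
    for finding in triage(SAMPLE_PROPERTIES_BROKEN, SAMPLE_LOG_BROKEN):
        print("-", finding)
```

Run against the real files with `triage(open("/var/ace/conf/mfa_api.properties").read(), open("/var/ace/log/mfa_rest.log").read())`. The certificate check is deliberately shallow (file present and PEM/DER-shaped); a curl error 60 with a readable CA file is the case this article describes, where the file is a certificate but not the one that issued the Authentication Manager server certificate.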