Skip navigation

Log in to create and rate content, and to follow, bookmark, and share content with other members.

000037161 - SSH authentication failed for a challenged user with RSA Authentication Manager using REST protocol for RSA Authentication Agent 8.0.x for PAM

Document created by RSA Customer Support

on Mar 1, 2019

Version 1Show Document

Like • Show 0 Likes0
Comment • 0
View in full screen mode

Article Content

Article Number	000037161
Applies To	RSA Product Set : SecurID RSA Product/Service Type: Authentication Agent for PAM RSA Version/Condition: 8.0.x Platform : Linux<
Issue	The RSA Authentication Agent 8.0.x for PAM is installed on a supported platform. The RSA Authentication Agent 8.0.x for PAM is installed with REST protocol as a operation method. #OPERATION_MODE :: To enable the agent operating mode choose one of the option. # :: 0 UDP Protocol # :: 1 SID REST Service # :: 2 MFA REST Service # default value is 0 OPERATION_MODE=1 The RSA Authentication Agent for PAM installed with UDP protocol as an operation method works fine when the challenged user logs into the machine through SSH. The challenged user is not prompted for a passcode, but instead is prompted for a password which is not a behavior observed when the agent is installed using the UDP protocol as operation method. After enabling the DEBUG for the REST protocol, the /var/ace/log/mfa_rest.log shows the following error: INFO (../src/ConnectionHandler/ConnectionHandler.cpp:355) - Connecting to Server: https://am83p.vcloud.local:6666/mfa/v1_1/authn ERROR (../src/ConnectionHandler/ConnectionHandler.cpp:359) - Failed to connect.Curl error code: 60
Cause	The issue is due to an incorrect SSL root certificate from the Authentication Manger primary server being used on the client where the Authentication Agent for PAM is installed. Error - Failed to connect.Curl error code: 60
Resolution	To resolve this issue, follow the steps below: Using the procedure in knowledge article 000036639 - How to export RSA SecurID Access Authentication Manager or Cloud Authentication Service Root Certificate, extract the RSA Authentication Manager primary server root certificate. Copy the generated certificate to any location on the machine where the RSA Authentication Agent for PAM is installed using a secure copy client such as WinSCP. Login as the root user to the Linux server on which the PAM agent is installed. Navigate to /var/ace/conf on the Linux server and edit the mfa_api.properties file, In the example below the certificate is copied to /var/ace: CA_CERT_FILE_PATH=/var/ace/AM84RootCA.cer Open a SSH session and try to authenticate with a challenged user. Enter the RSA passcode at the next prompt and verify that the authentication succeeds. After successful authentication with a passcode, the mfa_rest.log located in directory /var/ace/log shows the following message (../src (../src/ConnectionHandler/ConnectionHandler.cpp:355) - Connecting to Server: https://am83p.vcloud.local:6666/mfa/v1_1/authn (../src/ConnectionHandler/ConnectionHandler.cpp:425) - Successfully got response! (../src/ConnectionHandler/ConnectionHandler.cpp:444) - The response is {"context":{"authnAttemptId":"53034944-93fd-4163-8401-f3368126c487","messageId":"a05a90fe-417f-47fe-8771-83d281f787ab","inResponseTo":"acd947a0-295f-11e9-8c89-005056011612"},"credentialValidationResults":[{"methodId":"SECURID","methodResponseCode":"SUCCESS","methodReasonCode":null,"authnAttributes":[]}],"attemptResponseCode":"SUCCESS","attemptReasonCode":"CREDENTIAL_VERIFIED","challengeMethods":{"challenges":[{"methodSetId":null,"requiredMethods":[]}]}} (../src/auth/MFAVerifyProcessor.cpp:143) - processing response from AM for Verify Request (../src/auth/MFAVerifyProcessor.cpp:240) - completed processing response from AM for Verify Request (../src/auth/AuthnHandler.cpp:61) - Result prompt string: Authentication Success
Notes	See libcurl error codes for detailed information on CURL errors.

Attachments

Outcomes

0 Comments

Recommended Content