Authentication error for a challenged user with RSA Authentication Manager using REST protocol for RSA Authentication Agent 8.x for PAM
2 years ago
Originally Published: 2019-06-21
Article Number
000040944
Applies To
RSA Product Set: SecurID
RSA Product/Service Type: Authentication Agent for PAM
RSA Version/Condition: 8.x
Platform: Linux
Issue
The RSA Authentication Agent 8.x for PAM is installed on a supported platform with REST protocol as a operation method and the SSH service is configured to be challenged with RSA passcode.
  • When the challenged users trying logging into the machine through SSH they are getting below error.
User-added image
  • After enabling the DEBUG for the REST protocol, the /var/ace/log/mfa_rest.log shows either of following errors:
INFO (../src/ConnectionHandler/ConnectionHandler.cpp:355) - Connecting to Server: https://amv84p.example.com:5555/mfa/v1_1/authn
ERROR (../src/ConnectionHandler/ConnectionHandler.cpp:359) - Failed to connect.Curl error code: 6
 
or 
 
INFO (../src/ConnectionHandler/ConnectionHandler.cpp:355) - Connecting to Server: https://amv84p.example.com:5555/mfa/v1_1/authn
ERROR (../src/ConnectionHandler/ConnectionHandler.cpp:359) - Failed to connect.Curl error code: 28
 
Cause

Curl error code 6

The error displays on the machine where the Authentication Agent for PAM is installed when the agent is unable to resolve the Authentication Manager server hostname.
 

Curl error code 28

The error displays on the machine where the Authentication Agent for PAM is installed when the agent is not able get the authentication response from the Authentication Manager servers before it timeouts.
 
Resolution
Follow the steps outlined below to resolve the issues.
 

For Curl error code 6

  1. In client system, where pam agent is installed, Login as root user and edit hosts file. Run below command for that.
vi /etc/hosts
  1. Enter the IP addresses and fully qualified domain names of the primary and replica Authentication Manager servers.  For example, 
192.168.1.10 amv84p.example.com #AM primary
102.168.1.11 amv84r.example.com #AM replica
  1. Save the changes.
  2. Open an SSH session and try to authenticate with a challenged user. This time it will prompt for passcode.
  3. Enter the RSA passcode and verify that the authentication succeeds.



For Curl error code 28

  1. On a client system, where the Authentication Agent for PAM is installed, login as the root user.
  2. Navigate to /var/ace/conf on the Linux server and edit the mfa_api.properties file.
  3. Change the CONNECT_TIMEOUT value to 120 and the READ_TIMEOUT value to 160.
  4. Save and close the file.
  5. Open an SSH session and try to authenticate with a challenged user. This time it will prompt for passcode.
  6. Enter the RSA passcode and verify that the authentication succeeds.
Don't see what you're looking for?