Unexpected additional authentication methods displayed by the RSA MFA Agent or a custom RSA Authentication API client
Article Number
000072084
Applies To
RSA ID Plus
RSA Cloud Authentication Service
RSA MFA Agent for ADFS v3.0 and earlier
RSA MFA Agent for Citrix StoreFront v3.0 and earlier
RSA MFA Agent for Epic Hyperdrive v2.0 and earlier
RSA MFA Agent for macOS v1.4.2 and earlier
RSA MFA Agent for PAM (all platforms) v9.0 and earlier
RSA MFA Agent for Windows v2.3.1 and earlier

Issue
The user is authenticating with an RSA MFA Agent or a custom RSA Authentication API client that is configured to connect either directly to the RSA Cloud Authentication Service, or indirectly to the Cloud Authentication Service using RSA Authentication Manager as a secure proxy.

The connection from the MFA Agent or custom client to the Cloud Authentication Service is online.

The MFA Agent or custom client supports only 1.0 Access Policies.

An Access Policy has been configured in the MFA Agent or custom client.

The user is able to complete primary authentication successfully, but the available additional authentication methods are incorrect according to the Rule Sets page of the Access Policy. Either:
  • The list of additional authentication methods does not match the Assurance Level configured on the Access Policy's Rule Sets page, or
  • The Access Policy is configured not to prompt the user for additional authentication, but they are being prompted for it, or
  • The user is registered for at least one of the additional authentication methods in the Assurance Level that should have been applied, but additional authentication fails because the user is not registered for any of the available methods, or
  • When using a custom client, an unexpected list of challengeMethods is received in the AuthNResponse from the server.
Cause
The Access Policy configured for the MFA Agent or custom client is a 2.0 policy with authentication methods configured on the Primary Authentication tab.
The Agent is prompting the user for additional authentication with the option to use one or more of the methods listed on the Access Policy's Primary Authentication tab.
This is expected behaviour when an MFA Agent or custom client that expects a 1.0 Access Policy is configured with a 2.0 Access Policy.
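For a custom RSA Authentication API client, the symptoms listed under Issue can be caught in code before a user sees an unexplained prompt. The following Python diagnostic is an added example, not RSA's code and not part of this article: it extracts the methodIds from the challengeMethods block of an AuthNResponse, compares them with the methods the client expects from the policy's Assurance Level and with the methods the user is registered for, and reports each mismatch so that an operator knows to check whether the policy is a 2.0 policy. The JSON layout used for challengeMethods, the method names, and the expected/registered sets are all assumptions constructed for the example; adapt the field names to the responses your client actually receives.

```python
import json

# Constructed sample of an AuthNResponse fragment. The field layout
# (challengeMethods -> challenges -> versionedMethods -> methodId) is an
# assumption about the response shape, not a captured message.
SAMPLE_RESPONSE = json.dumps({
    "attemptResponseCode": "CHALLENGE",
    "challengeMethods": {
        "challenges": [
            {
                "methodSetId": "set-1",
                "versionedMethods": [
                    {"methodId": "Tokencode", "versionId": "1.0"},
                    {"methodId": "Emergency_Tokencode", "versionId": "1.0"},
                ],
            }
        ]
    },
})

# Methods the Rule Set's Assurance Level should offer for this policy
# (assumption: copied from the policy as configured in the console).
EXPECTED_METHODS = frozenset({"SecurID", "Approve"})

# Methods this user is registered for (assumption: known from enrollment).
REGISTERED_METHODS = frozenset({"Approve"})


def offered_methods(response_text: str) -> set:
    """Collect every methodId the server offers as additional authentication.

    Returns an empty set when the response carries no challenge at all, which
    is the correct outcome for a policy that does not prompt for a second step.
    """
    response = json.loads(response_text)
    methods = set()
    challenge_block = response.get("challengeMethods") or {}
    for challenge in challenge_block.get("challenges", []):
        for versioned in challenge.get("versionedMethods", []):
            method_id = versioned.get("methodId")
            if method_id:
                methods.add(method_id)
    return methods


def diagnose(offered, expected, registered, prompts_additional=True):
    """Compare what the server offered with what the 1.0 policy should do.

    Each returned string is one symptom from the article. Any of them is a cue
    to check whether the Access Policy is a 2.0 policy (Primary Authentication
    enabled), since a 1.0-only client then prompts with the primary methods.
    """
    offered, expected, registered = set(offered), set(expected), set(registered)
    findings = []
    if not prompts_additional and offered:
        findings.append(
            "policy should not prompt for additional authentication, "
            f"but the server challenged with {sorted(offered)}")
    elif prompts_additional and offered != expected:
        findings.append(
            f"offered methods {sorted(offered)} differ from the Assurance Level "
            f"methods {sorted(expected)}")
    if offered and registered & expected and not (offered & registered):
        findings.append(
            "user is registered for an expected method but none of the "
            f"offered methods {sorted(offered)} is one they are registered for")
    return findings


if __name__ == "__main__":
    offered = offered_methods(SAMPLE_RESPONSE)
    for finding in diagnose(offered, EXPECTED_METHODS, REGISTERED_METHODS):
        print("WARNING:", finding, "- verify the Access Policy is a 1.0 policy")
```

Running the block on the constructed sample produces two warnings: the offered methods differ from the Assurance Level, and the user is not registered for any offered method. Both map to the Cause above, so logging them alongside the policy name gives the administrator exactly what they need to switch the policy to 1.0 or to repoint the agent at a 1.0 policy.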
Resolution
Do one of the following:
  • Modify the MFA Agent configuration to configure a 1.0 Access Policy, or
  • In the Cloud Administration Console, edit the Access Policy that the MFA Agent is using to change it to a 1.0 policy. To do that, on the Primary Authentication tab of the policy, set it to Disable primary authentication.
1.0 Access Policy example
Notes
  • A 1.0 Access Policy is one that has Primary Authentication disabled.
  • A 2.0 Access Policy is one that has Primary Authentication enabled.
  • At the time of writing this article, all MFA Agent versions support only 1.0 Access Policies. If you have a later MFA Agent version than what is listed in this Knowledgebase article, check the documentation for your RSA MFA Agent type and version to determine whether it supports a 1.0 or 2.0 Access Policy.