Enabling users for PAM Authentication

The PAM Authentication is performed against the user's IBM® MFA-specific password. Password authentication is a weak authentication method and you must use it in addition to at least one other authentication method.

About this task

To enable users for PAM Authentication, complete the following steps:


  1. In the IBM MFA GUI, click the User Provisioning tab.
  2. Click the plus sign (+) control.
  3. Enter the ID for the user. The ID is the user name associated with the effective client user ID. IBM MFA automatically saves the user ID in lowercase.
  4. Enter the Name for the user. This is a name of your choice.
  5. Enter an MFA password of your choice.
  6. Click Save.
  7. The Policies table shows all of the policies assigned to the user. Click + in the Policies section.
    The All Policies table shows all of the available policies.
  8. Select one or more policies.
    Important: For PAM client authentication, if you do not assign one or more authentication methods, the user is treated as if password fallback is enabled, irrespective of the password fallback setting for that user account. For information about password fallback, see Setting password fallback.
  9. Click Confirm.
    The Authentication Methods table lists the configured authentication methods for the policy.
  10. Select the PAM Authentication authentication method.
  11. Set Active to On for the authentication method.
  12. Click Confirm.
  13. The CTC Failure Count is the number of times a user consecutively fails to provide a valid credential, based on the Max CTC Check Failures Before Suspension setting in Configuring server options. If the user exceeds this limit, the Suspended control it set. You must disable the Suspended control before the user can log in.
  14. Inform users to use the IBM MFA Out-of-Band web server login page that you configured, such as
    where port is the server authentication port you configured and policy-name is the policy the user must use. You may want to have the user bookmark this URL.
  15. When the user visits the IBM MFA Out-of-Band web login page,
    user-specific information about the methods required for the user to log in is displayed. Remind the user to use their MFA password. The MFA password is a special password that allows the user to log in to the IBM MFA server for IBM MFA-specific actions.