A passcode format error received in the Authentication Manager 7.1 or 8.x real time activity monitor is the same as the syntax error from Authentication Manager 6.1. That is, a user is entering fewer characters or more characters than expected for their passcode. For example, if the user's PIN is 1234 and the tokencode is 567890, the server is expecting a passcode of 1234567890. If the user enters 12345678 or 12345678900, the monitor will throw a passcode format error.
- Confirm that the user is entering the correct tokencode or passcode. Note that users with RSA SecurID software tokens may embed their PIN into the tokencode and will enter just six or eight characters when authenticating, rather than the PIN + tokencode.
- Testing authentication with a fixed passcode will rule out time synchronization issues with the token and Authentication Manager server.
If the RADIUS shared secret on the RADIUS client (e.g., Cisco ASA or VPN) and in the RADIUS Client entry on the Authentication Manager server do not match, all users will fail with the passcode format error or syntax error. If even one user can authenticate against the agent, then the issue is not with the RADIUS shared secret.
If using RADIUS as the authentication protocol, test a simple RADIUS shared secret to rule out this issue.
- On the RADIUS client, create a simple shared secret such as 12345.
- From Host Mode or the Security Console, navigate to RADIUS > RADIUS Client and edit the device in question to input the new secret.
- With the authentication activity monitor open, test authentication.
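Why a mismatched shared secret shows up as a format error rather than a bad-passcode error, as an added example that is not from the original article or from RSA's code: assuming the RADIUS client sends the passcode as a PAP User-Password attribute (RFC 2865 section 5.2), the server unmasks it with its own copy of the secret, so a different secret yields bytes that no longer look like a passcode. The Request Authenticator and the mismatched secret are constructed values, and `looks_like_passcode` is a hypothetical stand-in for the server's length check.

```python
import hashlib

def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 5.2 User-Password hiding, as done by the RADIUS client."""
    padded = password + b"\x00" * (-len(password) % 16)  # pad to 16-byte blocks
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()        # b_i = MD5(S + c_(i-1))
        block = bytes(p ^ m for p, m in zip(padded[i:i + 16], mask))
        out += block
        prev = block                                      # chain on ciphertext
    return out

def recover_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse step, as done by the server with ITS copy of the shared secret."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        mask = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + 16]
        out += bytes(c ^ m for c, m in zip(block, mask))
        prev = block
    return out.rstrip(b"\x00")                            # drop the padding

def looks_like_passcode(value: bytes, min_len: int = 6, max_len: int = 14) -> bool:
    """Hypothetical check: 6-14 characters and a numeric six-digit tokencode part."""
    return min_len <= len(value) <= max_len and value[-6:].isdigit()

def demo():
    authenticator = bytes(range(16))   # constructed Request Authenticator
    passcode = b"1234556677"           # PIN 1234 + tokencode 556677 (from the article)
    hidden = hide_password(passcode, b"12345", authenticator)
    same = recover_password(hidden, b"12345", authenticator)
    # Constructed mismatched secret on the server side
    different = recover_password(hidden, b"not-the-same-secret", authenticator)
    return same, different

if __name__ == "__main__":
    same, different = demo()
    print("matching secret  :", same, looks_like_passcode(same))
    print("mismatched secret:", different.hex(), looks_like_passcode(different))
```

Because the unmasking never fails outright, the server has no way to tell a wrong secret from a malformed passcode, which is why every user on that RADIUS client sees the same error.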
In one support case, users were trying to authenticate with their Active Directory Windows password instead of a SecurID tokencode or passcode.
- Users with assigned tokens got the passcode format error because the password they entered was not numeric and did not match the number of digits expected by the server.
- Users without an assigned token got a "failed to resolve" or "authenticator not assigned" error in the activity monitor.
Why users were doing this was a customer training issue, but an alphanumeric password is an incorrectly formatted passcode, since at least the tokencode part of a passcode is numeric.
|Notes||Passcode format errors or syntax errors are shown in the authentication activity monitor when passcodes provided to the Authentication Manager server are not the expected length.|
|Token Type||Mode||Passcode Definition||Input Values||Reason for Passcode Format Error|
|Hardware Token||New PIN Mode||Six-character tokencode on display||Only the six characters displayed on the token||Input contains more or fewer than six characters.|
| ||PIN Established||PIN value and the tokencode on the display||PIN + tokencode. PINs may be 4-8 characters. Once a PIN is established, input the PIN and tokencode with no spaces. For example, if the PIN is 1234 and the tokencode is 556677, the input value would be 1234556677.||Input contains fewer than 10 or more than 14 characters. PIN parameters can be 4-8 characters. When a PIN is established, regardless of its length, the server would expect 10 - 14 characters.|
| ||Next Tokencode Mode||Technically Next Tokencode Mode would be to enter the six characters displayed on the token. SecurID was modified so that the next tokencode value could be either the tokencode or the PIN + tokencode.||Tokencode or PIN + tokencode. For example, if the PIN is 1234 and the tokencode is 556677, the input could be either 1234556677 or 556677.||Input contains fewer than 6 or more than 14 characters. PIN parameters can be 4-8 characters. When a PIN is established, regardless of its length, the server would expect 6 - 14 characters.|
|Software Token||Passcode display or PINPad type where the PIN is entered into the software token app and then embedded into the passcode||Passcode display or PINPad type||The PIN is entered into the RSA SecurID software token app, embedded into the tokencode, with no carryover to a ninth digit||Both the tokencode and passcode are the same length, either six or eight digits.|