000027533 - Passcode format error or syntax error when authenticating to an agent or VPN with an RSA SecurID token

Document created by RSA Customer Support Employee on Jun 14, 2016Last modified by RSA Customer Support Employee on Apr 14, 2017
Version 2Show Document
  • View in full screen mode

Article Content

Article Number000027533
Applies ToRSA Product Set: SecurID
RSA Product/Service Type: Authentication Manager
RSA Version/Condition: 2.0, 3.0. 6.x, 7.1, 8.x
IssueThe Authentication Activity monitor is reporting one of the following errors for users when authenticating from an RSA Authentication Agent or VPN client to RSA Authentication Manager versions 6.x, 7.x and 8.x, including the RSA SecurID Appliance 2.0 and 3.0:
  • Passcode format error
  • Syntax error
Two possibilities on configuration:
  • Native SecurID UDP port 5500 UDP (aka SDI on Cisco), or
  • RADIUS port 1812 UDP or 1645 UDP

General Troubleshooting

A passcode format error received in the Authentication Manager 7.1  or 8.x real time activity monitor is the same as the syntax error from Authentication Manager 6.1. That is, a user is entering fewer characters or more characters than expected for their passcode.  For example, if the user's PIN is 1234 and the tokencode is 567890, the server is expecting a passcode of 1234567890.  If the user enters 12345678 or 12345678900, the monitor will throw a passcode format error.  
To troubleshoot,

  • Confirm that the user is entering the correct tokencode or passcode.  Note that users with RSA SecurID software tokens may embed their PIN into the tokencode and will enter just six or eight characters when authenticating, rather than the PIN + tokencode.
  • Testing authentication with a fixed passcode will rule out time synchronization issues with the token and Authentication Manager server.

RADIUS Troubleshooting

If the RADIUS shared secret on the RADIUS client (e. g., Cisco ASA or VPN) and in the RADIUS Client entry on the Authentication Manager server does not match, this will cause all users to fail with the passcode format error or syntax error.  If even one user can authenticate against the agent, then the issue is not with the RADIUS shared secret.
If using RADIUS as the authentication protocol, test a simple RADIUS shared secret to rule out this issue issue.  

  1. On the RADIUS client, create a simple shared secret such as 12345.  
  2. From Host Mode or the Security Console, navigate to RADIUS > RADIUS Client and edit the device in question to input the new secret.  
  3. With the authentication activity monitor open, test authentication.

In one support case, users were trying to authenticate with their Active Directory Windows password instead of a SecurID tokencode or passcode.

  • Users with assigned tokens got the passcode format error because the expected passcode was not numeric and did not match the number of digits expected by the server.
  • Users without an assigned token got a failed to resolve or authenticator not assigned error in the activity monitor.  Why users were doing this was a customer training issue, but an alphanumeric password is an incorrectly formatted passcode (numeric - at least the tokencode part).
NotesPasscode format errors or syntax errors are shown in the authentication activity monitor when passcodes provided to the Authentication Manager server are not the expected length.


Token TypeModePasscode DefinitionInput ValuesReason for Passcode Format Error
Hardware TokenNew PIN ModeSix characters tokencode on displayOnly the six characters displayed on token
  • Input contains more or less than six characters.
 PIN EstablishedPIN value and the tokencode on the displayPIN + Tokencode. For example:
   Pins may be 4-8 characters. Once a PIN is established, input the PIN and tokencode with no spaces. For example, if the PIN is 1234
   and the tokencodes is 556677, the input value would be 1234556677.

  • Input contains less than 10 or more than 14 characters.
  • PIN parameters can be 4-8 characters.
  • When a PIN is established regardless of its length. the server would expect 10 - 14 characters.
 Next Tokencode ModeTechnically Next Tokencode Mode would be to enter the six characters displayed on the token. SecurID was modified so that the next tokencode value could be either the tokencode or the PIN + tokencode.Tokencode or PIN + tokencode.  For example, if the PIN is 1234 and the tokencode is 556677, the input could be either 1234556677 or 556677.

  • Input contains less than 6 or more than 14 characters.
  • PIN parameters can be 4-8 characters.
  • When a PIN is established regardless of its length the server would expect 6 - 14 characters.
Software TokenPasscode display or PINPad type where the PIN is entered into the software token app and then embedded into the passcodePasscode display or PINPad typeThe PIN is entered into the RSA Secur ID software token app, embedded to the tokencode, with no carryover to a ninth digit
  • Both the tokencode and passcode are same length, either six or eight digits

Legacy Article IDa43164