000032866 - New PIN Mode and Next Tokencode Mode fail after Cisco ASA upgrade to 9.1.7 in RSA Authentication Manager 8.x

Document created by RSA Customer Support Employee on Jun 14, 2016. Last modified by RSA Customer Support on Jan 8, 2020.
Version 5

Article Content

Article Number: 000032866

Applies To
RSA Product Set: SecurID
RSA Product/Service Type: Authentication Manager
RSA Version/Condition: 8.x
Platform (Other): Cisco ASA
O/S Version: ASA 9.1.7

Issue

New PIN Mode and Next Tokencode Mode always fail when using Cisco clients after the recent upgrade to ASA 9.1.7. After the upgrade:
  • Users are unable to set PINs for tokens.
  • Authentication fails when the next tokencode is entered.
The error shows on the Authentication Manager real-time activity monitor as follows:

Passcode format error and authentication failure

On the Cisco client, the error is:

Session operation failure processing request from agent

Resolution

This is Cisco bug CSCuy89425 (AAA: RSA/SDI unable to set new PIN), and it occurs with the RSA SecurID_Native protocol.

Possible workarounds include:

  1. Switch to the RADIUS protocol, as per the RSA SecurID Access Implementation Guide for the Cisco Adaptive Security Appliance (ASA).
  2. Authenticate from the Self-Service Console when a token is in New PIN Mode or Next Tokencode Mode.

For more details on how to resolve the issue for a Cisco VPN client or iPhone, review the documentation for CSCuy89425 (AAA: RSA/SDI unable to set new PIN).