000011731 - Explanation of Successful Authentication followed by Passcode Reuse and Bad tokencode seen in log

Document created by RSA Customer Support Employee on Jun 14, 2016Last modified by RSA Customer Support Employee on Apr 21, 2017
Version 2Show Document
  • View in full screen mode

Article Content

Article Number000011731
Applies ToUser authentication is denied
In Authentication Activity Log the following log messages are seen
User has not entered the same PIN and tokencode multiple times to authenticate
All RSA Authentication Manager Versions and Patch Levels
IssueExplanation of Successful Authentication followed by Passcode Reuse and Bad tokencode seen in log
Authentication Method success for user is seen
A short period later from the successful authentication (eg within 1 minute) Passcode reuse or previous tokencode detected for the same user
A short period later form the successful authentication Bad Tokencode but good PIN detected for serial number for the token assigned to this user
Authentication Method Failed for user. User is denied access
CauseThe following sequence of events explain why the user access is denied
  1. User enters the correct username and passcode on the authentication agent or radius client
  2. Authentication Agent or Radius client sends this information to Authentication Manager server A
  3. Authentication Manager Server A sees the packet and responds back to the agent with Authentication Success.
  4. Authentication Activity Log shows authentication success for this user
  5. The agent A never receives this reply packet, or it does not receive the packet before the timeout for the next authentication try. For example, if the agent retries communication every 5 seconds, then if the responds has not arrived within 5 seconds, then the next authentication attempt will occur.
  6. As the agent never receives the reply, it then makes another request to either the same or a different server
  7. The Authentication Manager responds to the request. As the passcode has already been used, then authentication is denied. The failure messages are written in the log
  8. Agent receives that access denied reply packet.
ResolutionTake a packet capture on the agent and on the authentication manager server to confirm that packets are correctly being received on the network
This is a network issue and not an issue with RSA Authentication Manager and so the network issues should be investigated.
Legacy Article IDa60212