000011731 - Explanation of successful authentication followed by passcode reuse and bad tokencode messages in RSA Authentication Manager authentication activity log

Document created by RSA Customer Support Employee on Jun 14, 2016. Last modified by RSA Customer Support on May 26, 2018.
Version 3

Article Number: 000011731
Applies To: RSA Product Set: SecurID
RSA Product/Service Type: Authentication Manager

Issue
This article explains why a user gets a successful authentication followed by passcode reuse and bad tokencode messages in the authentication activity log.
  • The user sees the message Authentication Method Failed and is denied access.
  • The user has not entered the same PIN and tokencode multiple times to authenticate.
  • In the Authentication Activity Log the following messages are seen:
      • Authentication Method success for the user.
      • A short time after the successful authentication (within one minute), passcode reuse or previous tokencode detected messages for the same user.
      • A short time after the successful authentication, Bad Tokencode but good PIN detected for the token assigned to this user.
Cause
The following sequence of events explains why the user's access is denied:
  1. The user enters the correct username and passcode on the authentication agent or RADIUS client.
  2. The authentication agent or RADIUS client sends this information to Authentication Manager server A.
  3. Authentication Manager server A sees the packet and responds back to the agent with Authentication Success.
  4. The Authentication Activity Log shows authentication success for this user.
  5. Authentication Agent A never receives this reply packet, or does not receive it before the timeout for the next authentication try. For example, if the agent retries every five seconds and the response has not arrived within five seconds, the next authentication attempt is sent.
  6. Because the agent never receives the reply, it makes another request, which goes to either the same server or a different server.
  7. The Authentication Manager responds to the request. As the passcode has already been used, the second authentication request is denied. The failure messages are written in the log.
  8. The agent receives the access denied reply packet.

If the client response delay is set to a large value (>6), the same behavior may occur: the client times out and resends the authentication request while the RSA server is still waiting because of the increased response delay.
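The following is an added example, not RSA's code, that models the sequence of events above and the response-delay variant in a few dozen lines. An AuthServer accepts each (user, tokencode) pair once and logs a second presentation as passcode reuse; an Agent resends the same passcode when no reply arrives within its retry timeout. The user names, PIN, tokencode, timings and log strings are constructed for illustration and the retry/timeout model is an assumption, not RSA Authentication Manager's actual agent protocol.

```python
"""Added example (not RSA's code): a model of the lost-reply race described
in this article.  Names, timings and log strings are constructed."""
from dataclasses import dataclass, field

AGENT_RETRY_TIMEOUT = 5.0   # assumed agent retry interval, per the article's example (seconds)


@dataclass
class AuthServer:
    pins: dict                        # constructed user -> PIN table
    response_delay: float = 2.0       # article: client response delay defaults to two seconds
    used: set = field(default_factory=set)
    activity_log: list = field(default_factory=list)

    def authenticate(self, user: str, pin: str, tokencode: str) -> str:
        """Validate one passcode (PIN + tokencode) and write the activity log."""
        if self.pins.get(user) != pin:
            self.activity_log.append(f"{user}: Bad PIN")
            return "Authentication Method Failed"
        if (user, tokencode) in self.used:
            # The same tokencode was accepted moments ago, so it is treated as a replay.
            self.activity_log.append(f"{user}: passcode reuse / previous tokencode detected")
            self.activity_log.append(f"{user}: Bad Tokencode but good PIN detected")
            return "Authentication Method Failed"
        self.used.add((user, tokencode))
        self.activity_log.append(f"{user}: Authentication Method success")
        return "Authentication Success"


@dataclass
class Agent:
    server: AuthServer
    retry_timeout: float = AGENT_RETRY_TIMEOUT
    max_attempts: int = 2

    def login(self, user, pin, tokencode, reply_latency=0.0, first_reply_lost=False):
        """Simulate one login in which the user types the passcode once.

        reply_latency:    network delay of the server's reply (seconds).
        first_reply_lost: the reply to the first request is dropped on the network.
        A reply that arrives after retry_timeout is ignored because the agent has
        already resent the request; the reply to the final attempt is taken as
        delivered (the article's step 8).  Returns (outcome, attempts_made).
        """
        for attempt in range(1, self.max_attempts + 1):
            reply = self.server.authenticate(user, pin, tokencode)
            dropped = attempt == 1 and first_reply_lost
            too_late = self.server.response_delay + reply_latency > self.retry_timeout
            if attempt == self.max_attempts or not (dropped or too_late):
                return reply, attempt


def run_scenario(response_delay=2.0, reply_latency=0.1, first_reply_lost=False):
    """Run one login and return (outcome, attempts, server activity log)."""
    server = AuthServer(pins={"jdoe": "1234"}, response_delay=response_delay)
    agent = Agent(server)
    outcome, attempts = agent.login("jdoe", "1234", "583921", reply_latency, first_reply_lost)
    return outcome, attempts, server.activity_log


if __name__ == "__main__":
    print("healthy network:  ", run_scenario())
    print("reply lost:       ", run_scenario(first_reply_lost=True))
    print("response delay 7s:", run_scenario(response_delay=7.0))
```

In the healthy case the log shows one success and the user is admitted on the first attempt. When the first reply is dropped, or when the server's response delay exceeds the agent's retry timeout, the log shows the success followed by the reuse and bad tokencode messages, and the user receives Authentication Method Failed even though the passcode was typed only once, which is exactly the symptom set the article describes.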

To edit this value:
  1. Log in to the Security Console as a Super Admin.
  2. Navigate to Setup > System Settings > Agents.
  3. Edit the client response delay value. By default the value is set to two seconds.
  • Take a packet capture on the agent and on the RSA Authentication Manager server to confirm that packets are being received correctly on the network.
  • If the client response delay is correct, this is a network issue and not an issue with RSA Authentication Manager, so the network should be investigated.
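As an added triage aid (not RSA's code), the script below reads activity-log lines and, for every passcode reuse or bad tokencode message, checks whether the same user had an Authentication Method success within the previous minute. A match fits the lost-reply retry described in this article; a reuse message with no recent success for that user has no benign explanation in the log and deserves a closer look. The line format, the parse_line() helper and the sample lines are constructed for this example; adapt the parser to the real export format of the Authentication Activity Log.

```python
"""Added example (not RSA's code): triage of 'success then reuse' log pairs.
The log line format and sample lines are constructed for illustration."""
from datetime import datetime, timedelta

# Article: the reuse messages appear within one minute of the success.
WINDOW = timedelta(seconds=60)

# Message fragments taken from the article, matched case-insensitively.
REUSE_MARKERS = ("passcode reuse", "previous tokencode", "bad tokencode but good pin")

LOST_REPLY = ("success then reuse within window: probable lost reply / agent retry, "
              "check the network path and the client response delay")
NO_PRIOR_SUCCESS = "reuse with no recent success for this user: investigate"

# Constructed sample log (not a real RSA export): '<date> <time> <user> <message>'.
SAMPLE_LOG = """\
2018-05-26 09:15:02 jdoe Authentication Method success
2018-05-26 09:15:07 jdoe Previous tokencode detected
2018-05-26 09:15:07 jdoe Bad Tokencode but good PIN detected
2018-05-26 09:15:08 jdoe Authentication Method Failed
2018-05-26 09:40:11 asmith Authentication Method success
2018-05-26 11:02:44 bwayne Passcode reuse detected
2018-05-26 11:30:00 asmith Passcode reuse detected
"""


def parse_line(line):
    """Split one constructed log line into (timestamp, user, message)."""
    date, time, user, message = line.split(" ", 3)
    return datetime.fromisoformat(f"{date} {time}"), user, message


def triage(log_text):
    """Return a list of (timestamp, user, message, verdict), one per reuse message."""
    last_success = {}   # user -> timestamp of that user's most recent success
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, user, msg = parse_line(line)
        low = msg.lower()
        if "authentication method success" in low:
            last_success[user] = ts
        elif any(marker in low for marker in REUSE_MARKERS):
            prev = last_success.get(user)
            if prev is not None and timedelta(0) <= ts - prev <= WINDOW:
                verdict = LOST_REPLY
            else:
                verdict = NO_PRIOR_SUCCESS
            findings.append((ts, user, msg, verdict))
    return findings


if __name__ == "__main__":
    for ts, user, msg, verdict in triage(SAMPLE_LOG):
        print(f"{ts} {user:8} {msg!r}: {verdict}")
```

The verdict is a triage hint, not proof: a genuine replay within a minute of a real success would also land in the first bucket, which is why the article's packet capture on both the agent and the server remains the confirming check.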
Legacy Article ID: a60212