How to configure an RSA Authentication Manager 8.1 server to accept a system-generated PIN when a token is in new PIN mode when a user authenticates from a RADIUS client
3 years ago
Originally Published: 2016-03-07
Article Number
000056562
Applies To
RSA Product Set: SecurID
RSA Product/Service Type: Authentication Manager
RSA Version/Condition: 8.1, 7.1
Issue
1.  When a user whose token is in new PIN mode authenticates from a RADIUS client, the authentication fails with the messages below in the real-time authentication activity monitor:
  • New PIN cancelled for user and request originated from agent messages when authenticating.
  • "New PIN cancelled for user" and "request originated from agent"
  • Real time authentication activity report has an entry in the Description column of "New PIN cancelled for user "<user name>". Request originated from agent "<agent_FQDN>" with IP address "<IP_address>" in security domain "<security_domain>"
  • Real time authentication activity report has an entry in the Reason column as: N/A

2.  The Authentication Manager token policy is configured to require a system-generated PIN (Authentication > Policies > Token Policies > Manage Existing).
User-added image

3.  If the Authentication Manager SecurID PIN format is configured for user-generated PINs in the RSA token policy, the issue is not seen.
4.  The user successfully authenticates from the RADIUS client with the user-generated PIN.
Resolution
To allow system-generated PINs, follow the steps below:

1.  Login to the Operations Console on the RSA Authentication Manager instance hosting the RADIUS server.
2.  Click Deployment Configuration > RADIUS Servers.
3.  If prompted, enter the Super Admin user ID and password, and click OK.
4.  Select the RADIUS server hosted on this instance, and select Manage Server Files from the context menu.
User-added image

5.  Select securid.ini and click Edit.
User-added image
6.  Navigate to the SecurID General options section in the file.
User-added image

7.  Change ;AllowSystemPins = 0 to AllowSystemPins = 1 (Remove the ";" to uncomment the line and change the value from 0 to 1)
8.  When done, click Save and Restart RADIUS Server.
9.  The user will now be able to successfully authenticates from the RADIUS client with the system-generated PIN.

 
Notes
  • Changes made to the securid.ini file on one RADIUS server are not automatically replicated to other RADIUS servers in the deployment.  You must manually edit the securid.ini files of each RADIUS replica server in the deployment.
  • For more information on the securid.ini file, see page 30 of the RSA Authentication Manager 8.1 RADIUS Reference Guide.

Related Articles

Trending Articles

Don't see what you're looking for?