RSA Product Set: SecurID
RSA Product/Service Type: RSA MFA Agent 2.x
RSA Version/Condition: 2.x

 

After enabling the Offline Authentication policy in RSA Authentication Manager 8.x, the RSA MFA Agent 2.x does not download or update the configured offline authentication days on the Windows endpoint. As a result, users are unable to authenticate while the machine is offline, despite offline authentication being enabled and the appropriate policy correctly assigned.

• The Authentication Activity Monitor displays the following error message:

 Offline Authentication Data Download Failed

• The Associated Activity Key and Description are:

Offline Authentication data download requested by user <user ID> from agent <agent name> using token <token serial number> failed with error message: “Failed to send day data.”

• Additionally, on the Windows machine where the MFA Agent is installed, the C:\ProgramData\RSA\OfflineData folder is not created or populated, even when Offline Authentication is expected to be enabled through Group Policy.

• The Minimum Passcode Length configured in Authentication Manager does not match the value specified in the Offline Authentication Policy.
• The appropriate authenticators are not selected in the Offline Authentication Policy.
• The appropriate code types are not selected in the Offline Authentication Policy.

To resolve this issue, verify and update the Offline Authentication Policy settings as follows:

1. Login to the RSA Authentication Manager 8.x primary server’s Security Console as a super admin user.
2. Select Authentication > Policies > Offline Authentication Policy > Manage Existing.
3. Determine if the Offline Authentication Policy which has been selected is the default policy.
4. Edit the default policy by clicking on the drop down next to the policy and clicking Edit.
5. Under Offline Authentication Security Settings, select the following options:
   1. Set the Minimum Passcode Length to 8 characters in length.
   2. Under Allow Offline Authentication Using, select the following options
      1. PINPad or Software Token
      2. PIN-less Token (doesn't require SecurID PIN)
6. Under Offline Emergency Codes, ensure to select the below options in the Code Types:
   1. Offline Emergency Tokencodes
   2. Offline Emergency Passcodes
7. Other settings can be left as the defaults or modified based on the requirement.
8. Click Save.
9. Try to authenticate and the offline days will download successfully

Verification:

After updating the Offline Authentication Policy and performing a successful online authentication, verify that offline authentication data has been downloaded correctly:

• On the Windows endpoint where the RSA MFA Agent is installed, navigate to: 

C:\ProgramData\RSA\

• Confirm that the OfflineData folder has been created and contains offline authentication files.
• Open the Authentication Activity Monitor in RSA Authentication Manager and verify that no new "Offline Authentication Data Download Failed" events are generated for the affected user.
• Review the user's recent authentication activity and confirm that the offline data download completed successfully.
• Disconnect the endpoint from the network and perform a test offline authentication using the configured offline authentication method.
• Verify that the user can successfully log in while offline and that the configured number of offline authentication days is available on the endpoint.

Security Console:

You need an offline policy that allows users to download offline days (Authentication > Policies > Offline Authentication Policies > Add New | Manage Existing)
 

If you configure a minimum passcode length greater than 8 digits and are using PINPad-style software tokens (where the PIN is combined with the tokencode inside the RSA SecurID software token app), you may run into an issue if PINPad mode is not enabled. In that case, users will not be able to create passcodes longer than 8 digits, and authentication will fail because the system will never accept a passcode exceeding 8 digits. 

You should also confirm that the correct “good” policy is assigned to the user who is unable to download offline days.

Verification:

1. Go to Identity > Users > Manage Existing.
2. Locate the user, then right-click their account to view the available options and review the applied policy settings.

3. Please verify that the intended offline policy is actually assigned to the user. In some cases, the policy is configured at the top-level security domain, while the user belongs to a subdomain where a different policy is applied, which may override or prevent the expected behavior.