Restricted Authentication Agents Attributes Question
Our organization shut down a website that was used not only to Auth users with PINs and Tokens to gain access to it, but also to set up new users' PINs for Tokens for those that do not have a company laptop with Cisco AnyConnect installed.
We use RSA on some internal servers that can be reached by some third parties outside of our organization whom I usually direct to that public website to set their PIN, then they can reach our server and gain access.
I was wondering whether, when these third party users hit our Restricted Agent Server's RSA prompt, they could set their PIN there?
When I look at the differences between our public site Restricted Agent (which prompts to set the PIN) and our internal Restricted Agents that the third party can get to, the only difference I see is the "Type".
Web Agent vs Standard Agent
I'm just wondering if it's possible for the Standard Agent to prompt for PIN setting like the Web Agent does.
Any standard agent should be able to handle taking the user through New PIN mode. If the token is in new PIN mode, the end-user enters their tokencode and the server challenges them to provide a new PIN and re-enter the PIN. At this point, the user should have had their PIN accepted. The user is then required to perform a complete authentication using their PIN prior to being granted access. All "RSA Ready" agent implementations are capable of completing this exchange.
This can require some education for users. For example, the user enters a PIN of all zeros to get the tokencode for "Add PIN" tokens (i.e. software tokens). For hardware tokens, they simply enter the number being displayed on the token.
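The New PIN mode exchange described in the answer above, modelled as an added example that is not part of the original thread and is not RSA's API. The names `ToyServer`, `Reply` and `agent_login` are hypothetical, the tokencode is a constructed fixed value, and the PIN-followed-by-tokencode passcode layout and the handling of a mismatched PIN are assumptions.

```python
import hmac
from enum import Enum, auto

class Reply(Enum):
    NEW_PIN_REQUIRED = auto()
    PIN_ACCEPTED = auto()
    PIN_REJECTED = auto()
    ACCESS_GRANTED = auto()
    ACCESS_DENIED = auto()

class ToyServer:
    """Hypothetical server-side state for one token (not RSA's API)."""
    def __init__(self, tokencode):
        self.tokencode = tokencode   # constructed value; a real one rotates
        self.pin = None              # None = token is in New PIN mode
        self.awaiting_pin = False

    def authenticate(self, passcode):
        if self.pin is None:
            # New PIN mode: the user submits the tokencode only.
            if hmac.compare_digest(passcode, self.tokencode):
                self.awaiting_pin = True
                return Reply.NEW_PIN_REQUIRED
            return Reply.ACCESS_DENIED
        # Assumption: passcode is the PIN followed by the tokencode.
        ok = hmac.compare_digest(passcode, self.pin + self.tokencode)
        return Reply.ACCESS_GRANTED if ok else Reply.ACCESS_DENIED

    def set_pin(self, new_pin, confirm_pin):
        # Assumption: a mismatch or empty PIN leaves the token in New PIN mode.
        if not self.awaiting_pin or not new_pin or new_pin != confirm_pin:
            return Reply.PIN_REJECTED
        self.pin, self.awaiting_pin = new_pin, False
        return Reply.PIN_ACCEPTED

def agent_login(server, read_input):
    """Agent side: True only after a complete PIN + tokencode authentication."""
    reply = server.authenticate(read_input("Passcode: "))
    if reply is Reply.NEW_PIN_REQUIRED:
        new_pin = read_input("New PIN: ")
        reply = server.set_pin(new_pin, read_input("Re-enter PIN: "))
        if reply is not Reply.PIN_ACCEPTED:
            return False
        # An accepted PIN is not access; a full authentication must follow.
        reply = server.authenticate(read_input("Passcode: "))
    return reply is Reply.ACCESS_GRANTED

if __name__ == "__main__":
    print(agent_login(ToyServer("123456"), input))
```

An agent that treats every reply other than an immediate grant as a failure never reaches the new PIN prompt, so the challenge branch in `agent_login` is the behaviour to check for.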