RSA PIN Change Self-Service Portal
We have historically used Citrix and RSA tokens to VPN into our network. We are decommissioning Citrix this year and moving to a Barracuda client VPN. All you have to do to connect is enter your RSA token into the VPN client, and it'll connect you. However, what if you are new and don't have a PIN? How do new users create a PIN for their newly assigned RSA token?
This led me to the self-service portal. Is it possible to meet this requirement with the self-service portal?
If so, I was hoping to connect the portal to AD for seamless logins. However, from what I read you have to use manually created users in the internal database. Is this true?
I've moved your question to the RSA SecurID Access space where it will be seen by the product's support engineers, other customers and partners. Please bookmark this page and use it when you have product-specific questions.
Barracuda should be able to handle the 3-way handshake when a user logs in with a tokencode and that token needs a pin, but doesn't have one yet, and the user can create a pin during the VPN login process, as the RSA server will ask the Barracuda to prompt the user for a pin. If not, the user can access the self-service console and do a passcode login, and the same pin setup can happen there. Typically when setting a new pin it goes like this: username and code from token, then it asks to set up a pin, then confirm pin, then it asks now enter next passcode. What this now means is wait for the token to change to a new code, and now enter the new pin followed by the new code on token.
Terminology we use: 'Tokencode' is the code from a token with no pin involved. 'Passcode' means pin combined with the code from a token. Most login prompts will ask for the passcode but the user should know if they don't have a pin yet, just enter the tokencode when needed, and a full passcode once there is a pin set.
Handheld tokens are always pin+tokencode displayed. Software tokens, if set up keyfob style, work the same way, but if software tokens are set up pin-pad style, then it works a bit differently. Pin-pad tokens always ask to enter a pin into the application; if there is no pin yet, just enter nothing, and it displays a tokencode. Log in with that code, and go through the pin setup. Now when the login asks for a passcode, you enter the pin into the software token app (not the login prompt) and the app will add the pin to the tokencode it would have displayed, and show you a passcode (and it will be the same number of digits as the tokencode). The pin is mathematically hidden inside the digits. Log in with that passcode.
To add to Edward Davis' great description of the PIN creation process, note a difference between hardware tokens and software tokens:
- Hardware tokens can have a PIN that starts with a zero; 01234567, for example.
- With software tokens, PINs cannot start with a leading zero.
Thank you for the detailed response!
Self-service portal works great.
The Barracuda VPN is close to working but unfortunately does not. It recognizes that a user does not have a PIN, and will prompt the user to create a PIN but doesn't actually set it. Any ideas?
You would need to provide the authentication activity logs in order for the SecurID team to troubleshoot your issue.
- From the Security Console, navigate to Reporting > Reports > Add New.
- Select the Authentication Activity Template and click Next. your report, following the wizard. Click Save when done.
- On the next page, click on the context arrow next to your report name and select Run Report Job Now.
- Click Run Report.
- On the Report Output page, click Completed. Your report should be listed there. If not, click Refresh List.
- Click on the context arrow next to the report and choose Download CSV file.
- Save the file locally and provide it to the engineer assigned to your case.