Unable to authenticate in new PIN mode
After upgrading from 8.5 to 8.6 and then 8.7, users are unable to authenticate in new PIN mode using Cisco AnyConnect. They input the tokencode, RSA responds by requesting a PIN, the AnyConnect client prompts for a PIN, and no matter what they input, RSA indicates invalid tokencode and the AnyConnect client goes back to requesting a tokencode. It initially started after the 8.5 to 8.6 upgrade, and to try to resolve it I also upgraded to 8.7. As a workaround we have the helpdesk logging in to the self service portal as the user and creating a PIN for the user. We have flushed the cache on each server in our deployment, replication is good, and it happens regardless of Windows, iPhone or Android token. Currently waiting on Patch1. Just wanted to see if anyone else has this problem or if we found something undiscovered.
Lots of questions:
- Are the AnyConnects using native SecurID or RADIUS?
- If you are using RADIUS, did you do the RADIUS migration precheck before upgrading to 8.6?
- Is verbose RADIUS logging enabled through the Operations Console (see steps below)?
- What are you seeing in the /opt/rsa/am/radius log files?
- What do your authentication activity logs report?
- Does RADIUS work through a test utility like NTRadPing? Note that NTRadPing does not work on tokens in New PIN Mode, so you may want to look at our article on how to set PINs and navigate Next Tokencode Mode for RSA SecurID Tokens using NTRadPing.
To enable verbose logging:
- From the Operations Console, select RADIUS > RADIUS Servers > Manage Existing.
- Click the down arrow next to the primary name, then tap the dropdown next to radiusd.conf and select Edit.
- Look for the entry for debug_level=0 and change it to debug_level=2. You can redo these steps after you are done with testing and change from 2 back to 0.
- Click Save and Restart RADIUS Server.
AnyConnect uses SecurID
Do use RADIUS elsewhere but not for this
Authentication Activity Logs report invalid tokencode when trying to create a PIN
Have been told that this issue will be resolved in Patch 1, so currently waiting