This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
Register Now
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results forĀ 
Search instead forĀ 
Did you mean:Ā 
Announcements

SecurID® Discussions

Browse the SecurID discussion board to get product help and collaborate with other SecurID users.
MuradWatson1
Contributor
Contributor
ā€Ž2022-09-28 02:53 PM

Unable to authenticate in new PIN mode

After upgrading from 8.5 to 8.6 and then 8.7, users are unable to authenticate in new PIN mode using Cisco AnyConnect. They input the tokencode, RSA responds by requesting a PIN, the AnyConnect client prompts for PIN and no matter what they input RSA indicates invalid tokencode and the AnyConnect client goes back to requesting a Token code. It initially started after the 8.5 to 8.6 upgrade and to try and resolve I also upgraded to 8.7. As a workaround we have the helpdesk logging in to the self service portal as the user and creating a PIN for the user. We have flushed the cache on each server in our deployment, replication is good, happens regardless of Windows, iPhone or Android token. Currently waiting on Patch1. Just wanted to see if anyone else has this problem or if we found something undiscovered. 

0 Likes
Reply
2 Replies
EricaChalfin
Moderator Moderator
Moderator
ā€Ž2022-09-28 07:12 PM

@MuradWatson1,

Lots of questions:

  • Are the AnyConnects using native SecurID or RADIUS?
  • If you are using RADIUS, did you do the RADIUS migration precheck before upgrading to 8.6?
  • Is verbose RADIUS logging enabled through the Operations Console (see steps below)?
  • What are you seeing in the in /opt/rsa/am/radius log files?
  • What do your authentication activity logs report?
  • Does RADIUS work through a test utility like NTRadPing? Note that NTRadPing does not work on token in New PIN Mode, so you may want to look at our article on how to set PINs and navigate Next Tokencode Mode for RSA SecurID Tokens using NTRadPing.

To enable verbose logging, 

  1. From the Operations Console, select RADIUS > RADIUS Servers > Manage Existing.
  2. Click the down arrow next to the primary name then tap the dropdown next to radiusd.conf and select Edit.
  3. Look for the entry for debug_level=0 and change it to debug_level=2. You can redo these steps after you are done with testing and change from 2 back to 0.
  4. Click Save and Restart RADIUS Server.

Best regards,
Erica
0 Likes
Reply
MuradWatson1
Contributor
Contributor
ā€Ž2022-10-03 12:26 PM

AnyConnect uses SecurID
Do use RADIUS elsewhere but not for this
Authentication Activity Logs report invalid tokencode when trying to create a PIN
Have been told that this issue will be resolved in Patch 1, so currently waiting

0 Likes
Reply
© 2023 RSA Security LLC or its affiliates. All rights reserved.