On the token policy page there is an option to Require System-generated PIN. This works when generating a new PIN through standard agents. However, when you try to set a new PIN over the RADIUS protocol, the following error appears in the Authentication Activity Monitor:
New PIN cancelled for user
For a RADIUS client, in addition to enabling the System-generated PIN option in the token policy, you also need to manually edit the securid.ini file and change the AllowSystemPins value to AllowSystemPins = 1.
You can edit this file from the Operations Console by navigating to Deployment Configuration > RADIUS Server, or you can edit /opt/rsa/am/radius/securid.ini via SSH.
From the UI
Log in to the primary Authentication Manager Operations Console.