This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
Register Now
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Announcements

SecurID® Knowledge Base

Find answers to your questions and identify resolutions for known issues with knowledge base articles written by SecurID experts.

Enable system-generated PINs for RADIUS in RSA Authentication Manager 8.x

Article Number

000032279

Applies To

RSA Product Set: SecurID
RSA Product/Service Type: Authentication Manager
RSA Version/Condition: 8.x

 

Issue

On the token policy page there is an option to Require System-generated PIN. This works when generating a new PIN through standard agents. However you will get the following error in the Authentication Activity Monitor when trying to set a new PIN with RADIUS protocol:
 
New PIN cancelled for user

Resolution

For a RADIUS client, in addition to enabling the System-generated PIN option in the token policy, you need also manually edit the securid.ini file and change the AllowSystemPins value to AllowSystemPins = 1.

You can edit this file from Operations Console by navigating to Deployment Configuration > RADIUS Server or you can edit /opt/rsa/am/radius/securid.ini via SSH. 

From the UI

  1. Login to the primary Authentication Manager Operations Console.
  2. Select Deployment Configuration > RADIUS Servers Edit RADIUS Server.
  3. Click the drop down arrow on the primary Authentication Manager server and choose Manage Server Files.
  4. Click on the drop down arrow next to the securid.ini file and choose Edit
  5. Look for AllowSystemPins = 0
  6. If the line is commented out with a semicolon, remove the semicolon.
  7. Change the 0 to a 1.
  8. When done, click Save & Restart RADIUS Server.  This restart allows the change to take effect.
  9. From the primary's Operations Console, repeat steps 1 - 8 for each replica.

From an SSH session

  1. Using 000038244 - SSH to an RSA Authentication Manager server, connect to the primary RSA Authentication Manager server.
  2. Login to the primary server:

login as: rsaadmin
Using keyboard-interactive authentication.
Password: <enter operating system password>
Last login: Wed Dec 18 16:39:41 2019 from jumphost.vcloud.local
RSA Authentication Manager Installation Directory: /opt/rsa/am
  1. Navigate to /opt/rsa/am/radius/securid.ini.
  2. Open the securid.ini file in a text editor:

rsaadmin@am84p:/opt/rsa/am/utils> cd /opt/rsa/am/radius
rsaadmin@am84p:/opt/rsa/am/radius> vi securid.ini
  1. Search for the text of AllowSystemPins = 0
  2. Press i to enter Insert mode.
  3. If the line is commented out with a semicolon, remove the semicolon.
  4. Change the 0 to a 1.
  5. Press Esc then type :wq! to save changes and close the file.
  6. Navigate to /opt/rsa/am/server:

rsaadmin@am84p:/opt/rsa/am/utils> cd /opt/rsa/am/server
  1. Restart the RADIUS server for the change to take effect:

rsaadmin@am84p:/opt/rsa/am/server> ./rsaserv restart radius
  1. Open an SSH session to each replica and repeat steps 1 - 8.
0 Likes
Was this article helpful? Yes No
No ratings

In this article

Version history
Last update:
‎2021-04-23 09:51 AM
Updated by:
Administrator Administrator

Related Content

© 2023 RSA Security LLC or its affiliates. All rights reserved.