This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
Register Now
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Announcements

SecurID® Knowledge Base

Find answers to your questions and identify resolutions for known issues with knowledge base articles written by SecurID experts.

Explanation of successful authentication followed by passcode reuse and bad tokencode messages in RSA Authentication Manager authentication activity log

Article Number

000011731

Applies To

RSA Product Set: SecurID
RSA Product/Service Type: Authentication Manager

Issue

This article provides an explanation of why a user would get a successful authentication followed by passcode reuse and bad tokencode messages in the authentication activity log.
  • Authentication Method success for user is seen
  • A short time after the successful authentication (within one minute) messages are seen for passcode reuse or previous tokencode detected for the same user.
  • A short time after the successful authentication the message Bad Tokencode but good PIN detected is shown for the token assigned to this user.
  • The user has not entered the same PIN and tokencode multiple times to authenticate.
  • The user sees the message Authentication Method Failed and the user is denied access.
  • User authentication is denied.
  • In Authentication Activity Log the following log messages are seen.
  • User has not entered the same PIN and tokencode multiple times to authenticate.

Cause

The following sequence of events explains why the user access is denied:
  1. The user enters the correct username and passcode on the authentication agent or RADIUS client.
  2. The authentication agent or RADIUS client sends this information to Authentication Manager server A.
  3. Authentication Manager server A sees the packet and responds back to the agent with Authentication Success.
  4. The Authentication Activity Log shows authentication success for this user.
  5. Authentication Agent A never receives this reply packet, or it does not receive the packet before the timeout for the next authentication try. For example, if the agent retries communication every five seconds, then if the response has not arrived within five seconds, then the next authentication attempt will occur.
  6. As the agent never receives the reply, it then makes another request which goes to either the same server or a different server.
  7. The Authentication Manager responds to the request. As the passcode has already been used, the second authentication request is denied. The failure messages are written in the log.
  8. The agent receives the access denied reply packet.

If the client response delay is set to a large number (>6) the same behavior may happen, as the client may timeout and resend the authentication request, while the RSA server still waiting due to increasing the response delay.

 
To edit this value:
  1. Login the Security Console as a super admin.
  2. Navigate to Setup > System Settings  > Agents.
  3. Edit the client response delay value.  By default the value is set to two seconds.

Resolution

  • Take a packet capture on the agent and on the RSA Authentication Manager server to confirm that packets are correctly being received on the network.
  • This is a network issue and not an issue with RSA Authentication Manager if the client response delay is correct and so the network issues should be investigated.
0 Likes
Was this article helpful? Yes No
No ratings

In this article

Version history
Last update:
‎2020-12-12 08:54 PM
Updated by:
Administrator Administrator

Related Content

© 2023 RSA Security LLC or its affiliates. All rights reserved.