1. When a user whose token is in new PIN mode authenticates from a RADIUS client, the authentication fails with the messages below in the real-time authentication activity monitor:
New PIN cancelled for user and request originated from agent messages when authenticating.
"New PIN cancelled for user" and "request originated from agent"
Real time authentication activity report has an entry in the Description column of "New PIN cancelled for user "<user name>". Request originated from agent "<agent_FQDN>" with IP address "<IP_address>" in security domain "<security_domain>"
Real time authentication activity report has an entry in the Reason column as: N/A
2. The Authentication Manager token policy is configured to require a system-generated PIN (Authentication > Policies > Token Policies > Manage Existing). Image description
3. If the Authentication Manager SecurID PIN format is configured for user-generated PINs in the RSA token policy, the issue is not seen. 4. The user successfully authenticates from the RADIUS client with the user-generated PIN.
To allow system-generated PINs, follow the steps below:
1. Login to the Operations Console on the RSA Authentication Manager instance hosting the RADIUS server. 2. Click Deployment Configuration > RADIUS Servers. 3. If prompted, enter the Super Admin user ID and password, and click OK. 4. Select the RADIUS server hosted on this instance, and select Manage Server Files from the context menu. Image description
5. Select securid.ini and click Edit. Image description 6. Navigate to the SecurID General options section in the file. Image description
7. Change ;AllowSystemPins = 0 to AllowSystemPins = 1 (Remove the ";" to uncomment the line and change the value from 0 to 1) 8. When done, click Save and Restart RADIUS Server. 9. The user will now be able to successfully authenticates from the RADIUS client with the system-generated PIN.
Changes made to the securid.ini file on one RADIUS server are not automatically replicated to other RADIUS servers in the deployment. You must manually edit the securid.ini files of each RADIUS replica server in the deployment.