New PIN Mode and Next Tokencode Mode always result in a failure when using Cisco clients after the recent upgrade to ASA 9.1.7. After the upgrade:
- Users are unable to set PINs for tokens.
- Authentication fails when the next tokencode is entered.
The error shows on the Authentication Manager real-time activity monitor as follows:
Passcode format error and authentication failure
On the Cisco client, the error is:
Session operation failure processing request from agent
This is Cisco bug CSCuy89425 (AAA: RSA/SDI unable to set new PIN), and it occurs with the RSA SecurID_Native protocol.
Possible workarounds include:
- Switch to the RADIUS protocol (as per the RSA SecurID Access Implementation Guide for the Cisco Adaptive Security Appliance (ASA)).
- Authenticate from the Self-Service Console when a token is in New PIN Mode or Next Tokencode Mode.
For more details on how to resolve the issue for a Cisco VPN client or iPhone, review the documentation for CSCuy89425 (AAA: RSA/SDI unable to set new PIN).