Hello,

we are trying to setup the PIN authentication on RSA Authentication Manager 8.6

Authentication via username/password works but when PIN authentication is enabled, clients are not able to set the PIN via VPN.
VPN client is SonicWall NetExtender and when the client is prompted to setup the new PIN the client displays the error "Login failed/Incorrect username/password" while the RADIUS logs shows "Login incorrect".

Now, we made a packet capture of the traffic between the firewall and the radius server:
- radius sends the packet to ask the client to create the new PIN

the answer to that packet is

and then the radius server sends the authentication failure.

The State field is used to assign the RADIUS transactions and must match the State field of the previous access challenge exactly for the 2nd access request: https://community.rsa.com/t5/securid-access-knowledge-base/how-to-set-pins-and-navigate-next-tokencode-mode-for-rsa-securid/ta-p/7280 This is not the case with us, apparently the VPN client cuts off here after 66 bytes.

My question is: when the new PIN is set what the Radius server excepts to receive from the client?
I have already addressed the issue to SonicWall but I would like to know what Radius needs when the new PIN is set.
Also, is there a way to get more logs from the radius server regarding this issue?

Thank you.

Fab