We are running securid v8.2 Sp1 Patch 3 and Windows agents 7.3.3. We are using challenge groups in AD to identify RSA users with tokens, but we need to identify any user that is trying to authenticate to the servers that does not have a token or is not a member of the challenge groups. Where is this information located and how do we access it?
In both the local Windows Event logs and if you configure verbose logging for the agent 
the trace.log should show who was challenged and who was not.
What Jay said. Enable logging. Then log in with a challenged user, and non challenged user.
You will see (in one of the logs) where the agent logic is checking to see if user is challenged or not
some things to look at/look for...
SIDAuthenticator(LogonUI).log
SIDCredentialProvider(LogonUI).log
some words to look for
challengeGroup is: .\Remote Desktop Users
userLocation: USER_NOT_IN_GROUP
getChallengeType has determined that the user is challenged.
The Challenge Mode policy is ChallengeAllExcept
challengeType = DO_NOT_CHALLENGE_USER
getChallengeType has determined that the user is not challenged.
look for userid's that correspond to challenge or no challenge
In both the local Windows Event logs and if you configure verbose logging for the agent
the trace.log should show who was challenged and who was not.