
Certain users can't authenticate using MFA tokens

Question asked by alex fray on Aug 16, 2018
Latest reply on Aug 16, 2018 by Ted Barbour

We have an RSA SecurID environment consisting of two RSA Authentication Manager (AM) 8.2.1 VMs (Primary and Replica) and we utilize the RSA Cloud Service, so we also have two Identity Routers (IDRs).

Users use a mix of RSA SecurID physical tokens and the new MFA tokens. Users log on to existing remote access services via Authentication Manager, and to new remote access services via the IDRs/Cloud Service. We have just started pushing people to use their smartphone and MFA tokens to reduce the number of physical tokens. We have integrated AM and IDR to provide backward and forward compatibility, which works fine. We recently rolled out 200 MFA tokens to users whose physical tokens were expiring. 95% of users have had no issue registering the RSA SecurID Authenticate app with our company and authenticating to the existing or new remote access services with the MFA token (using the tokencode method). However, we have a few users who have registered successfully but can't authenticate to an existing remote access service (via AM).

The flow is: User to RADIUS Client, RADIUS Client to RSA Authentication Manager, AM to IDR to authenticate the MFA token. However, RSA Authentication Manager just says "Authenticated Method Failed". The user has an MFA token assigned to their AM profile, because the majority of users registered and logged on to the existing remote access service before their physical token expired. Users who didn't were manually assigned an MFA token via the AM CLI.

The users with issues are not locked out in Active Directory and have an MFA token assigned. I have tried asking the user to delete the RSA SecurID Authenticate app and re-enrol, or just to delete the company within the app. I have tried assigning them a new physical token to see if it was because they registered after their physical token expired; no change. The problem is that the error has no details and the majority of users work fine. The fix to date has been to provide these few users with physical tokens, but we are looking to move away from physical tokens to MFA tokens, so we need to resolve the underlying issue.


Any ideas?
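One way to isolate which hop in the flow above (User to RADIUS client, RADIUS client to AM, AM to IDR) is rejecting the passcode is to take the remote access service out of the picture and send a minimal RFC 2865 Access-Request straight to the AM RADIUS server for one of the affected users. The script below is an added example, not code from the original post or from RSA; it implements the RADIUS User-Password hiding and Response Authenticator check from RFC 2865 with only the Python standard library, so it runs offline. The host name, shared secret, NAS-Identifier and port (1812) are assumptions for illustration and must be replaced with the values configured for a RADIUS client on the AM server; nothing here says why the affected users fail, it only lets you reproduce the Accept/Reject/Challenge result without the VPN in the path.

```python
"""Minimal RFC 2865 RADIUS test client (added example, not RSA's code).

Use: send one Access-Request carrying a SecurID passcode to an RSA
Authentication Manager RADIUS server and report Accept / Reject /
Challenge, so a failing user can be tested without the remote access
service in the path. Host, secret and NAS-Identifier are assumptions.
"""
import hashlib
import os
import socket
import struct

# RADIUS packet codes (RFC 2865)
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE = 1, 2, 3, 11
# Attribute types used here
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_REPLY_MESSAGE, ATTR_NAS_IDENTIFIER = 1, 2, 18, 32
CODE_NAMES = {ACCESS_ACCEPT: "Access-Accept", ACCESS_REJECT: "Access-Reject",
              ACCESS_CHALLENGE: "Access-Challenge"}


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 s5.2: pad to 16-byte blocks, XOR each with MD5(secret + prev)."""
    padded = password + b"\x00" * (-len(password) % 16) if password else b"\x00" * 16
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += prev
    return out


def reveal_password(cipher: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of hide_password; used to confirm the encoding on the client side."""
    out, prev = b"", authenticator
    for i in range(0, len(cipher), 16):
        key = hashlib.md5(secret + prev).digest()
        block = cipher[i:i + 16]
        out += bytes(a ^ b for a, b in zip(block, key))
        prev = block
    return out.rstrip(b"\x00")


def pack_attributes(attrs: dict) -> bytes:
    """Type-Length-Value encoding; Length includes the 2 header bytes."""
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs.items())


def parse_attributes(data: bytes) -> dict:
    attrs, pos = {}, 0
    while pos + 2 <= len(data):
        t, length = data[pos], data[pos + 1]
        if length < 2 or pos + length > len(data):
            break  # malformed attribute; stop rather than loop forever
        attrs[t] = data[pos + 2:pos + length]
        pos += length
    return attrs


def build_access_request(identifier: int, username: str, passcode: str, secret: bytes,
                         nas_id: str, authenticator: bytes = None) -> tuple:
    """Returns (packet, request_authenticator). Passcode = PIN+tokencode or app tokencode."""
    authenticator = authenticator or os.urandom(16)
    attrs = pack_attributes({
        ATTR_USER_NAME: username.encode(),
        ATTR_USER_PASSWORD: hide_password(passcode.encode(), secret, authenticator),
        ATTR_NAS_IDENTIFIER: nas_id.encode(),
    })
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs))
    return header + authenticator + attrs, authenticator


def build_response(code: int, identifier: int, request_auth: bytes, attrs: dict, secret: bytes) -> bytes:
    """Server side: ResponseAuth = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)."""
    body = pack_attributes(attrs)
    header = struct.pack("!BBH", code, identifier, 20 + len(body))
    return header + hashlib.md5(header + request_auth + body + secret).digest() + body


def verify_response(packet: bytes, request_auth: bytes, secret: bytes) -> bool:
    """Reject spoofed replies: recompute the Response Authenticator."""
    if len(packet) < 20:
        return False
    length = struct.unpack("!H", packet[2:4])[0]
    expected = hashlib.md5(packet[:4] + request_auth + packet[20:length] + secret).digest()
    return expected == packet[4:20]


def interpret_response(packet: bytes, request_auth: bytes, secret: bytes) -> dict:
    """Summarise a reply: code name, validity, and any Reply-Message text from AM."""
    valid = verify_response(packet, request_auth, secret)
    code, identifier = packet[0], packet[1]
    attrs = parse_attributes(packet[20:])
    return {"code": CODE_NAMES.get(code, str(code)), "identifier": identifier,
            "authenticator_ok": valid,
            "reply_message": attrs.get(ATTR_REPLY_MESSAGE, b"").decode(errors="replace")}


def send_access_request(host: str, username: str, passcode: str, secret: bytes,
                        nas_id: str = "radius-test", port: int = 1812, timeout: float = 10.0) -> dict:
    """Send one request over UDP and interpret the reply (AM may take a few seconds via IDR)."""
    packet, request_auth = build_access_request(os.urandom(1)[0], username, passcode, secret, nas_id)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(packet, (host, port))
        reply, _ = sock.recvfrom(4096)
    return interpret_response(reply, request_auth, secret)


if __name__ == "__main__":
    import getpass, sys  # usage: python radius_test.py am-primary.example.com alice
    host, user = sys.argv[1], sys.argv[2]
    print(send_access_request(host, user, getpass.getpass("Passcode: "),
                              getpass.getpass("Shared secret: ").encode()))
```

Run it against the Primary and then the Replica for a working user and a failing user from the same host, with the same RADIUS client entry. A Reject for the failing user reproduces the problem without the VPN, and the Reply-Message (if AM sends one) plus the Authentication Activity Monitor entry timestamped to the request pin the failure to AM's handling of the assigned token rather than to the remote access service; an Access-Challenge means AM wants a second factor step (for example a next-tokencode or new-PIN prompt) that the remote access client may not be displaying.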
