Manage User Authentication Settings

User authentication settings allow you to create exceptions to authentication policies for individual users. These settings also allow you to troubleshoot user authentication issues.

Before you begin

You must have a restricted or unrestricted agent. If you plan to configure a logon alias, the user must belong to a user group that has access to a restricted agent or has been enabled on an unrestricted agent.

Procedure

  1. In the Security Console, click Identity > Users > Manage Existing.

  2. Use the search fields to find the user that you want to manage.

  3. From the search results, click the user that you want to manage.

  4. From the context menu, click Authentication Settings.

  5. If you want to assign a fixed passcode to the user, select the Fixed Passcode checkbox.

    RSA recommends that you do not use fixed passcodes because they eliminate all the advantages of two-factor authentication.

  6. Select the Clear Incorrect Passcodes checkbox to clear any incorrect passcodes. The count of incorrect passcodes is reset, and the user is not prompted for the next tokencode. The system also clears this count automatically with each correct passcode. However, if the user continues to enter incorrect passcodes and exceeds the number of failed logon attempts allowed by the lockout policy, the user is locked out of the system.

    This operation only clears the existing count. To clear future counts, you must perform the procedure again.

  7. Select Clear cached copy of selected user's Windows credential to clear a cached version of a user's password.

    If your deployment uses SecurID for Windows, Authentication Manager saves a cached version of the user’s Windows logon password. You may need to clear this cached copy if the Windows password has been changed in Active Directory.

  8. If you want to assign a default shell to the user, enter it in the Default Shell field.

  9. To configure a logon alias for the user:

    1. Select whether you want to allow users to use their own User IDs and the alias.

      You can use this option to prevent a conflict between users who share the same default User IDs.

    2. Select the user group to which you want to assign the alias.

    3. In the User ID field, enter the User ID that you want to assign to the alias. In the Shell field, enter the shell that you want assigned to the alias. If you are using RADIUS, from the RADIUS Profile drop-down menu, select the RADIUS profile to assign to the alias. Click Add.

  10. If you use RADIUS, select the RADIUS profile and RADIUS user attributes to assign to the user:

    1. From the User RADIUS Profile drop-down menu, select a RADIUS profile to assign to the user.

      If you set up logon aliases for the user and you do not specify a RADIUS profile for each alias in step 9, Authentication Manager assigns the user RADIUS profile to each alias.

    2. In RADIUS User Attributes, select the attribute that you want to assign to the user, enter the value for the attribute in the Value field, and click Add. RADIUS user attributes take precedence over attributes in a RADIUS profile.

      A RADIUS user attribute can be mapped to an identity source attribute. For more information, see Map a RADIUS User Attribute Definition to an Identity Source Attribute.

  11. Click Save.
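
The following added example (not RSA code, and not part of the original procedure) models the RADIUS rules in steps 9 and 10, so you can check which attributes each logon identity ends up with and where each value came from. The profile names, attribute values, and record layout are constructed. It assumes that RADIUS user attributes also override a profile assigned directly to an alias.

```python
# Added example: models the RADIUS precedence rules from steps 9 and 10.
# All profile names, attribute values and the record layout are constructed.

# Constructed RADIUS profiles: profile name -> attributes the profile returns.
PROFILES = {
    "staff-vpn": {"Session-Timeout": "3600", "Filter-Id": "staff"},
    "admin-shell": {"Session-Timeout": "900", "Filter-Id": "admins"},
}

# Constructed user record mirroring the fields on the Authentication Settings page.
USER = {
    "user_id": "jdoe",
    "radius_profile": "staff-vpn",                      # User RADIUS Profile (step 10.1)
    "radius_attributes": {"Session-Timeout": "1800"},   # RADIUS User Attributes (step 10.2)
    "aliases": [
        {"user_id": "root", "radius_profile": "admin-shell"},
        {"user_id": "oracle", "radius_profile": None},  # no profile chosen in step 9
    ],
}


def effective_radius(user, profiles):
    """Return {logon_id: {attribute: (value, source)}} for the user and each alias."""
    identities = [{"user_id": user["user_id"],
                   "radius_profile": user["radius_profile"]}]
    identities += user["aliases"]
    result = {}
    for ident in identities:
        # An alias without its own profile is assigned the user RADIUS profile.
        name = ident["radius_profile"] or user["radius_profile"]
        attrs = {}
        if name is not None:
            for key, value in profiles[name].items():
                attrs[key] = (value, "profile:" + name)
        # RADIUS user attributes take precedence over profile attributes.
        # Assumption: this also holds for a profile set directly on an alias.
        for key, value in user["radius_attributes"].items():
            attrs[key] = (value, "user-attribute")
        result[ident["user_id"]] = attrs
    return result


if __name__ == "__main__":
    for logon_id, attrs in effective_radius(USER, PROFILES).items():
        for key, (value, source) in sorted(attrs.items()):
            print(f"{logon_id:8} {key:16} {value:6} from {source}")
```
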