Next Token Mode when using RSA with CA PAM

Document ID : KB000006292
Last Modified Date : 14/02/2018
Issue:

When logging in with RSA it is possible to provide an invalid token. This is more likely to happen if you are manually copying the token from a fob, but it could also happen if the token somehow becomes out of sync with the RSA server. After enough consecutive bad tokens, the RSA server will put the token into "Next Token" mode. When this happens, the next time you provide a good token you will be prompted to enter the next token as well.

Resolution:

This document will demonstrate the behavior of the RSA server and PAM with regard to "Next Token" mode. To start with, you can see that the number of bad tokens after which this mode is entered is configurable.

TokenPolicies2.PNG

You can see the Token Status on the entry for the token, and that the token is active.

TokenStatus.PNG

Perform enough failed logins to match the number in your policy, each one consisting of a good PIN and a bad token. In this example the number was three.

FailedRSALogin.PNG

The Session Log on CA PAM is not very helpful here. It only shows the same error that appears in red, above. The RSA Authentication Monitor is very helpful for such situations. If you start it before you perform your test, you will see messages like those below. We can see that the RSA server received a good PIN each time, but the token was bad. With the third bad token, the RSA server switched this token to "Next Token" mode.

NextTokenRequired.PNG

Once in this mode, you will be prompted to enter the next token as well, after you have provided a good PIN and token for your RSA login.

GoodRSALogin.PNG

NextTokenPrompt.PNG

Wait for the token code to change on your token fob or soft token and enter the new code in this field. This confirms that your token and the RSA server are in sync, and you will be given access to PAM. You will also be able to see that the token is back in the active state on the RSA server.
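The following is an added simulation of the server-side behavior described in this article; it is not code from RSA or CA PAM. It models the token policy as a simple state machine: after a configurable number of consecutive logins with a good PIN and a bad tokencode, the token is switched to "Next Token" mode, and the next successful PIN and tokencode must be followed by the tokencode that the fob displays next before the token returns to the active state. Real SecurID tokencodes are time-based and the server tolerates some clock drift; this example assumes a pre-generated, constructed sequence of codes instead, so that the logic is easy to follow and test.

```python
"""Simplified model of RSA-style "Next Token" handling (added example, not vendor code)."""
from dataclasses import dataclass, field
from typing import List, Optional

# Token status values, as shown on the token's entry in the RSA server.
ACTIVE = "active"
NEXT_TOKEN = "next_token_required"

# Authentication outcomes returned to the caller (the PAM login flow in the article).
OK = "OK"
DENIED = "DENIED"
NEXT_TOKEN_REQUIRED = "NEXT_TOKEN_REQUIRED"


@dataclass
class TokenRecord:
    """Server-side record for one token (constructed example data)."""
    pin: str
    codes: List[str]            # the sequence of codes the fob will display, in order
    bad_token_limit: int = 3    # policy value from the article's example
    status: str = ACTIVE
    consecutive_bad: int = 0    # good-PIN / bad-token attempts since the last success
    position: int = 0           # index of the code the fob is currently showing
    pending_next: Optional[int] = None  # index of the code we expect as "next token"

    def current_code(self) -> str:
        return self.codes[self.position]

    def advance(self) -> None:
        """Simulate the fob rolling over to its next tokencode."""
        self.position += 1


class Authenticator:
    """Evaluates login attempts and keeps a log like the RSA Authentication Monitor."""

    def __init__(self, record: TokenRecord):
        self.record = record
        self.log: List[str] = []

    def login(self, pin: str, tokencode: str) -> str:
        r = self.record
        if pin != r.pin:
            # Assumption: PIN failures are logged but do not count toward Next Token mode.
            self.log.append("bad PIN")
            return DENIED
        if tokencode != r.current_code():
            r.consecutive_bad += 1
            self.log.append(f"good PIN, bad token (attempt {r.consecutive_bad})")
            if r.status == ACTIVE and r.consecutive_bad >= r.bad_token_limit:
                r.status = NEXT_TOKEN
                self.log.append("token switched to Next Token mode")
            return DENIED
        if r.status == NEXT_TOKEN:
            # Good PIN and token, but the token is suspect: ask for the following code.
            r.pending_next = r.position + 1
            self.log.append("good PIN and token, next tokencode required")
            return NEXT_TOKEN_REQUIRED
        r.consecutive_bad = 0
        self.log.append("login OK")
        return OK

    def submit_next_token(self, tokencode: str) -> str:
        """Second prompt: the code displayed after the one that was just accepted."""
        r = self.record
        if r.pending_next is None:
            self.log.append("unexpected next-token submission")
            return DENIED
        expected = r.codes[r.pending_next]
        r.pending_next = None
        if tokencode != expected:
            self.log.append("next tokencode did not match; access denied")
            return DENIED
        r.status = ACTIVE
        r.consecutive_bad = 0
        self.log.append("next tokencode matched; token back to active")
        return OK


def demo() -> List[str]:
    """Replay the article's scenario and return the outcome of each step."""
    record = TokenRecord(pin="1234", codes=["111111", "222222", "333333"])  # constructed
    auth = Authenticator(record)
    results = []
    for _ in range(3):                       # three good-PIN / bad-token logins
        results.append(auth.login("1234", "000000"))
    results.append(record.status)            # now "next_token_required"
    results.append(auth.login("1234", record.current_code()))  # good login, extra prompt
    record.advance()                         # wait for the fob to show the next code
    results.append(auth.submit_next_token(record.current_code()))
    results.append(record.status)            # back to "active"
    return results


if __name__ == "__main__":
    for step in demo():
        print(step)
```

Running the module replays the article's sequence: three denials, a status of next_token_required, a successful login that is answered with a next-token prompt, and a return to active once the following code is supplied. A defender watching for this on a real deployment would, as the article notes, look to the RSA Authentication Monitor rather than the PAM session log, since the simulated `log` list here corresponds to the "good PIN, bad token" messages that monitor shows.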

If you have any more questions about this topic please open a ticket with the CA PAM Support team.