This document will demonstrate the behavior of the RSA server and PAM with regard to "Next Token" mode. To start with, you can see that the number of bad tokens after which this mode is entered is configurable.
You can see the Token Status on the entry for the token, and that the token is active.
Perform enough failed logins, each consisting of a good PIN and a bad token, to match the number set in your policy. In this example the number was three.
The Session Log on CA PAM is not very helpful. It only shows the same error that appears in red, above. The RSA Authentication Monitor is very helpful for such situations. If you start it before you perform your test, you will see messages like those below. We can see that the RSA server received a good pin each time, but the token was bad. With the third bad token, the RSA server switched this token to "Next Token" mode.
Once in this mode, after you provide a good PIN and token for your RSA login, you will also be prompted to enter the next token.
Wait for the token to change on your token fob or soft token and enter it in this field. This will confirm that your token and the system are in sync and you will be given access to PAM. You will also be able to see that the token is back in the active state in the RSA server.
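The token status changes described above can be replayed as a small state model. This is an added example, not RSA or CA PAM code: the event tuples, the status names and the `TOKEN-A` serial are constructed for illustration, and resetting the bad-token count after a successful login is an assumption.

```python
from dataclasses import dataclass

THRESHOLD = 3  # bad tokens before Next Token mode; the value used in this document's policy

@dataclass
class TokenState:
    status: str = "active"   # active | next_token | awaiting_next (hypothetical names)
    bad_tokens: int = 0

# Constructed sample events, not the RSA Authentication Monitor's real format:
# (token serial placeholder, pin_ok, tokencode_ok)
SAMPLE_EVENTS = [
    ("TOKEN-A", True, False),
    ("TOKEN-A", True, False),
    ("TOKEN-A", True, False),  # third bad token: server switches to Next Token mode
    ("TOKEN-A", True, True),   # good PIN and token: user is prompted for the next token
    ("TOKEN-A", True, True),   # next token matches: token is active again
]

def replay(events, threshold=THRESHOLD):
    """Replay events in order; return (final states, list of status transitions)."""
    states, transitions = {}, []
    for i, (serial, pin_ok, token_ok) in enumerate(events):
        st = states.setdefault(serial, TokenState())
        before = st.status
        if st.status == "active":
            if pin_ok and token_ok:
                st.bad_tokens = 0                # assumption: success resets the count
            elif pin_ok:                         # good PIN, bad token
                st.bad_tokens += 1
                if st.bad_tokens >= threshold:
                    st.status = "next_token"
            # bad-PIN attempts are outside this document's scenario and are ignored
        elif st.status == "next_token":
            if pin_ok and token_ok:
                st.status = "awaiting_next"      # access is not granted yet
        elif st.status == "awaiting_next":
            if token_ok:                         # only the next token is entered here
                st.status, st.bad_tokens = "active", 0
            else:
                st.status = "next_token"
        if st.status != before:
            transitions.append((i, serial, before, st.status))
    return states, transitions

if __name__ == "__main__":
    for step in replay(SAMPLE_EVENTS)[1]:
        print(step)
```
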
If you have any more questions about this topic, please open a ticket with the CA PAM Support team.