Explanation of successful authentication followed by passcode reuse and bad tokencode messages in RSA Authentication Manager authentication activity log
Originally Published: 2012-11-29
Article Number
Applies To
RSA Product/Service Type: Authentication Manager
Issue
- An Authentication Method success message is seen for the user.
- A short time after the successful authentication (within one minute), messages are seen for passcode reuse or previous tokencode detected for the same user.
- A short time after the successful authentication, the message "Bad Tokencode but good PIN detected" is shown for the token assigned to this user.
- The user has not entered the same PIN and tokencode multiple times to authenticate.
- The user sees the message "Authentication Method Failed" and is denied access.
- In Authentication Activity Log the following log messages are seen.
Cause
- The user enters the correct username and passcode on the authentication agent or RADIUS client.
- The authentication agent or RADIUS client sends this information to Authentication Manager server A.
- Authentication Manager server A sees the packet and responds back to the agent with Authentication Success.
- The Authentication Activity Log shows authentication success for this user.
- Authentication Agent A never receives this reply packet, or it does not receive the packet before the timeout for the next authentication try. For example, if the agent retries communication every five seconds and the response has not arrived within five seconds, the next authentication attempt occurs.
- As the agent never receives the reply, it then makes another request which goes to either the same server or a different server.
- The Authentication Manager responds to the request. As the passcode has already been used, the second authentication request is denied. The failure messages are written in the log.
- The agent receives the access denied reply packet.
If the client response delay is set to a large number (>6), the same behavior may occur: the client may time out and resend the authentication request while the RSA server is still waiting because of the increased response delay.
To edit this value:
- Log in to the Security Console as a super admin.
- Navigate to Setup > System Settings > Agents.
- Edit the client response delay value. By default the value is set to two seconds.
Resolution
- Take a packet capture on the agent and on the RSA Authentication Manager server to confirm that packets are correctly being received on the network.
- If the client response delay is correct, this is a network issue and not an issue with RSA Authentication Manager, so the network issues should be investigated.
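To confirm from the log that failures match the sequence described under Cause, the following added example (not RSA's code) pairs each success with any reuse or bad-tokencode message for the same user within one minute. The CSV column layout, user names and server names are constructed assumptions; only the message texts come from this article.

```python
import csv
import io
from datetime import datetime, timedelta

# Constructed sample export: timestamp,user,server,message.
# The column layout is an assumption, not the product's export format.
SAMPLE_LOG = """\
2012-11-29 10:00:01,jsmith,am-server-a,Authentication Method success
2012-11-29 10:00:06,jsmith,am-server-b,Passcode reuse or previous tokencode detected
2012-11-29 10:00:11,jsmith,am-server-a,Bad Tokencode but good PIN detected
2012-11-29 10:05:00,adoe,am-server-a,Authentication Method success
2012-11-29 10:09:30,adoe,am-server-a,Bad Tokencode but good PIN detected
2012-11-29 10:10:00,bkim,am-server-b,Passcode reuse or previous tokencode detected
"""

SUCCESS = "authentication method success"
FOLLOW_UPS = ("passcode reuse", "previous tokencode", "bad tokencode but good pin")
WINDOW = timedelta(minutes=1)  # the article's "within one minute"


def parse(text):
    """Yield (timestamp, user, server, message) for each log row."""
    for ts, user, server, message in csv.reader(io.StringIO(text)):
        yield datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), user, server, message


def find_retry_pattern(text, window=WINDOW):
    """Return (user, success_time, seconds_after, server, message) for every
    failure logged within `window` of a success for the same user."""
    last_success = {}
    hits = []
    for ts, user, server, message in sorted(parse(text)):
        lowered = message.lower()
        if SUCCESS in lowered:
            last_success[user] = ts
        elif any(marker in lowered for marker in FOLLOW_UPS):
            ok = last_success.get(user)
            if ok is not None and ts - ok <= window:
                gap = int((ts - ok).total_seconds())
                hits.append((user, ok, gap, server, message))
    return hits


if __name__ == "__main__":
    for user, ok, gap, server, message in find_retry_pattern(SAMPLE_LOG):
        print(f"{user}: success at {ok}, then '{message}' {gap}s later on {server}")
```

Failures with no success for the same user inside the window do not fit the sequence under Cause and are left out of the result. A gap close to the agent's retry interval is the detail to compare against the packet captures.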