"Invalid authentication handle" reported by the Cisco AnyConnect client when using RSA SecurID Access Cloud Authentication Service RADIUS
Originally Published: 2017-09-19
Article Number
Applies To
RSA Product/Service Type: Identity Router
Issue
It is essentially a timeout error. It means that the RADIUS authentication response was not received by Cisco ASA before the configured or default authentication timeout set in that product
Cause
- The time taken to authenticate is genuinely longer than the timeout configured for Cisco, or
- The authentication response was not delivered to Cisco for some reason
Resolution
- Cisco AnyConnect - RSA SecurID Access Implementation Guide
- Cisco ASA 9.5.2 - RSA SecurID Access Implementation Guide
<ServerList> <HostEntry> <HostName>label for UI</HostName> <HostAddress>hostname or IP address of the ASA</HostAddress> </HostEntry> </ServerList>
If ServerList HostEntry is not configured, then a 12 second timeout will be used by Cisco no matter what the actual timeout value is set to.
Related Articles
Radius Client Authentication failed For PIN+Token profile (New PIN Mode) with Cisco Anyconnect VPN Number of Views Cisco ASA - RADIUS Configuration with Cloud Authentication Service - RSA Ready Implementation Guide Number of Views RADIUS shared secret limitations of RADIUS clients configured with RSA Authentication Manager Number of Views RADIUS Clients Number of Views Add a RADIUS Client Agent Number of Views
Trending Articles
RSA Authentication Manager 8.9 Release Notes (January 2026) RSA Release Notes for RSA Authentication Manager 8.8 Generate a Certificate Signing Request (CSR) for the Web Tier RSA SecurID Software Token 4.1.2 and 4.2.1 for Mac OS X displays: No token storage device was detected. Verify that the de… RSA Authentication Manager 8.8 Security Configuration Guide
Don't see what you're looking for?
