RSA New Pin mode over PPP dialer

Unanswered Question

I have an RSA v6.1 server running SecurID and Steel Belted RADIUS. This is performing authentication requests, via RADIUS, to a Cisco router at an ISP which hosts a PPP dial in service over PSTN.

Currently I can dial successfully into the system using the standard windows ppp dialer over PSTN using my username and RSA pin+tokencode. However when the token is set to 'New Pin mode' or 'Next Token code' the connection fails to connect as it isn't prompting me for a new pin.

The RSA website says in order to support Next Token mode & New Pin Mode require the RADIUS client to

work in terminal mode before initiating ppp negotiation.

Does this problem ring any bells with anyone out there? What command to use on the cisco device to forward new pin mode requests to the dialer?

I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
cisco24x7 Mon, 02/18/2008 - 11:05

I am using the exact same setup as you,

RSA SecurID 6.1 and Steelbelt Radius on

Linux version 6.0.1. It works for me,

as seen below:

User Access Verification

Username: test1


Enter your new PIN, containing 4 to 8 digits,


to cancel the New PIN procedure:

Please re-enter new PIN:

Wait for the code on your card to change, then log in with the new PIN



That being said, the PPP dialer has to be

Next Token mode "aware". Cisco VPN client,

Pix/ASA, Cisco IOS firewall and Checkpoint

VPN client are "next-token mode" aware.

Otherwise, it will not work.

CCIE Security

Richard Burts Mon, 02/18/2008 - 20:38

Andrew's question indicates that he is looking for some router solution to this issue. But I believe that it is not a router issue but is a PC/Windows issue. If the PC is configured for the typical Windows dialer in which you input your ID and password before the PC begins to dial, then there is no opportunity for the router to send the additional prompt about new pin mode or next token mode. But if the PC is configured with the option for post dial terminal window (as illustrated in this post) do that the PC dials and connects and then the router sends the prompt then there is an opportunity for the router to send the additional prompt for new pin mode or next token mode.



Thanks Rick, you have identified exactly the issue I'm experiencing.

OK, so now I have ticked the 'Show Terminal Window' in the standard Windows XP dialer, and now when the laptop dials all is displayed in the window is a load of garbage characters...

Are there settings I have to configure on the Cisco router, or in the dialer itself to fine tune this in order for it to display the 'new pin' request ?

Your response is much appreciated.


Jagdeep Gambhir Tue, 02/19/2008 - 06:02


For new pin mode to work, you will need to enable interactive AKA exec logins. To do this you need to have following configuration.


interface Group-AsyncX

ip unnumbered Loopback0

encapsulation ppp

async mode interactive ! watch for framed and exec connections

peer default ip address pool dialin_pool

no keepalive

ppp authentication pap ! clear ok for one time pass

group-range 1/00 1/59


line x/x 1/x

login authentication default ! default command doesn't show in config

no flush-at-activation

modem InOut

autoselect during-login

autoselect ppp

autocommand ppp neg ! start ppp before giving exec prompt

To explain. SecureID users will enable a post terminal dial window in DialUp Networking config. When they connect, they will be prompted for user/token and pin if configured for that. If the Exec authentication an

authorization succeeds. The AS5350 will execute the ppp negotiate command,

which starts PPP for the session. The user may see garbage text in terminal depending on what version of DialUp Networking or client software they are using. They will need to click on the close/done/continue button.

The PC and AS5350 will then proceed with PPP.

However, we are going to by pass ppp authentication because we have already

authenticated for exec and we don't want the token to time out and cause a failure. PPP authorization should proceed as normal using the credentials provided for exec login.

Please use CHAP as PAP does not work for interactive authentication.



Do rate helpful posts

This is all very interesting, I think I'm moving in the right direction.

Only question I have is the Steel Belted Radius server doesn't support CHAP, see the output :

02/19/2008 12:27:00 Beginning instance of SecurID authentication

02/19/2008 12:27:00 Credentials are neither PAP nor EAP 2

02/19/2008 12:27:00 Terminated instance of SecurID authentication

I think I know what the answer is and that's to add a Cisco ACS server between the SecurID server and the Cisco router, would you agree?

Richard Burts Tue, 02/19/2008 - 08:58


JG gave a very good explanation. But he got reversed about which one does not work to authenticate with SecurID. PAP does work (and is supported in Steel Belted Radius - as you show) and CHAP is the one that does not work.

I happen to like ACS. But I do not believe that you really need to put in ACS. Just configure PAP and you should be able to process New Pin or Next Token modes.




This Discussion