Andrew's question indicates that he is looking for some router solution to this issue. But I believe that it is not a router issue but is a PC/Windows issue. If the PC is configured for the typical Windows dialer in which you input your ID and password before the PC begins to dial, then there is no opportunity for the router to send the additional prompt about new pin mode or next token mode. But if the PC is configured with the option for post dial terminal window (as illustrated in this post) do that the PC dials and connects and then the router sends the prompt then there is an opportunity for the router to send the additional prompt for new pin mode or next token mode.

HTH

Rick

Thanks Rick, you have identified exactly the issue I'm experiencing.

OK, so now I have ticked the 'Show Terminal Window' in the standard Windows XP dialer, and now when the laptop dials all is displayed in the window is a load of garbage characters...

Are there settings I have to configure on the Cisco router, or in the dialer itself to fine tune this in order for it to display the 'new pin' request ?

Your response is much appreciated.

Andy.

Andrew,

For new pin mode to work, you will need to enable interactive AKA exec logins. To do this you need to have following configuration.

--

interface Group-AsyncX

ip unnumbered Loopback0

encapsulation ppp

async mode interactive ! watch for framed and exec connections

peer default ip address pool dialin_pool

no keepalive

ppp authentication pap ! clear ok for one time pass

group-range 1/00 1/59

!

line x/x 1/x

login authentication default ! default command doesn't show in config

no flush-at-activation

modem InOut

autoselect during-login

autoselect ppp

autocommand ppp neg ! start ppp before giving exec prompt

To explain. SecureID users will enable a post terminal dial window in DialUp Networking config. When they connect, they will be prompted for user/token and pin if configured for that. If the Exec authentication an

authorization succeeds. The AS5350 will execute the ppp negotiate command,

which starts PPP for the session. The user may see garbage text in terminal depending on what version of DialUp Networking or client software they are using. They will need to click on the close/done/continue button.

The PC and AS5350 will then proceed with PPP.

However, we are going to by pass ppp authentication because we have already

authenticated for exec and we don't want the token to time out and cause a failure. PPP authorization should proceed as normal using the credentials provided for exec login.

Please use CHAP as PAP does not work for interactive authentication.

Regards,

~JG

Do rate helpful posts

This is all very interesting, I think I'm moving in the right direction.

Only question I have is the Steel Belted Radius server doesn't support CHAP, see the output :

02/19/2008 12:27:00 Beginning instance of SecurID authentication

02/19/2008 12:27:00 Credentials are neither PAP nor EAP 2

02/19/2008 12:27:00 Terminated instance of SecurID authentication

I think I know what the answer is and that's to add a Cisco ACS server between the SecurID server and the Cisco router, would you agree?

Andrew

JG gave a very good explanation. But he got reversed about which one does not work to authenticate with SecurID. PAP does work (and is supported in Steel Belted Radius - as you show) and CHAP is the one that does not work.

I happen to like ACS. But I do not believe that you really need to put in ACS. Just configure PAP and you should be able to process New Pin or Next Token modes.

HTH

Rick