ACS 4.2 and RSA SecurID in Next tokencode mode

Jan 13th, 2009

We're using ACS 4.2 for AAA for all of our Cisco devices. The ACS server uses our RSA SecurID server and it works great, except when the token goes into next tokencode mode. Instead of being prompted for the next tokencode after a successful auth, it prompts for a password change.

Other devices using the SecurID server aren't having this problem, so I'm sure it has to do with the ACS. Has anyone else seen this sort of thing before?

Here's our setup:

ACS 4.2(0) Build 124 Patch 7

RSA Appliance 2.0.2 Auth Manager 6.1.2 (142)

jhillend Tue, 01/13/2009 - 12:16

You are running into CSCsu29010. This is fixed with cumulative patch 6 and later.

jhillend Tue, 01/13/2009 - 12:23

OK, just noticed you are running patch 7. I need to double check.

cisco24x7 Tue, 01/13/2009 - 12:17

This is a KNOWN issue:

You run into something like this right:

[[email protected]]# telnet
Connected to
Escape character is '^]'.
ACS Server version 4.2
Username: test1
Do you want to enter your own pin? (y or n) [n] y

It hangs after that, correct?

According to RSA:

Known Issues

1. Force Authentication after New PIN (both System Generated and User Defined) does not function as designed. The user is immediately authenticated after selecting or entering a NEW PIN. Cisco has been notified, as this is how Cisco ACS is currently processing NEW PIN requests.

vbroadwater Tue, 01/13/2009 - 12:35

It's actually a little different than that. This is dealing with next tokencode mode, not new PIN mode yet. Here's what it looks like after a successful auth after next tokencode mode is activated:

Server requested password change
Password change request
Current password (blank for previously entered password):

When instead it should be prompting for the next tokencode. It's as if the ACS software doesn't know what next tokencode mode is or something. Doing a test from the RSA Security Center on the ACS server works out correctly.

I should probably note that we were experiencing the same issue with ACS 4.0. I was hoping that the upgrade and patch 7 would help but it hasn't.

cisco24x7 Tue, 01/13/2009 - 13:44

Do you set up the router to use Radius or TACACS? I don't think next token code or next PIN mode is supported with TACACS.

vbroadwater Wed, 01/14/2009 - 09:54

Our routers and switches use TACACS to the ACS server. If we have to switch to Radius, we've got a looooot of reconfiguring to do...

cisco24x7 Wed, 01/14/2009 - 10:53

If you are using tacacs, you will not be able to do this. This can be done only with radius, to my knowledge.

By the way, say hi to all the ex "Digex" folks for me.

vbroadwater Wed, 01/14/2009 - 11:01

I'll do some testing with a switch to see if that does it. It's going to be a lot of no fun if that does it!

Next time I see one, I'll tell them you said hi. :)

vbroadwater Thu, 01/22/2009 - 12:33

Ok, I finally had a chance to test out this theory. The good news (for me) is that there's no change. I'm still getting this prompt when in next tokencode mode instead of a prompt for the next tokencode:

Server requested password change
Password change request
Current password (blank for previously entered password):

That's only good news for me because it looks like I don't have to reconfigure a crazy amount of network gear. The bad news is that we still don't have an idea of why this is happening.
