Trouble configuring AnyConnect to use a RSA token PIN only for authentication

  • I have a 5515-X running 9.1.2 configured with AnyConnect 3.1.04059. I have successfully configured it to accept RSA SecurID tokens by using the PIN+TokenCode. Now I simply want to enable it so Windows users can just enter their PIN.

    I have already:

    • Enabled proxy-auth SDI in the tunnel-group (same as "Enable the display of SecurID messages" in ASDM)
    • Enabled SoftwareToken in the AnyConnect profile, which gives me a prompt of "PIN:" when attempting the connection.

    Upon entering my PIN only, the RSA server is giving this error:

    Bad tokencode, but good PIN detected for token serial number “0001162345211323” assigned to user “suser” in security domain “SystemDomain” from “Microsoft AD - MYDOM” identity source

    At this point I'm thinking that the new AnyConnect software doesn't know how to interact with RSA's stauto32.dll to get the token code. However, I don't know how to troubleshoot that.

    Is the soft-token app running when the VPN client is launched? Have you logged in normally at least once so the client has loaded the full profile from the ASA?

    Yes, the client is running. In fact I have it working with the legacy Cisco VPN client, where I put my PIN in only to log in. Also, yes, I can and have logged in by adding my PIN+token code to get it to recognize me.

    I am trying to configure the same thing. Can you please let me know the configuration on the ASA side?
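    An added example of the ASA-side configuration being asked about; it is not taken from the thread or from any poster, and the server-group name, tunnel-group name, interface, pool, policy and host address are placeholders of my own. It shows the two pieces the original poster describes: an SDI AAA server group bound to the tunnel-group, and `proxy-auth sdi` in the tunnel-group's WebVPN attributes, which is the CLI equivalent of ASDM's "Enable the display of SecurID messages".

    ```text
    ! Added example ASA configuration (names and addresses are placeholders, not from the thread)
    ! RSA Authentication Manager reachable on the inside interface, using the SDI protocol
    aaa-server RSA-SDI protocol sdi
    aaa-server RSA-SDI (inside) host 192.0.2.10
    !
    ! Remote-access tunnel-group that authenticates users against the SDI server group
    tunnel-group AC-RSA type remote-access
    tunnel-group AC-RSA general-attributes
     address-pool AC-POOL
     authentication-server-group RSA-SDI
     default-group-policy AC-POLICY
    !
    ! proxy-auth sdi = ASDM "Enable the display of SecurID messages":
    ! the ASA relays SecurID prompts (PIN, next tokencode, new-PIN mode) to the AnyConnect client
    tunnel-group AC-RSA webvpn-attributes
     proxy-auth sdi
     group-alias RSA enable
    ```

    Two checks worth running before blaming the client: `show aaa-server RSA-SDI` confirms the server group is ACTIVE, and `test aaa-server authentication RSA-SDI host 192.0.2.10 username <user> password <PIN+tokencode>` proves the ASA-to-RSA path with a full passcode independently of AnyConnect. On the client side, the profile setting the poster calls "SoftwareToken" is, to my knowledge, the `<RSASecurIDIntegration>SoftwareToken</RSASecurIDIntegration>` element of the AnyConnect profile XML; in that mode the client is supposed to read the tokencode from the locally installed RSA software token and send PIN+tokencode to the ASA, so an RSA log of "Bad tokencode, but good PIN" is consistent with the client having sent the bare PIN as the passcode, i.e. with the client-side integration failing rather than with a misconfigured ASA.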

  • tunnelsup (Correct answer, 8 years ago)

    I upgraded to Anyconnect 3.1.04063 and this has resolved my problem.

License under CC-BY-SA with attribution

Content dated before 7/24/2021 11:53 AM