Trouble configuring AnyConnect to use an RSA token PIN only for authentication
I have a 5515X 9.1.2 configured with AnyConnect 3.1.04059. I have successfully configured it to accept RSA SecurID tokens by means of using the PIN+TokenCode. Now I simply want to enable it so Windows users can just enter their PIN.
I have already:
- Enabled proxy-auth SDI in the tunnel-group (same as "Enable the display of SecurID messages" from ASDM)
- Enabled SoftwareToken in the AnyConnect profile, which gives me a prompt of "PIN:" when attempting the connection.
Upon entering my PIN only, the RSA server is giving this error:
Bad tokencode, but good PIN detected for token serial number “0001162345211323” assigned to user “suser” in security domain “SystemDomain” from “Microsoft AD - MYDOM” identity source
At this point I'm thinking that the new AnyConnect software doesn't know how to interact with RSA's stauto32.dll to get the token code. However, I don't know how to troubleshoot that.
Yes, the client is running. In fact, I have it working with the legacy Cisco VPN client, where I put my PIN in only to log in. Also, yes, I can and have logged in by adding my PIN+token code to get it to recognize me.
I am trying to configure the same thing. Can you please let me know the configuration on the ASA side?
I upgraded to AnyConnect 3.1.04063 and this has resolved my problem.
License under CC-BY-SA with attribution
Content dated before 7/24/2021 11:53 AM
Ricky 8 years ago
Is the soft-token app running when the VPN client is launched? Have you logged in normally at least once so the client has loaded the full profile from the ASA?