Trouble configuring AnyConnect to use an RSA token PIN only for authentication
I have a 5515X 9.1.2 configured with AnyConnect 3.1.04059. I have successfully configured it to accept RSA SecurID tokens by means of using the PIN+TokenCode. Now I simply want to enable it so Windows users can just enter their PIN.
I have already:
proxy-auth SDI in the tunnel-group (same as "Enable the display of SecurID messages" from ASDM)
SoftwareToken in the AnyConnect profile, which gives me a prompt of "PIN:" when attempting the connection.
Upon entering my PIN only, the RSA server is giving this error:
Bad tokencode, but good PIN detected for token serial number “0001162345211323” assigned to user “suser” in security domain “SystemDomain” from “Microsoft AD - MYDOM” identity source
At this point I'm thinking that the new AnyConnect software doesn't know how to interact with RSA's stauto32.dll to get the token code. However, I don't know how to troubleshoot that.
Is the soft-token app running when the VPN client is launched? Have you logged in normally at least once so the client has loaded the full profile from the ASA?
Yes, the client is running. In fact, I have it working with the legacy Cisco VPN client, where I put my PIN in only to log in. Also, yes, I can and have logged in with adding my PIN+token code to get it to recognize me.