When logging in with RSA it is possible to provide an invalid token.  This is more likely to happen if you are manually copying the token from a fob, but it could also happen if the token somehow becomes out of sync with the RSA server.  When this happens, the RSA server will put the token into "Next Token" mode.  When this happens, the next time you provide a good token you will be prompted for to enter the next token as well. 

Release:
Component: CAPAMX

This document will demonstrate the behavior of the RSA server and PAM with regard to "Next Token" mode.  To start with, you can see that the number of bad tokens after which this mode is entered is configurable.

<Please see attached file for image>

src="/servlet/servlet.FileDownload?file=0150c000004AKGUAA4" alt="TokenPolicies2.PNG" width="789" height="572">

 

You can see the Token Status on the entry for the token, and that the token is active.

<Please see attached file for image>

src="/servlet/servlet.FileDownload?file=0150c000004AKGVAA4" alt="TokenStatus.PNG" width="1253" height="605">

 

Perform enough failed logins to match what is in your policy, which consisted of a good pin and a bad token.  In this example the number was three.

<Please see attached file for image>

src="/servlet/servlet.FileDownload?file=0150c000004AKGOAA4" alt="FailedRSALogin.PNG" width="411" height="363">

 

The Session Log on CA PAM is not very helpful.  It only shows the same error that appears in red, above.  The RSA Authentication Monitor is very helpful for such situations.  If you start it before you perform your test, you will see messages like those below.  We can see that the RSA server received a good pin each time, but the token was bad.  With the third bad token, the RSA server switched this token to "Next Token" mode.

<Please see attached file for image>

src="/servlet/servlet.FileDownload?file=0150c000004AKGRAA4" alt="NextTokenRequired.PNG" width="1255" height="609">

 

Once in this mode, you will be prompted for to enter the next token as well, once you've provided a good pin and token for your RSA login.

<Please see attached file for image>

src="/servlet/servlet.FileDownload?file=0150c000004AKGPAA4" alt="GoodRSALogin.PNG" width="403" height="347">

<Please see attached file for image>

src="/servlet/servlet.FileDownload?file=0150c000004AKGQAA4" alt="NextTokenPrompt.PNG" width="816" height="245">

 

Wait for the token to change on your token fob or soft token and enter it in this field.  This will confirm that your token and the system are in sync and you will be given access to PAM.  You will also be able to see that the token is back in the active state in the RSA server.

If you have any more questions about this topic please open a ticket with the CA PAM Support team.