Jump to content
Welcome to our new Citrix community!

RADIUS PIN Change error

Recommended Posts



Netscaler VPX build , Radius vServer setup with PAP auth, method :Token  expression: CLIENT.UDP.RADIUS.USERNAME  , Radius class auth policy 

Radius auth is set up primary authentication on the gateway 


Normal authentication works just fine

However any user who has a token in new pin mode authenticates on the Netscaler Gateway

1) A prompt to setup a new PIN is presented---user sets a new PIN 

2) A second window pops up asking user to re-enter PIN , user enters the same PIN

3)The user is directed back to the authentication page with an error "Incorrect username or password"


Examining the debug logs shows an error 4001 "Invalid credentials"

Ran a trace and can see a Access-Reject log with message " Pin Accepted wait for next card code before trying again"


Verifying on the RSA console , can see the PIN has been accepted , however the users are confused with the error message 


My hunch is there is some setting probably needed on the Radius end to accept PIN reenter as a valid transaction instead of returning invalid credentials message 


Would be grateful if anyone could advice where I should be looking at or this needs Citrix support to fix?

Link to comment
Share on other sites

The problem here is the "access-reject" - when ADC receives that from radius server, it indicates a radius auth failure and it relays the same  message to user as received in access-reject , in your case "Pin Accepted wait for next card code before trying again" - From Netscaler point of view that's expected behavior. 


The solution to this is  (as you mentioned) make the radius server accept the transaction if possible i.e. respond with an "access-accept" or if the user is expected to perform a fresh login after pin change, then make the access-reject message on radius server a bit more user friendly e.g. "New PIN registered successfully,  please close the browser and login again"

Link to comment
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
  • Create New...