AGENT ERROR BAD OTC

Overview

AGENT_ERROR_BAD_OTC or Failed Validation is seen in the Swivel logs

Prerequisites

PINsafe 3.x

Symptoms

AccessRejectException: AGENT_ERROR_BAD_OTC? RADIUS: <0> Access-Request(1) LEN=60 192.168.1.1:1685 Access-Request by username Failed: AccessRejectException: AGENT_ERROR_BAD_OTC Associated with: The one time code was missing or malformed.

Solution

Wrong One Time Code has been entered, specifically a character was entered when a number was expected or a number when a character was expected. Enter correct One Time Code. If this is a new installation or user, the users may be entering the details incorrectly

This error can be produced by having the wrong shared secret key. Re-enter the shared secret keys on the PINsafe NAS entry and the authentication device. If using copy and paste of the shared secret and there is an issue, manually enter the shared key, there have been issues where the secret has been copied and pasted.

If the Check Password with Repository option is used under Policy Password on the PINsafe Administration console, then the AD password must be entered with the OTC, in the format ADPasswordOTC. PINsafe 3.8 allows the Check password with repository to be configured by Agent or NAS and is an option under these settings.

Check that a Swivel password has not been set by mistake, see Reset a Users Password

If this is a new configuration using a password and a OTC field, try swapping the password and OTC fields around, or enter the OTC in all the authentication fields, this will verify if the correct authentication server is being used.