we use Cryptocard as our security authentication mechanism at my company.  That what you have and the what you know.  I recently ran into an issue with the hardware tokens that was quite perplexing and caused me some grief at 2am.  We require a vpn from the inside of our company to get to PCI systems, this ensures that no one is listening on the wire and isn’t trying to steal our credit card or other vital data.  So my night operators need to use VPN along with Cryptocard to login to just about everything they want to do.  So this morning at 2am I got a call from one of the night operators who was trying to login to the VPN and getting a prompt to log back in again.  When logging into the Cryptocard status screen I saw this for his status:

Unfortunately it doesn’t seem like the Cisco Anyconnect client doesn’t seem to be able to handle the next token code appropriately and the user was getting a login failed message.

Usually when we have this problem with the software tokens we just resync the users token with the console.  No big deal except trying to get a user to enter a 8 digit challenge code that consists of upper/lower case and special characters can be tough.

However we are now switching to the hardware tokens and they only have one button on them.  This makes it extremely tough to enter a challenge code into the hardware token.  In this case since it was an internal user I just gave them the lowest possible operator rights “snapshot” in the console and allowed them to login there.  Then when it asked for the next code they were able to put it in and get their token code + pin and it resynced correctly.  Not sure what I will do when a user is remote with a hardware token and can’t login.  Probably have to issue them a software token at that point and then work with them when they are back in the office.