Are you using EAP-GTC to a RSA server?  

How long is your token caching period?  

What supplicant are you using on your clients?

What encryption? 

Did you enable user debug to see what is happening?  

What version of ArubaOS?

Thank you for your response.

Yes , customer has enabled EAP-GTC on the controller and enabled token caching for 12 hrs.

The 8021x authentication with RSA token works perfectly on the Windows machine with GTC plugin. The current issue is only related to Apple devices like Mac laptops, iphones, where the users after entering or authenticating with the initial token and remain active for 12 hrs.  After which, they are not prompted for password. Instead they use cached token as password and authentication fails since that token has already expired.

No debugging is done as of now.

As per one of the documents, I have suggested the customer to enable "user per connection" parameter on the iphones that is used for RSA token enabling customer to enter password after the cache period is over. But customer has informed that it still did not work

Kindly assist.

So,

This is how it works:

Once you put in the username and password for the mac or iPhone, it uses it forever.

When you use token caching on the controller, it will only send the first authentication to the RSA server and not send any further authentication traffic for the token caching period (12 hours in this case).  The iPhone/mac can roam, as long as it keeps submitting the username and password that was put in the first time.

When the token caching period expires, the controller will then pass through the username and password to the RSA server.  Your mac and iphone, by default, will continue sending the old username and password and fail.

Needless to say, it is not good for this to occur during the day, so you might want to extend the token caching period as an initial workaround to see if things improve.

The real problem is that the iPhone and MAC supplicant, after the token caching period expiry, do not gracefully ask for a different username and password when it fails authentication.

The per-user connection config *might* work, but once again, it might ask every time the device goes to sleep, which might not be practical...