Token server user databases, About token servers and ciscosecure acs, About token servers and cisco secure acs – Cisco 3.3 User Manual

Chapter 13 User Databases

Token Server User Databases

13-78

User Guide for Cisco Secure ACS for Windows Server

78-16592-01

Token Server User Databases

Cisco Secure ACS supports the use of token servers for the increased security
provided by one-time passwords (OTPs).

This section contains the following topics:

•

About Token Servers and Cisco Secure ACS, page 13-78

•

RADIUS-Enabled Token Servers, page 13-79

•

RSA SecurID Token Servers, page 13-84

About Token Servers and Cisco Secure ACS

Cisco Secure ACS provides ASCII, PAP, and PEAP(EAP-GTC) authentication
using token servers. Other authentication protocols are not supported with token
server databases.

Note

Authentication protocols not supported with token server databases may be
supported by another type of external user database. For more information about
authentication protocols and the external database types that support them, see

Authentication Protocol-Database Compatibility, page 1-10

.

Requests from the AAA client are first sent to Cisco Secure ACS. If Cisco Secure
ACS has been configured to authenticate against a token server and finds the
username, it forwards the authentication request to the token server. If it does not
find the username, Cisco Secure ACS checks the database configured to
authenticate unknown users. If the request for authentication is passed, the
appropriate authorizations are forwarded to the AAA client along with the
approved authentication. Cisco Secure ACS then maintains the accounting
information.

Cisco Secure ACS acts as a client to the token server. For all token servers except
RSA SecurID, Cisco Secure ACS accomplishes this using the RADIUS interface
of the token server. For more information about Cisco Secure ACS support of
token servers with a RADIUS interface, see

RADIUS-Enabled Token Servers,

page 13-79

.