Token Server User Databases
Token Server RADIUS Authentication Request and Response Contents
Configuring a RADIUS Token Server External User Database
User Guide for Cisco Secure ACS for Windows Server
11-60
Cisco Secure ACS also supports mapping users authenticated by a
RADIUS-enabled token server to a single group. Group mapping only occurs if
group specification does not occur. For more information, see
External User Database, page
When Cisco Secure ACS forwards an authentication request to a
RADIUS-enabled token server, the RADIUS authentication request contains the
following attributes:
•
User-Name (RADIUS attribute 1)
User-Password (RADIUS attribute 2)
•
•
NAS-IP-Address (RADIUS attribute 4)
•
NAS-Port (RADIUS attribute 5)
NAS-Identifier (RADIUS attribute 32)
•
Cisco Secure ACS expects to receive one of the following three responses:
access-accept—No attributes are required; however, the response can
•
indicate the Cisco Secure ACS group to which the user should be assigned.
For more information, see
•
access-reject—No attributes required.
access-challenge—Attributes required, per IETF RFC, are as follows:
•
State (RADIUS attribute 24)
–
–
Reply-Message (RADIUS attribute 18)
Use this procedure to configure ActivCard, CRYPTOCard, Vasco, Safeword,
PassGo, and RADIUS Token Server external user databases in Cisco Secure ACS.
Before You Begin
You should install and configure your RADIUS token server before configuring
Cisco Secure ACS to authenticate users with it. For information about installing
the RADIUS token server, refer to the documentation included with your token
server.
Chapter 11
12-12.
RADIUS-Based Group Specification, page
Working with User Databases
Group Mapping by
12-22.
78-14696-01, Version 3.1