Cisco Systems 3.3 Manual De Usuario
13-79
User Guide for Cisco Secure ACS for Windows Server
78-16592-01
Chapter 13 User Databases
Token Server User Databases
For RSA SecurID, Cisco Secure ACS uses an RSA proprietary API. For more
information about Cisco Secure ACS support of RSA SecurID token servers, see
information about Cisco Secure ACS support of RSA SecurID token servers, see
Token Servers and ISDN
Cisco Secure ACS supports token caching for ISDN terminal adapters and
routers. One inconvenience of using token cards for OTP authentication with
ISDN is that each B channel requires its own OTP. Therefore, a user must enter at
least 2 OTPs, plus any other login passwords, such as those for Windows
networking. If the terminal adapter supports the ability to turn on and off the
second B channel, users might have to enter many OTPs each time the second B
channel comes into service.
routers. One inconvenience of using token cards for OTP authentication with
ISDN is that each B channel requires its own OTP. Therefore, a user must enter at
least 2 OTPs, plus any other login passwords, such as those for Windows
networking. If the terminal adapter supports the ability to turn on and off the
second B channel, users might have to enter many OTPs each time the second B
channel comes into service.
Cisco Secure ACS caches the token to help make the OTPs easier for users. This
means that if a token card is being used to authenticate a user on the first B
channel, a specified period can be set during which the second B channel can
come into service without requiring the user to enter another OTP. To lessen the
risk of unauthorized access to the second B channel, you can limit the time the
second B channel is up. Furthermore, you can configure the second B channel to
use the CHAP password specified during the first login to further lessen the
chance of a security problem. When the first B channel is dropped, the cached
token is erased.
means that if a token card is being used to authenticate a user on the first B
channel, a specified period can be set during which the second B channel can
come into service without requiring the user to enter another OTP. To lessen the
risk of unauthorized access to the second B channel, you can limit the time the
second B channel is up. Furthermore, you can configure the second B channel to
use the CHAP password specified during the first login to further lessen the
chance of a security problem. When the first B channel is dropped, the cached
token is erased.
RADIUS-Enabled Token Servers
This section describes support for token servers that provide a standard RADIUS
interface.
interface.
This section contains the following topics:
•
•
•