Cisco 2509 - Router - EN User Manual page 471

Chapter 11 Working with User Databases
•
•
Step 8 If you want to support token users performing a shell login to a TACACS+ AAA
client, you must configure the options in the TACACS+ Shell Configuration table.
Do one of the following:
a.
b.
Tip
78-14696-01, Version 3.1
Retries—The number of authentication attempts Cisco Secure ACS makes
before failing over to the secondary RADIUS token server.
Failback Retry Delay (minutes)—The number of minutes that
Cisco Secure ACS sends authentication requests to the secondary server
when the primary server has failed. When this duration is ended,
Cisco Secure ACS reverts to sending authentication requests to the primary
server.
Note If both the primary and the secondary servers fail, Cisco Secure ACS
alternates between both servers until one responds.
If you want Cisco Secure ACS to present a custom prompt for tokens, select
Static (sync and async tokens), and then type in the Prompt box the prompt
that Cisco Secure ACS will present.
For example, if you type "Enter your PassGo token:" in the Prompt box, users
receive an "Enter your PassGo token" prompt rather than a password prompt.
If some tokens submitted to this server are synchronous tokens, you
Note
must use the Static (sync and async tokens) option.
If you want Cisco Secure ACS to send the token server a password to trigger
a challenge, select From Token Server (async tokens only), and then, in the
Password box, type the password that Cisco Secure ACS will forward to the
token server.
For example, if the token server requires the string "challengeme" in order to
evoke a challenge, you should type "challengeme" in the Password box. Users
receive a username prompt and a challenge prompt.
Most token servers accept a blank password as the trigger to send a
challenge prompt.
User Guide for Cisco Secure ACS for Windows Server
Token Server User Databases
11-63