Token Caching - Cisco 700 Series Configuration Manual

Software release 4.4
Token Caching

Cisco 700 series routers do not perform token caching. A token is cached at the client, and the client sends the router the cached token in response to the authentication request from a link that uses a multilink PPP bundle. With its built-in algorithm, the agent can also generate a new token, called a soft token, instead of prompting the user to enter a new hard token. There are two authentication modes, PAP and CHAP local secret, shown in the following figures.

Cisco 700 Series Router Configuration Guide

Otherwise, the router sends the request to the source of the interesting packet received if the interesting packet is an IP packet. The router sends the request to the designated client if the interesting packet is not an IP packet.

Step 3  The agent software recognizes the UDP/IP packet and opens an authentication window on the terminal. The user enters the username and token. The agent organizes the information into the PAP and CHAP username and password, based on the router configuration. It then sends the username and password back to the router as a reply packet.

Step 4  The reply packet is received, and the router opens an ISDN connection with the Network Access Server (NAS).

Step 5  The router negotiates all line-control protocol options, including which authentication protocol to use (PAP or CHAP).

Step 6  Depending on which authentication protocol is negotiated, the router assembles a PAP request or CHAP response packet and sends it to the NAS. If authentication fails, the NAS passes the failure message from authentication, authorization, and accounting (AAA) to the router. The router sends one more request to the agent with a message to retry once more. If authentication fails again, the router sends another PAP request with the pppautheninfotype parameter set to message-only to inform the Cisco Secure Authentication Agent client that the authentication failed again and that the router has stopped authorization attempts.
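
Added example (not from the Cisco manual and not Cisco code): a Python illustration of the Step 6 packet assembly, using the standard PAP Authenticate-Request (RFC 1334) and CHAP Response (RFC 1994) layouts. The username, token and challenge are constructed sample values, and using the token directly as the CHAP secret is an assumption, because the figures that define the manual's own mapping are not reproduced on this page.

```python
import hashlib
import struct

PAP_AUTH_REQUEST = 1   # RFC 1334 code for Authenticate-Request
CHAP_RESPONSE = 2      # RFC 1994 code for Response


def _frame(code: int, ident: int, data: bytes) -> bytes:
    """Code (1) | Identifier (1) | Length (2, header + data) | Data."""
    return struct.pack("!BBH", code, ident, 4 + len(data)) + data


def pap_request(ident: int, username: bytes, token: bytes) -> bytes:
    """PAP carries Peer-ID and Password as length-prefixed cleartext."""
    if len(username) > 255 or len(token) > 255:
        raise ValueError("PAP fields are limited to 255 bytes each")
    data = bytes([len(username)]) + username + bytes([len(token)]) + token
    return _frame(PAP_AUTH_REQUEST, ident, data)


def chap_response(ident: int, username: bytes, secret: bytes,
                  challenge: bytes) -> bytes:
    """CHAP sends MD5(Identifier || secret || challenge), never the secret."""
    digest = hashlib.md5(bytes([ident]) + secret + challenge).digest()
    return _frame(CHAP_RESPONSE, ident, bytes([len(digest)]) + digest + username)


def assemble(negotiated: str, ident: int, username: bytes, token: bytes,
             challenge: bytes = b"") -> bytes:
    """Pick the packet type from the protocol negotiated in Step 5."""
    if negotiated == "PAP":
        return pap_request(ident, username, token)
    if negotiated == "CHAP":
        if not challenge:
            raise ValueError("CHAP needs the challenge sent by the NAS")
        # Assumption: the token is used directly as the CHAP secret.
        return chap_response(ident, username, token, challenge)
    raise ValueError(f"unsupported authentication protocol: {negotiated}")


if __name__ == "__main__":
    # Constructed sample values, not taken from the manual.
    user, token, chal = b"jdoe", b"483920", bytes(range(16))
    for proto in ("PAP", "CHAP"):
        pkt = assemble(proto, 1, user, token, chal)
        print(proto, pkt.hex(), "token visible on the wire:", token in pkt)
```

The PAP packet contains the token bytes verbatim, while the CHAP packet carries only the MD5 digest, which is the practical difference between the two modes on the ISDN link.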

This manual is also suitable for:

765 series