User Guide for Cisco Secure ACS for Windows Server
78-16592-01
Chapter 13 User Databases
Token Server User Databases
• Timeout (seconds)—The number of seconds Cisco Secure ACS waits for a
response from the RADIUS token server before retrying the authentication
request.
• Retries—The number of authentication attempts Cisco Secure ACS makes
before failing over to the secondary RADIUS token server.
• Failback Retry Delay (minutes)—The number of minutes that Cisco Secure
ACS sends authentication requests to the secondary server when the primary
server has failed. When this period ends, Cisco Secure ACS reverts to
sending authentication requests to the primary server.
Note: If both the primary and the secondary servers fail, Cisco Secure ACS
alternates between both servers until one responds.
Step 8 If you want to support token users performing a shell login to a TACACS+ AAA
client, you must configure the options in the TACACS+ Shell Configuration table.
Do one of the following:
a. If you want Cisco Secure ACS to present a custom prompt for tokens, select
Static (sync and async tokens), and then type in the Prompt box the prompt
that Cisco Secure ACS will present.
For example, if you type “Enter your PassGo token” in the Prompt box, users
receive an “Enter your PassGo token” prompt rather than a password prompt.
Note: If some tokens submitted to this server are synchronous tokens, you
must use the Static (sync and async tokens) option.
b. If you want Cisco Secure ACS to send the token server a password to trigger
a challenge, select From Token Server (async tokens only), and then, in the
Password box, type the password that Cisco Secure ACS will forward to the
token server.
For example, if the token server requires the string “challengeme” in order to
evoke a challenge, you should type “challengeme” in the Password box. Users
receive a username prompt and a challenge prompt.
Tip: Most token servers accept a blank password as the trigger to send a
challenge prompt.
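
The following added example is not part of the Cisco guide or of Cisco Secure ACS. It models how the Timeout, Retries, and Failback Retry Delay settings described before Step 8 interact, so that you can estimate the login delay a user sees while the primary token server is down. The class and method names, the reading of Retries as total attempts per server, and the max_rounds bound are assumptions.

```python
# Added example: a simplified model of the failover settings, not Cisco code.
# Assumptions: "Retries" is the total number of attempts made against a
# server, every unanswered attempt costs the full Timeout, and max_rounds
# bounds the "alternate until one responds" loop so the model terminates.

class FailoverModel:
    def __init__(self, timeout_s, retries, failback_min):
        self.timeout_s = timeout_s
        self.retries = retries
        self.failback_s = failback_min * 60
        self.now = 0.0               # simulated clock in seconds
        self.secondary_until = None  # when ACS reverts to the primary

    def advance(self, seconds):
        """Let simulated time pass between authentication requests."""
        self.now += seconds

    def _answers(self, server, up):
        """Try one server up to `retries` times; True if it responds."""
        for _ in range(self.retries):
            if server in up:
                return True
            self.now += self.timeout_s  # waited the whole timeout for nothing
        return False

    def authenticate(self, up, max_rounds=3):
        """Return (server that answered or None, seconds spent waiting)."""
        start = self.now
        if self.secondary_until is not None and self.now >= self.secondary_until:
            self.secondary_until = None  # Failback Retry Delay has elapsed
        if self.secondary_until is None:
            order = ["primary", "secondary"]
        else:
            order = ["secondary", "primary"]
        for _ in range(max_rounds):      # both down: alternate between them
            for server in order:
                if not self._answers(server, up):
                    continue
                if server == "primary":
                    self.secondary_until = None
                elif self.secondary_until is None:
                    self.secondary_until = self.now + self.failback_s
                return server, self.now - start
        return None, self.now - start
```

Under these assumptions, each request that first probes a dead primary waits Timeout multiplied by Retries, and the same penalty recurs once per Failback Retry Delay for as long as the primary stays down.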