Token Card and Cisco Secure Authentication Support

This appendix provides Token Card and Cisco Secure Authentication support concepts as they apply to the Cisco 700 series router. Cisco Secure Authentication Agent supports single-user mode, which extends B channel authentication to a Cisco Secure Authentication Agent client.

Token cards are considered the most secure authentication solution available. There are two kinds of token cards, synchronous and asynchronous. Currently, Cisco Secure Authentication Agent supports only synchronous token cards, which do not need a challenge from a token server to generate a token.

Figure A-1 shows the connection between the client and the token server.


Figure A-1: Cisco Secure Authentication Agent Client-to-Token Server Connection

The following steps illustrate how a link is established using a profile:

Step 1 Demand traffic or a call command makes a connection.

Step 2 The router sends a User Datagram Protocol (UDP) packet to a Token Authorization agent (also known as Cisco Secure Authentication Agent), requesting a username and password for PAP and CHAP. If Token Authorization Support (TAS) is set to central, the router always sends the authentication information request to the designated client.

Otherwise, if the interesting packet is an IP packet, the router sends the request to the source of that packet; if the interesting packet is not an IP packet, the router sends the request to the designated client.

Step 3 The agent software recognizes the UDP/IP packet and opens an authentication window on the terminal. The user enters the username and token. The agent assembles this information into the PAP and CHAP username and password, based on the router configuration, and sends the username and password back to the router as a reply packet.

Step 4 The reply packet is received, and the router opens an ISDN connection with the Network Access Server (NAS).

Step 5 The router negotiates all line-control protocol options, including which authentication protocol to use (PAP or CHAP).

Step 6 Depending on which authentication protocol is negotiated, the router assembles a PAP request or CHAP response packet and sends it to the NAS. If authentication fails, the NAS passes the failure message from authentication, authorization, and accounting (AAA) to the router. The router sends one more request to the agent with a message asking the user to retry once. If authentication fails again, the router sends another PAP request with the pppautheninfotype parameter set to message-only to inform the Cisco Secure Authentication Agent client that the authentication failed again and that the router has stopped authorization attempts.
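The six-step flow above, modelled as an added example (not Cisco's code). The UDP message layout is not documented here, so the agent and NAS are stubs and pppautheninfotype is the only field name taken from the page; the addresses, username and token values are constructed.

```python
from dataclasses import dataclass

class StubAgent:
    """Constructed stand-in for the Cisco Secure Authentication Agent client."""
    def __init__(self, tokens):
        self.tokens = list(tokens)  # tokens the user (or soft-token algorithm) supplies
        self.notices = []           # message-only notifications received from the router
    def request(self, target, attempt):
        # Step 3: username plus next token become the PAP/CHAP credentials ("alice" is constructed)
        return ("alice", self.tokens.pop(0))
    def notify(self, target, info):
        self.notices.append((target, info))

class StubNAS:
    """Constructed NAS/AAA stand-in that accepts exactly one token value."""
    def __init__(self, valid_token):
        self.valid_token = valid_token
    def authenticate(self, username, password):
        return password == self.valid_token

@dataclass
class Router:
    tas_central: bool       # Token Authorization Support (TAS) set to central
    designated_client: str
    agent: StubAgent
    nas: StubNAS

    def request_target(self, pkt):
        """Step 2: where the UDP credential request is sent."""
        if self.tas_central or pkt.get("proto") != "ip":
            return self.designated_client
        return pkt["src"]   # source of the interesting IP packet

    def connect(self, pkt):
        """Steps 2-6: request credentials, try the NAS, retry once, then stop."""
        target = self.request_target(pkt)
        for attempt in (1, 2):  # the router retries exactly once
            username, password = self.agent.request(target, attempt)
            if self.nas.authenticate(username, password):
                return "connected"
        # second failure: tell the agent the router has stopped trying
        self.agent.notify(target, {"pppautheninfotype": "message-only"})
        return "failed"

def run(tas_central, pkt, tokens):
    """One connection attempt with fresh stubs; addresses are constructed."""
    agent = StubAgent(tokens)
    router = Router(tas_central, "10.0.0.5", agent, StubNAS("good"))
    return router.connect(pkt), router.request_target(pkt), agent.notices
```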

Token Caching

Cisco 700 series routers do not perform token caching themselves. Instead, the token is cached at the client, and the client sends the router the cached token in response to an authentication request from a link that is part of a multilink PPP bundle. With its built-in algorithm, the agent can also generate a new token, called a soft token, instead of prompting the user to enter a new hard token.

There are two authentication modes, PAP and CHAP local secret, shown in the following figures.


Figure A-2: PAP Client Packet

Figure A-3: CHAP Local Secret


Posted: Wed Sep 1 16:38:37 PDT 1999
Copyright 1989-1999 © Cisco Systems Inc.