Token Caching

Token Caching

Otherwise, the router sends the request to the source of the interesting packet received if the interesting packet is an IP packet. The router sends the request to the designated client if the interesting packet is not an IP packet.

Step 3 The agent software recognizes the UDP/IP packet and opens an authentication window on the terminal. The user enters the username and token. The agent organizes the information into the PAP and CHAP username and password, based on the router configuration. It then sends the username and password back to the router as a reply packet.

Step 4 The reply packet is received, and the router opens an ISDN connection with Network Access Server (NAS).

Step 5 The router negotiates all line-control protocol options, including which authentication protocol to use (PAP or CHAP).

Step 6 Depending on which authentication protocol is negotiated, the router assembles a PAP request or CHAP response packet and sends it to NAS. If authentication fails, NAS passes the failure message from authentication, authorization, and accounting (AAA) to the router. The router sends one more request to the agent with a message to retry once more. If authentication fails again, the router sends another PAP request with the pppautheninfotype parameter set to message-onlyto inform the Cisco Secure Authentication Agent client that the authentication failed again and that the router has stopped authorization attempts.

Cisco 700 series routers do not do token caching. A token is cached at the client, and the client sends the router the cached token in response to the authentication request from a link that uses a multilink PPP bundle. With its built-in algorithm, the agent can also generate a new token, called a soft token, instead of prompting the user to enter a new hard token.

There are two authentication modes, PAP and CHAP local secret, shown in the following figures.

A-2Cisco700 Series Router Configuration Guide