Paul

I have successfully configured Dial Access users to authenticate using 2 factor RSA token card through ACS. Your question is quite broad so I will offer a few observations and if you have further questions you may ask somewhat more focused questions.

- you want the router to authenticate the ppp session for the dialer lines and then to pass the authentication request to AAA/ACS.

- from IOS you can not send an authentication request directly to RSA 2 factor authentication. So on the router it is confiugred as aaa for tacacs or for radius.

- the ppp authentication on the dialer lines needs to specify pap and not chap (for me it was not intuitive that we needed the less secure ppp authentication so that we could be more secure in our authentication. But that is what it needs to be.)

- in AAA we decided to do authentication and accounting but not authorization.

- the aaa authentication ppp default is fairly obvious and catches most users who use the common MS Windows dialer which will prompt for userID and password before dialing. But if users have configured to use the post terminal window the PC dials and connects to the router before the prompt is issued. So you need to catch those users in the default login authentication (or you need to have a policy that the function of post terminal window is not supported)).

- caveat: we found that things like RSA new token mode do not work when doing normal MS Windows dial.

If you have other questions feel free to ask.

HTH

Rick