We need to run the following scenario:
Cisco VPN client (or AnyConnect, Cisco SSL VPN client) ----> Cisco ASA 5520 -----> Cisco ACS 4.2 -----> CAT Authentication Server
The CAT Authentication Server is a RADIUS server. It can receive RADIUS authentication requests and respond. It is used for TFA OTP strong authentication in a similar way to the RSA OTP tokens.
The question is: how do we configure the ACS 4.2 to delegate the authentication request to another RADIUS server?
You can define any RADIUS server as an external authentication database. Basically, an external database is just a system that can authenticate requests outside of ACS's authority. You just configure it under RADIUS token server, and it will appear in the dropdown under user or group profiles. I've had this work with Microsoft IAS, FreeRADIUS, and RSA SecurID Server.
Add the RSA server as an External Database, then configure the user or group profile dropdown for authentication to the new external database rather than ACS Local DB (or Windows DB).
Easy as pie!
Please rate if this is helpful.