Once I used a router (3660)for dail-in with ACS and RSA,then  I am going to take the 2611 over 3660,and the configure are basicly the same. But I can not dail-in with token,and on the ACS I found this message:cached token rejected/expired.However if I dial-in with the ACS local database I can dail-in succesfully.

Any one get this issue?

Sorry for my poor English.

aaa new-model

!

!

aaa authentication login default group tacacs+ local

aaa authentication ppp default group tacacs+ local

aaa authorization exec default group tacacs+ local

aaa authorization network default group tacacs+

aaa accounting exec default start-stop group tacacs+

aaa accounting commands 0 default start-stop group tacacs+

aaa accounting commands 1 default start-stop group tacacs+

aaa accounting commands 15 default start-stop group tacacs+

aaa accounting network default start-stop group tacacs+

aaa session-id common

ip subnet-zero

no ip source-route

no ip gratuitous-arps

ip cef

ip tcp synwait-time 10

!

interface Group-Async1

ip unnumbered Loopback0

encapsulation ppp

ip tcp header-compression

no ip mroute-cache

no logging event link-status

async default routing

async mode interactive

peer default ip address pool ipGroup-1

ppp authentication chap one-time

group-range 33 48

!