
How to configure AD and Token server (over radius) authentication


Dear forum,
I have a scenario where users should be allowed network access after they have given their AD credentials and a token (Blackshield Token server).
The token server speaks over RADIUS to the Cisco ACS appliance. I have managed to get users authenticated by means of their AD credentials. I am, however, not able to use both means in order to have a successful authentication.

Does anyone have a configuration example for this scenario? Any help would be greatly appreciated.




Is there anyone out there willing to help me?

Sent from Cisco Technical Support iPhone App

I don't think you can authenticate users using two methods. You could use either AD or token server, but not both.

Sent from Cisco Technical Support iPad App

Hi There,

Thanks for taking the time to reply to this question. It is duly appreciated. Please note that the token server communicates over RADIUS (it's not an RSA token server). I have read that it is possible to use two authentication sources in order to authenticate a user. There is a page on the internet that explains in a bit of detail how to configure this, but I cannot for the life of me find that page.

The scenario is like > log on to device > enter AD credentials > get popped for another authentication > enter authentication method (mine in this case is a token over RADIUS).

Has anyone worked with such a scenario and can help me further?

Thanks again.


Which type of authentication are you performing? Is this for some type of VPN access like VPN Client (IPSec) or AnyConnect?



Hi Carlos,

It's just for normal infra device authentication.


Sent from Cisco Technical Support iPhone App


I have had two deployments using this form of authentication.

Just so we are on the same page, the token servers that I have integrated connect to an Active Directory server running NPS (MS RADIUS), then the user will have to send their password+token and the token software will check the account password, and then the token to see if the user succeeds.

Let me know if that is the design of your software. If it is, then all you need to do is configure the token software to run on RADIUS and then set the policies up from there. From the network device standpoint it just needs to point to the RADIUS server.


Tarik Admani
*Please rate helpful posts*
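
The password+token flow described in the reply above, sketched as an added example that is not from the thread or from any vendor's code. Assumptions: the token code is a fixed 6-digit suffix on the password field, RFC 4226 HOTP stands in for the token server's algorithm, and `check_password` is a hypothetical stand-in for the AD check.

```python
import hashlib
import hmac
import struct

OTP_DIGITS = 6  # assumption: token code is a fixed-length numeric suffix


def hotp(secret: bytes, counter: int, digits: int = OTP_DIGITS) -> str:
    """RFC 4226 HOTP, standing in for the token server's own algorithm."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def split_credential(combined: str, digits: int = OTP_DIGITS):
    """Split 'password+token' as typed into the single RADIUS password field."""
    otp = combined[-digits:]
    if len(combined) <= digits or not (otp.isascii() and otp.isdigit()):
        return None
    return combined[:-digits], otp


def authenticate(user, combined, check_password, token_db, window=2):
    """Return True only if both the directory password and the token pass.

    check_password: callable(user, password) -> bool (hypothetical AD check).
    token_db: {user: [secret, next_counter]} (constructed token store).
    """
    parts = split_credential(combined)
    entry = token_db.get(user)
    if parts is None or entry is None:
        return False
    password, otp = parts
    if not check_password(user, password):
        return False  # password is checked first, then the token
    secret, counter = entry
    for c in range(counter, counter + window + 1):
        if hmac.compare_digest(hotp(secret, c), otp):
            entry[1] = c + 1  # advance the counter so a used code is rejected
            return True
    return False
```

With this design the network device sends one RADIUS Access-Request and never sees two prompts; a password-only or token-only submission fails at the server.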


Hi there,

Solved. We enabled the radius proxy and made an authentication policy.


Sent from Cisco Technical Support iPhone App

Do you have any details about your radius sequence and policy? 

Please consider posting a document describing the steps you took to get your token server configuration working to help others trying to do a similar thing in the future.

Hello, reguntenaar


Could you describe for us the steps you followed for implementing your solution? We will appreciate that.


Thank you so much.
