One of the features of Cisco ACS(TACACS) is the ability to configure External Identity Stores. A customer recently asked about this. They wanted PAM to authenticate to a Cisco ACS configured with an RSA Identity Store. The attached document demonstrates the basics for setting this up. With this configuration, the user will log into PAM specifying that TACACS authentication be used, but the Password field will contain the Pin+Token Code that is required for RSA authentication. Bear in mind that this has not been fully tested by Engineering. Some features of RSA may not work through the Cisco ACS. For example, the New Pin dialogue and New Token Mode are not expected to work at this time. As long as the Pin is already assigned to the token this should work well. If the Token becomes out of sync then it will have to be resynchronized outside of PAM. This may change as Engineering tests this further.