
Table Of Contents

CiscoSecure Profile and NAS Configuration Examples

TACACS+—Limited EXEC Session Authorization

User Profile for Limited EXEC Session Authorization in TACACS+

NAS Support for Limited EXEC Session Authorization in TACACS+

Verification of Limited EXEC Session Authorization in TACACS+

TACACS+—Shell Filter Access and Limitations (Allow and Refuse)

User Profiles with Shell Filter Access and Limitations in TACACS+

NAS Support for Shell Filter Access and Limitations in TACACS+

Verification of Shell Filter Access and Limitations on EXEC Session Access in TACACS+

TACACS+—Asynchronous PPP Connections with CHAP Authentication

User Profiles for Asynchronous PPP Connections in TACACS+

NAS Support for PPP Connection in TACACS+

Verification of Asynchronous PPP Connection in TACACS+

RADIUS—EXEC Session Authorization

User Profile for EXEC Session Authorization in RADIUS

NAS Support for EXEC Session Authorization in RADIUS

Verification of EXEC Session Authorization in RADIUS

RADIUS—Asynchronous PPP Connections with CHAP Authentication

User Profiles for Asynchronous PPP Connections in RADIUS

NAS Support for PPP Connection in RADIUS

Verification of Asynchronous PPP Connection in RADIUS

TACACS+—VPDN Example

TACACS+ Profiles to Set Up at the ISP-Run ACS

TACACS+ Profiles to Set Up at the Customer-Run Home Gateway ACS

Supporting ACS AAA Domain Web Page Configuration

TACACS+ ISP NAS Support for the VPDN

TACACS+ Home Gateway NAS Support

Verifying the TACACS+ VPDN Setup

RADIUS—VPDN Example

RADIUS Profiles to Set Up at the ISP ACS

RADIUS Profiles to Set Up at the Home Gateway ACS

Supporting ACS AAA Domain Web Page Configuration

RADIUS ISP NAS Support for the VPDN

RADIUS Home Gateway NAS Support

Verifying the RADIUS VPDN Setup

Combined TACACS+ and RADIUS VPDN Implementation


CiscoSecure Profile and NAS Configuration Examples


As previously noted, to successfully implement the CiscoSecure profile attributes that you assign to your users, you must also configure support for those attributes on the NAS through which those users log in to the network.

This chapter provides examples of some typical CiscoSecure user profiles coupled with the NAS configurations that support those profiles. Both TACACS+ and RADIUS examples are provided. Examples include:

TACACS+—Limited EXEC Session Authorization

TACACS+—Shell Filter Access and Limitations (Allow and Refuse)

TACACS+—Asynchronous PPP Connections with CHAP Authentication

RADIUS—EXEC Session Authorization

RADIUS—Asynchronous PPP Connections with CHAP Authentication

TACACS+—VPDN Example

RADIUS—VPDN Example

TACACS+—Limited EXEC Session Authorization

The following CiscoSecure profile and NAS configurations let a TACACS+ user run only two EXEC commands: show version on the router, and telnet to IP address 10.6.8.11. All other commands are denied.

A system administrator may want to grant group administrators a limited set of EXEC query commands on specified routers so that they can look up configuration information while supporting the help line.

User Profile for Limited EXEC Session Authorization in TACACS+

The following user profile, generated through the Java-based CiscoSecure Administrator advanced configuration program, grants user ga_simpson permission to run the show version and Telnet commands only on the NAS that he/she is logging into.

user = ga_simpson {
member = groupf
password = clear "sesame1"
service=shell {
cmd=show {
permit version
}
cmd=telnet {
permit 10.6.8.11
}
}
}

NAS Support for Limited EXEC Session Authorization in TACACS+

The following configuration, entered at the NAS through which user ga_simpson logs in, supports the limited EXEC session authorization configured in the earlier section, "User Profile for Limited EXEC Session Authorization in TACACS+." Commands significant to this support are annotated below.

!
version 11.3
!
hostname as5200
!
! Turn on Authentication, Authorization, Accounting
aaa new-model

! `vtymethod' and `conmethod' are named login authentication method
! lists. The methods are tried in order, and a later method is used
! only when the earlier one returns an error (for example, no TACACS+
! server answers), not when it rejects the user. Because `enable' is
! last in each list, the enable password still opens the NAS when
! CiscoSecure is down.
aaa authentication login vtymethod local tacacs+ enable
aaa authentication login conmethod local tacacs+ enable

! Send privilege-level-1 EXEC commands to TACACS+ for authorization.
! Only level 1 is covered; commands entered at other privilege levels
! are not checked against the profile.
aaa authorization commands 1 tacacs+
enable password cisco
!
username cisco password 0 cisco
isdn switch-type primary-5ess
!
controller T1 0
framing esf
clock source line primary
linecode b8zs
pri-group timeslots 1-24
!
interface Ethernet0
ip address 10.6.8.21 255.0.0.0
!
interface Group-Async1
ip unnumbered Ethernet0
encapsulation ppp
no ip route-cache
no ip mroute-cache
async dynamic routing
async mode interactive
no peer default ip address
ppp authentication chap
group-range 1 24
!
router rip
network 10.0.0.0
!
! Specify the CiscoSecure server
tacacs-server host 10.6.8.20

! Time (10 seconds) to wait for CiscoSecure server to reply
tacacs-server timeout 10

! Shared secret. TACACS+ XORs the packet body with an MD5 keystream
! derived from this key, so treat the key as a password.
tacacs-server key SECRET12345
!
line con 0
exec-timeout 0 0
password cisco
login authentication conmethod
line 1 24
autoselect ppp
modem InOut
transport input all
telnet transparent
line aux 0
line vty 0
exec-timeout 0 0
password cisco
login authentication vtymethod
width 110
line vty 1 4
exec-timeout 0 0
password cisco
login authentication vtymethod
!
end
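The tacacs-server key above is not a cipher key in the usual sense. As an added example, not code from this page or from Cisco, the following Python builds the authorization REQUEST that as5200 would send when ga_simpson types show version and applies the TACACS+ body obfuscation described in RFC 8907: the body is XORed with an MD5 keystream derived from the session id, the key, the version byte and the sequence number. The session id, port name and remote address are constructed for the example. Decoding with the wrong key yields garbage, and nothing in the packet detects that, which is why both the key and the path between NAS and ACS need protecting.

```python
import hashlib
import struct

KEY = b"SECRET12345"        # tacacs-server key from the NAS configuration above
VERSION = 0xC0              # major version 0xC, minor version 0
TAC_PLUS_AUTHOR = 0x02      # packet type: authorization
FLAG_UNENCRYPTED = 0x01     # set only when obfuscation is switched off


def pseudo_pad(session_id, key, version, seq_no, length):
    """MD5 keystream from RFC 8907 section 4.5: block n is
    MD5(session_id + key + version + seq_no + block n-1)."""
    seed = session_id + key + bytes([version, seq_no])
    pad, block = b"", b""
    while len(pad) < length:
        block = hashlib.md5(seed + block).digest()
        pad += block
    return pad[:length]


def obfuscate(body, session_id, key, version, seq_no):
    """XOR the body with the pseudo-pad. The operation is its own inverse."""
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def author_request_body(user, port, rem_addr, args, priv_lvl=1):
    """Authorization REQUEST body (RFC 8907 section 6.1) for an EXEC command."""
    u, p, r = user.encode(), port.encode(), rem_addr.encode()
    a = [s.encode() for s in args]
    # authen_method=TACACSPLUS(6), authen_type=ASCII(1), authen_service=LOGIN(1)
    body = struct.pack("!8B", 0x06, priv_lvl, 0x01, 0x01, len(u), len(p), len(r), len(a))
    body += bytes(len(x) for x in a)
    return body + u + p + r + b"".join(a)


def build_packet(body, session_id, seq_no, key):
    """12-byte header followed by the obfuscated body."""
    header = struct.pack("!4B", VERSION, TAC_PLUS_AUTHOR, seq_no, 0x00)
    header += session_id + struct.pack("!I", len(body))
    return header + obfuscate(body, session_id, key, VERSION, seq_no)


def parse_author_request(body):
    """Split a plaintext authorization REQUEST body back into its fields."""
    meth, priv, atype, svc, ul, pl, rl, argc = struct.unpack("!8B", body[:8])
    arg_lens = list(body[8:8 + argc])
    off = 8 + argc
    fields = []
    for n in [ul, pl, rl] + arg_lens:
        fields.append(body[off:off + n].decode("ascii", errors="replace"))
        off += n
    return {"user": fields[0], "port": fields[1], "rem_addr": fields[2],
            "priv_lvl": priv, "args": fields[3:]}


def decode_packet(pkt, key):
    """What the server does: de-obfuscate with its copy of the key, then parse."""
    version, ptype, seq_no, flags = struct.unpack("!4B", pkt[:4])
    session_id = pkt[4:8]
    (length,) = struct.unpack("!I", pkt[8:12])
    body = pkt[12:12 + length]
    if not flags & FLAG_UNENCRYPTED:
        body = obfuscate(body, session_id, key, version, seq_no)
    return parse_author_request(body)


# Constructed sample: the request as5200 would make when ga_simpson types
# "sh ver". IOS sends the expanded command, so the arguments carry show / version.
SESSION_ID = bytes.fromhex("4a3b2c1d")      # arbitrary session id for the example
ARGS = ["service=shell", "cmd=show", "cmd-arg=version", "cmd-arg=<cr>"]
BODY = author_request_body("ga_simpson", "tty66", "10.6.8.99", ARGS)
PACKET = build_packet(BODY, SESSION_ID, 1, KEY)

if __name__ == "__main__":
    print(decode_packet(PACKET, KEY))           # readable with the right key
    print(decode_packet(PACKET, b"wrong-key"))  # garbage, and nothing flags it
```

The keystream depends only on values that travel in the clear plus the key, so anyone who captures the session and knows or guesses the key can read every command the user typed; there is no integrity check either, so a modified body is accepted as long as it parses.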

Verification of Limited EXEC Session Authorization in TACACS+

To verify the limited EXEC session authorization configuration, the administrator, in the example below, Telnets to a NAS at IP address 10.6.8.21, logs in as user ga_simpson, and runs the authorized show version and Telnet 10.6.8.11 commands. For example:

telnet 10.6.8.21
Trying 10.6.8.21...
Connected to 10.6.8.21.
Escape character is '^]'.
User Access Verification
Username: ga_simpson
Password: sesame1

as5200> sh ver
Cisco Internetwork Operating System Software
IOS (tm) 5200 Software (C5200-J-L), Version 11.3(1), RELEASE SOFTWARE (fc1)
Copyright (c) 1986-1997 by cisco Systems, Inc.
Compiled Tue 16-Dec-97 02:49 by richardd
Image text-base: 0x22048730, data-base: 0x00005000
ROM: System Bootstrap, Version 11.1(474) [tamb 474], RELEASE SOFTWARE (fc1)
BOOTFLASH: 5200 Software (AS5200-BOOT-L), Version 11.1(474), RELEASE SOFTWARE (fc1)

as5200 uptime is 3 hours, 29 minutes
System restarted by reload
System image file is "flash:c5200-j-l_113-1.bin", booted via flash
cisco AS5200 (68030) processor (revision A) with 16384K/16384K bytes of memory.
Processor board ID 03678427
Bridging software.
X.25 software, Version 3.0.0.
SuperLAT software (copyright 1990 by Meridian Technology Corp).
TN3270 Emulation software.
Primary Rate ISDN software, Version 1.0.
Mother board without terminator card.
1 Ethernet/IEEE 802.3 interface(s)
26 Serial network interface(s)
24 terminal line(s)
2 Channelized T1/PRI port(s)
128K bytes of non-volatile configuration memory.
16384K bytes of processor board System flash (Read ONLY)
8192K bytes of processor board Boot flash (Read/Write)
Configuration register is 0x2102

as5200> telnet 10.6.8.11
Trying 10.6.8.11 ... Open
UNIX(r) System V Release 4.0 (NOC1)
login: root
Password:
Last login: Thu Apr 16 14:52:02 from 10.6.8.21
Sun Microsystems Inc. SunOS 5.5.1 Generic May 1996
xhost: Command not found
NOC1# exit
NOC1# logout
[Connection to 10.6.8.11 closed by foreign host]

After establishing a Telnet connection to the authorized IP address and running the authorized EXEC commands, the system administrator then verifies the profile limitations by attempting unauthorized commands. For example:


as5200> sh ip route
Authorization - Failed command line

as5200> ping 10.6.8.11
Authorization - Failed command
as5200>

TACACS+—Shell Filter Access and Limitations (Allow and Refuse)

The following CiscoSecure profile and NAS configuration use the TACACS+ allow and refuse attributes, also known as filter attributes, to allow the user, admn_tfong, to start an EXEC session at a specified (NAS) IP address through any TTY port on that NAS and from any remote address.

User Profiles with Shell Filter Access and Limitations in TACACS+

For TACACS+, the allow and refuse attributes have three different parameters: the NAS name or IP address, the port that is being requested, and the remote IP address of the requesting user.

The following user profile, generated through the Java-based CiscoSecure Administrator advanced configuration program, applies the shell filter allow and refuse attributes to:

Allow user admn_tfong to start an EXEC session on the NAS located at IP address 10.6.8.21 through any TTY port on that NAS from any remote IP address.

Refuse user admn_tfong EXEC session access to any other (NAS) IP address.

user = admn_tfong {
member = groupB
password = clear "cisco"
service=shell {
allow "^10\.6\.8\.21$" "tty.*" ".*"
refuse ".*" ".*" ".*"
}
}

Note The ^, \, and $ characters are standard regular-expression metacharacters and are inserted here so that the IP address and TTY port patterns match only what is intended. Without the backslashes, each period would match any single character, so the pattern 10.6.8.21 would also match a string such as 10x6x8x21; without the ^ and $ anchors, the pattern would also match longer addresses that merely contain it, such as 10.6.8.210 or 110.6.8.21. Either mistake would let user admn_tfong start shell sessions on NASes other than the one at 10.6.8.21.
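To show how the two TACACS+ profiles above are applied, here is an added Python example (not code from this page or from CiscoSecure) that evaluates ga_simpson's cmd permit rules and admn_tfong's allow/refuse filters against sample command lines and login locations. It assumes, as the Note implies and as the open-source tac_plus daemon does, that patterns are unanchored regular expressions tried in order with an implicit deny when nothing matches; the CiscoSecure matching engine itself is not reproduced. Under that assumption the unescaped, unanchored permit 10.6.8.11 in the first profile also matches 10.6.8.110, so the block includes the anchored form for comparison. All rule sets and sample inputs are constructed.

```python
import re

# Rule sets transcribed by hand from the two profiles on this page. They are
# constructed Python data, not output of a CiscoSecure profile parser.
GA_SIMPSON_CMDS = {                 # cmd=show { permit version }  cmd=telnet { permit 10.6.8.11 }
    "show":   [("permit", r"version")],
    "telnet": [("permit", r"10.6.8.11")],
}
ADMN_TFONG_FILTERS = [              # allow "nas" "port" "remote" ; refuse everything else
    ("allow",  r"^10\.6\.8\.21$", r"tty.*", r".*"),
    ("refuse", r".*",             r".*",    r".*"),
]
# The same filter with the Note's advice ignored: dots unescaped, no anchors.
LOOSE_FILTERS = [
    ("allow",  r"10.6.8.21", r"tty.*", r".*"),
    ("refuse", r".*",        r".*",    r".*"),
]


def authorize_command(cmds, line):
    """TACACS+ command authorization. IOS sends the expanded command, so "sh ver"
    arrives as "show version". The first permit/deny pattern that matches the
    argument string decides; a command or argument no rule matches is denied.
    Assumption: patterns are unanchored regular expressions, as in tac_plus."""
    words = line.split()
    if not words:
        return False
    name, args = words[0], " ".join(words[1:])
    for action, pattern in cmds.get(name, []):
        if re.search(pattern, args):
            return action == "permit"
    return False


def exec_allowed(filters, nas_ip, port, remote):
    """Shell filter check made at EXEC authorization: a rule applies only when
    all three of its patterns match; the first applicable rule decides; no
    match is treated as refuse."""
    for action, nas_re, port_re, remote_re in filters:
        if (re.search(nas_re, nas_ip) and re.search(port_re, port)
                and re.search(remote_re, remote)):
            return action == "allow"
    return False


def anchored(literal):
    """Escape a literal value and anchor it, the form the Note recommends."""
    return "^" + re.escape(literal) + "$"


# ga_simpson's profile with the telnet target written as the Note recommends.
GA_SIMPSON_CMDS_STRICT = {
    "show":   [("permit", anchored("version"))],
    "telnet": [("permit", anchored("10.6.8.11"))],
}

if __name__ == "__main__":
    for cmd in ("show version", "show ip route", "telnet 10.6.8.11",
                "ping 10.6.8.11", "telnet 10.6.8.110"):
        print(f"{cmd:18} loose={authorize_command(GA_SIMPSON_CMDS, cmd)!s:5} "
              f"strict={authorize_command(GA_SIMPSON_CMDS_STRICT, cmd)}")
    for nas in ("10.6.8.21", "10.6.8.22", "10x6x8x21", "110.6.8.21"):
        print(f"{nas:12} profile={exec_allowed(ADMN_TFONG_FILTERS, nas, 'tty3', '10.6.8.99')!s:5} "
              f"loose={exec_allowed(LOOSE_FILTERS, nas, 'tty3', '10.6.8.99')}")
```

Running the block prints a row per command and per NAS address; the loose column is where the over-matching shows up. The practical rule is the one the Note gives: write literal addresses and port names escaped and anchored, and keep a final refuse (or, for commands, rely on the implicit deny) so that anything the allow rules do not name is turned away.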


NAS Support for Shell Filter Access and Limitations in TACACS+

The following configuration, entered at the NAS through which user admn_tfong logs in, supports shell service filter attributes applied in the profile configured in the "User Profiles with Shell Filter Access and Limitations in TACACS+" section. Commands significant to this support are annotated below.

version 11.3
!
hostname as5200
!
aaa new-model
aaa authentication login vtymethod local tacacs+ enable
aaa authentication login conmethod local tacacs+ enable

! Ask TACACS+ for EXEC (shell) authorization; this is the request in
! which the allow/refuse filters in the profile are evaluated.
aaa authorization exec tacacs+
aaa authorization commands 1 tacacs+
enable password cisco
!
username cisco password 0 cisco
isdn switch-type primary-5ess
!
controller T1 0
framing esf
clock source line primary
linecode b8zs
pri-group timeslots 1-24
!
interface Ethernet0
ip address 10.6.8.21 255.0.0.0
!
interface Group-Async1
ip unnumbered Ethernet0
encapsulation ppp
no ip route-cache
no ip mroute-cache
async dynamic routing
async mode interactive
no peer default ip address
ppp authentication chap
group-range 1 24
!
router rip
network 10.0.0.0
!
tacacs-server host 10.6.8.20
tacacs-server timeout 10
tacacs-server key SECRET12345
!
line con 0
exec-timeout 0 0
password cisco
login authentication conmethod
line 1 24
autoselect ppp
modem InOut
transport input all
telnet transparent
line aux 0
line vty 0
exec-timeout 0 0
password cisco
login authentication vtymethod
width 110
line vty 1 4
exec-timeout 0 0
password cisco
login authentication vtymethod
!
end

Verification of Shell Filter Access and Limitations on EXEC Session Access in TACACS+

To verify that user admn_tfong can start an EXEC session, the administrator, in the example below, Telnets to the authorized NAS at 10.6.8.21 and logs in as admn_tfong. Logging in to a NAS at any other IP address would pass authentication but be refused at EXEC authorization by the refuse rule.

telnet 10.6.8.21
Trying 10.6.8.21...
Connected to 10.6.8.21.
Escape character is '^]'.

User Access Verification

Username: admn_tfong
Password: cisco

as5200>

TACACS+—Asynchronous PPP Connections with CHAP Authentication

The following CiscoSecure profile and NAS configurations support a TACACS+ PPP user logging in with CHAP authentication. The user is assigned an IP address from pool aaa, which the NAS downloads from the nas1-pools profile.

User Profiles for Asynchronous PPP Connections in TACACS+

The following two user profiles are generated through the Java-based CiscoSecure Administrator advanced configuration program.

The first profile sets up user bliu for a PPP connection and assigns the user to IP address pool aaa. The password is stored with the chap keyword in clear text because the server must compute the CHAP MD5 response itself; a one-way hashed password cannot be used with CHAP:

user = bliu {
member = groupA
password = chap "sesame2"
service=ppp {
protocol=ip {
set addr-pool=aaa
}
protocol=lcp {
}
}
}

The second profile sets up a "user" nas1-pools, which the NAS downloads at startup, and defines the "aaa" pool as the address range 10.6.8.31 to 10.6.8.33:

user = nas1-pools{
member = Examples
service=ppp {
protocol=ip {
set pool-def#1="aaa 10.6.8.31 10.6.8.33"
set pool-timeout=60
}
}
}

NAS Support for PPP Connection in TACACS+

The following configuration, entered at the NAS through which user bliu logs in, supports the PPP connection configured in the earlier section, "User Profiles for Asynchronous PPP Connections in TACACS+." Commands significant to this support are annotated below.

version 11.3
!
hostname as5200
!
aaa new-model
aaa authentication login vtymethod local tacacs+ enable
aaa authentication login conmethod local tacacs+ enable

! Set ppp default authentication list
aaa authentication ppp default tacacs+
aaa authorization exec tacacs+
aaa authorization commands 1 tacacs+

! Set ppp authorization
aaa authorization network tacacs+

! Set ppp accounting
aaa accounting network start-stop tacacs+

! Download the IP address pool definitions from the nas1-pools profile
aaa configuration config-username nas1-pools
enable password cisco
!
username cisco password 0 cisco
isdn switch-type primary-5ess
!
controller T1 0
framing esf
clock source line primary
linecode b8zs
pri-group timeslots 1-24
!
interface Ethernet0
ip address 10.6.8.21 255.0.0.0
!
interface Group-Async1
ip unnumbered Ethernet0
encapsulation ppp
no ip route-cache
no ip mroute-cache
async dynamic routing
async mode interactive
no peer default ip address
ppp authentication chap
group-range 1 24
!
router rip
network 10.0.0.0
!
tacacs-server host 10.6.8.20
tacacs-server timeout 10
tacacs-server key SECRET12345
!
line con 0
exec-timeout 0 0
password cisco
login authentication conmethod
line 1 24
autoselect ppp
modem InOut
transport input all
telnet transparent
line aux 0
line vty 0
exec-timeout 0 0
password cisco
login authentication vtymethod
width 110
line vty 1 4
exec-timeout 0 0
password cisco
login authentication vtymethod
!
end

Verification of Asynchronous PPP Connection in TACACS+

To verify the asynchronous PPP connection configuration, the administrator, in the example below, sets up a Windows 95 workstation for PPP connection and tests it:


Step 1 In Windows select Start>Programs>Accessories>Dial-Up Networking.

Step 2 Select Connections>Make New Connection and enter a name for your connection.

Step 3 Enter your modem-specific information and under Configure/General choose the highest speed of your modem, but do not check the box below this.

Step 4 Under Configure/Connection, use 8 data bits, no parity, and 1 stop bit. Under Call preferences select Wait for dial tone before dialing or Cancel the call if not connected after 200 seconds.

Step 5 Under Advanced, select only the Hardware Flow Control or Modulation Type Standard options.

Step 6 Under Configure/Options, check nothing except options under status control.

Step 7 Click OK and click Next.

Step 8 On the next screen, enter the telephone number of the destination, click Next, and then click Finish.

Step 9 When the new connection icon appears, right click on it, select Properties, and then select Server Type.

Step 10 Select PPP:WINDOWS 95, WINDOWS NT 3.5, Internet and do not check any advanced options.

Check Require encrypted password only; this makes the client refuse PAP and use CHAP, so the password does not cross the line in clear text.

Step 11 Under TCP/IP settings, select Server assigned IP address and Server assigned name server addresses.

Step 12 Under Allowed Network Protocols, check TCP/IP.

Step 13 Check Use default gateway on remote network and click OK.

Step 14 Double click the Connect icon to bring up the Connect To window. Fill in the User Name and Password fields and click Connect.


RADIUS—EXEC Session Authorization

The following CiscoSecure profile and NAS configurations enable a RADIUS protocol user to run an EXEC session.

User Profile for EXEC Session Authorization in RADIUS

The following user profile, generated through the Java-based CiscoSecure Administrator advanced configuration program, grants user admn_mkumar authorization to run EXEC session commands on the NAS that he is logging into. No restrictions are specified.

user = admn_mkumar {
member = groupL
radius=Cisco {
check_items= {
2=sesame4
}
reply_attributes= {
6=7
}
}
}

Note 2=sesame4 is RADIUS attribute 2 (User-Password) used as a check item: the server recovers the password the NAS hides in the Access-Request using the shared radius-server key and compares it with sesame4. 6=7 is attribute 6 (Service-Type) with value 7, named Shell-User in the CiscoSecure dictionary and NAS-Prompt in RFC 2865; it tells the NAS to start an EXEC session.


NAS Support for EXEC Session Authorization in RADIUS

The following configuration, entered at the NAS through which user admn_mkumar logs in, supports the EXEC session authorization configured in the "User Profile for EXEC Session Authorization in RADIUS" section.

version 11.3
!
hostname as5200
!
aaa new-model
aaa authentication login vtymethod local radius enable
aaa authentication login conmethod local radius enable
enable password cisco
!
username cisco password 0 cisco
isdn switch-type primary-5ess
!
controller T1 0
framing esf
clock source line primary
linecode b8zs
pri-group timeslots 1-24
!
interface Ethernet0
ip address 10.6.8.21 255.0.0.0
!
interface Group-Async1
ip unnumbered Ethernet0
encapsulation ppp
no ip route-cache
no ip mroute-cache
async dynamic routing
async mode interactive
no peer default ip address
ppp authentication chap
group-range 1 24
!
router rip
network 10.0.0.0
!
! Legacy RADIUS ports; RFC 2865 and RFC 2866 later assigned 1812 and 1813
radius-server host 10.6.8.20 auth-port 1645 acct-port 1646
radius-server timeout 10
! Shared secret; it hides User-Password and authenticates replies, so
! treat it as a password
radius-server key SECRET12345
!
line con 0
exec-timeout 0 0
password cisco
login authentication conmethod
line 1 24
autoselect ppp
modem InOut
transport input all
telnet transparent
line aux 0
line vty 0
exec-timeout 0 0
password cisco
login authentication vtymethod
width 110
line vty 1 4
exec-timeout 0 0
password cisco
login authentication vtymethod
!
end

Verification of EXEC Session Authorization in RADIUS

To verify that user admn_mkumar can start an EXEC session, the administrator, in the example below, Telnets to the NAS at 10.6.8.21 and logs in as admn_mkumar. Because the profile carries no restrictions, the same login works on any NAS that uses this ACS.

telnet 10.6.8.21
Trying 10.6.8.21...
Connected to 10.6.8.21.
Escape character is '^]'.

User Access Verification

Username: admn_mkumar
Password: sesame4

as5200>

RADIUS—Asynchronous PPP Connections with CHAP Authentication

The following CiscoSecure profile and NAS configurations support a RADIUS PPP user logging in with CHAP authentication. The user is assigned an IP address from pool bbb, which the NAS downloads from the nas1-pools profile.

User Profiles for Asynchronous PPP Connections in RADIUS

The following two user profiles are generated through the Java-based CiscoSecure Administrator advanced configuration program.

The first profile sets up user pbradley for a PPP connection and assigns the user to IP address pool bbb. The reply attributes are 7=1 (Framed-Protocol=PPP), 6=2 (Service-Type=Framed), and the Cisco vendor-specific attribute 9,1 (cisco-avpair) carrying ip:addr-pool=bbb:

user = pbradley {
member = groupG
radius=Cisco {
check_items= {
2=sesame5
}
reply_attributes= {
7=1
6=2
9,1="ip:addr-pool=bbb"
}
}
}

The second profile sets up a "user" nas1-pools, which the NAS downloads at startup, and defines the "bbb" pool as the address range 10.6.8.34 to 10.6.8.35. The 6=5 reply attribute is Service-Type with value 5, Outbound:

user = nas1-pools{
member = Examples
radius=Cisco {
reply_attributes= {
6=5
9,1="ip:pool-def#1=bbb 10.6.8.34 10.6.8.35"
}
}
}
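The numeric attributes in the RADIUS profiles above (2, 6, 7 and the 9,1 vendor pair) are RFC 2865 attribute types. As an added example, not code from this page or from Cisco, the following Python encodes them, hides User-Password the way the NAS does using the radius-server key SECRET12345 from the configurations on this page, recovers it on the server side as check item 2 requires, and computes and verifies the Response Authenticator on an Access-Accept carrying pbradley's reply attributes. The packet identifier is constructed; the Request Authenticator is random, as RFC 2865 requires. The page's PPP users authenticate with CHAP, which carries CHAP-Password (attribute 3) rather than User-Password; the hiding shown here is what the EXEC login of admn_mkumar uses.

```python
import hashlib
import os
import struct

SECRET = b"SECRET12345"          # radius-server key from the NAS configurations on this page
ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
USER_NAME, USER_PASSWORD, SERVICE_TYPE, FRAMED_PROTOCOL, VENDOR_SPECIFIC = 1, 2, 6, 7, 26
CISCO, CISCO_AVPAIR = 9, 1       # the "9,1" pair in the profiles: vendor id 9, VSA type 1


def hide_password(password, secret, request_auth):
    """RFC 2865 section 5.2: pad to 16-byte blocks and XOR each block with
    MD5(secret + previous ciphertext block), seeded with the Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        pad = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(padded[i:i + 16], pad))
        out += block
        prev = block
    return out


def unhide_password(hidden, secret, request_auth):
    """Inverse of hide_password; this is what the server does for check item 2."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        pad = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], pad))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def attr(atype, value):
    """One attribute: type, length (including this 2-byte header), value."""
    return struct.pack("!BB", atype, len(value) + 2) + value


def cisco_avpair(text):
    """Vendor-Specific (26) carrying vendor id 9 and sub-attribute 1, cisco-avpair."""
    v = text.encode()
    return attr(VENDOR_SPECIFIC, struct.pack("!IBB", CISCO, CISCO_AVPAIR, len(v) + 2) + v)


def packet(code, ident, authenticator, attrs):
    return struct.pack("!BBH", code, ident, 20 + len(attrs)) + authenticator + attrs


def response_authenticator(code, ident, attrs, request_auth, secret):
    """MD5(Code + ID + Length + RequestAuth + Attributes + Secret), RFC 2865 section 3."""
    head = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(head + request_auth + attrs + secret).digest()


def parse_attrs(data):
    """Return (type, value) pairs; Cisco VSAs come back as ("cisco-avpair", text)."""
    out, i = [], 0
    while i < len(data):
        atype, alen = data[i], data[i + 1]
        value = data[i + 2:i + alen]
        if (atype == VENDOR_SPECIFIC and struct.unpack("!I", value[:4])[0] == CISCO
                and value[4] == CISCO_AVPAIR):
            out.append(("cisco-avpair", value[6:4 + value[5]].decode()))
        else:
            out.append((atype, value))
        i += alen
    return out


def build_access_request(user, password, secret, ident=1, request_auth=None):
    """What the NAS sends for a login; the Request Authenticator must be fresh and random."""
    request_auth = request_auth or os.urandom(16)
    attrs = attr(USER_NAME, user.encode())
    attrs += attr(USER_PASSWORD, hide_password(password.encode(), secret, request_auth))
    return packet(ACCESS_REQUEST, ident, request_auth, attrs)


def server_check_password(request, secret, expected):
    """Server side of check item 2=<password>: recover the password and compare."""
    attrs = dict(parse_attrs(request[20:]))
    return unhide_password(attrs[USER_PASSWORD], secret, request[4:20]) == expected.encode()


def build_access_accept(request, secret, attrs):
    ident, request_auth = request[1], request[4:20]
    auth = response_authenticator(ACCESS_ACCEPT, ident, attrs, request_auth, secret)
    return packet(ACCESS_ACCEPT, ident, auth, attrs)


def verify_response(response, request, secret):
    """NAS side: a reply whose authenticator does not check out is forged or used another key."""
    code, ident, length = struct.unpack("!BBH", response[:4])
    expected = response_authenticator(code, ident, response[20:length], request[4:20], secret)
    return response[4:20] == expected


# Reply attributes of the two profiles on this page, constructed here.
ADMN_MKUMAR_REPLY = attr(SERVICE_TYPE, struct.pack("!I", 7))        # 6=7  NAS-Prompt (Shell-User)
PBRADLEY_REPLY = (attr(FRAMED_PROTOCOL, struct.pack("!I", 1))       # 7=1  Framed-Protocol=PPP
                  + attr(SERVICE_TYPE, struct.pack("!I", 2))        # 6=2  Service-Type=Framed
                  + cisco_avpair("ip:addr-pool=bbb"))               # 9,1  cisco-avpair

if __name__ == "__main__":
    req = build_access_request("admn_mkumar", "sesame4", SECRET)
    print("password ok:", server_check_password(req, SECRET, "sesame4"))
    acc = build_access_accept(req, SECRET, PBRADLEY_REPLY)
    print("accept valid:", verify_response(acc, req, SECRET), parse_attrs(acc[20:]))
```

Both the password hiding and the Response Authenticator rest on MD5 of the shared key, and an Access-Request carries no integrity check of its own unless a Message-Authenticator attribute (RFC 2869) is added, so the radius-server key and the NAS-to-ACS path need the same protection as the TACACS+ key.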

NAS Support for PPP Connection in RADIUS

The following configuration, entered at the NAS through which user pbradley logs in, supports the PPP Connection configured in the "User Profiles for Asynchronous PPP Connections in RADIUS" section. Commands significant to this support are annotated below.

!
version 11.3
!
hostname as5200
!
aaa new-model
aaa authentication login vtymethod local radius enable
aaa authentication login conmethod local radius enable

! Set PPP default authentication list
aaa authentication ppp default radius

! Set PPP authorization
aaa authorization network radius

! Set PPP accounting
aaa accounting network start-stop radius

! Download the IP address pool definitions from the nas1-pools profile
aaa configuration config-username nas1-pools
enable password cisco
!
username cisco password 0 cisco
isdn switch-type primary-5ess
!
controller T1 0
framing esf
clock source line primary
linecode b8zs
pri-group timeslots 1-24
!
interface Ethernet0
ip address 10.6.8.21 255.0.0.0
!
interface Group-Async1
ip unnumbered Ethernet0
encapsulation ppp
no ip route-cache
no ip mroute-cache
async dynamic routing
async mode interactive
no peer default ip address
ppp authentication chap
group-range 1 24
!
router rip
network 10.0.0.0
!
! Legacy RADIUS ports; RFC 2865 and RFC 2866 later assigned 1812 and 1813
radius-server host 10.6.8.20 auth-port 1645 acct-port 1646
radius-server timeout 10
! Shared secret; it hides User-Password and authenticates replies, so
! treat it as a password
radius-server key SECRET12345
!
line con 0
exec-timeout 0 0
password cisco
login authentication conmethod
line 1 24
autoselect ppp
modem InOut
transport input all
telnet transparent
line aux 0
line vty 0
exec-timeout 0 0
password cisco
login authentication vtymethod
width 110
line vty 1 4
exec-timeout 0 0
password cisco
login authentication vtymethod
!
end

Verification of Asynchronous PPP Connection in RADIUS

To verify the asynchronous PPP connection configuration, the administrator, in the example below, sets up a Windows 95 workstation for the PPP connection and tests it:


Step 1 In Windows select Start>Programs>Accessories>Dial-Up Networking.

Step 2 Select Connections>Make New Connection and enter a name for your connection.

Step 3 Enter your modem-specific information and under Configure/General choose the highest speed of your modem, but do not check the box below this.

Step 4 Under Configure/Connection, use 8 data bits, no parity, and 1 stop bit. Under Call preferences select Wait for dial tone before dialing or Cancel the call if not connected after 200 seconds.

Step 5 Under Advanced, select only the Hardware Flow Control or Modulation Type Standard options.

Step 6 Under Configure/Options, check only Options under Status Control.

Step 7 Click OK and click Next.

Step 8 On the next screen, enter the telephone number of the destination, click Next, and then click Finish.

Step 9 When the new connection icon appears, right-click it, select Properties, and then select Server Type.

Step 10 Select PPP:WINDOWS 95, WINDOWS NT 3.5, Internet and do not check any advanced options.

Check Require encrypted password only; this makes the client refuse PAP and use CHAP, so the password does not cross the line in clear text.

Step 11 Under TCP/IP settings, select Server assigned IP address and Server assigned name server addresses.

Step 12 Under Allowed Network Protocols, check TCP/IP.

Step 13 Check Use default gateway on remote network and click OK.

Step 14 Double-click the Connect icon to bring up the Connect To window. Fill in the User name and Password fields and click Connect.


TACACS+—VPDN Example

The following sample VPDN profiles, user profiles, and NAS configurations set up a customer-managed virtual private dial-up network (VPDN) within a larger ISP-managed network and support users that are logging in to the VPDN through a remote ISP-run NAS.

In the following sample illustration:

1. User jacobw, a DEF Corp employee whose user profile in a company database is accessible only by the DEF Corp ACS, dials in to the ISP network through the remote ISP-run NAS (NAS_ISP) as jacobw@DEF_Corp, DEF_Corp being a VPDN set up by the ISP.

2. The ISP-run NAS (NAS_ISP) strips off "jacobw@" from the login string and forwards an authorization request for DEF_Corp to the ISP-run ACS (ACS_ISP), which has a VPDN profile for DEF_Corp already configured.

3. ACS_ISP returns DEF_Corp VPDN profile information to NAS_ISP, which engages in a two-way authentication process with the DEF Corp-run home gateway NAS (NAS_DEFCORP) and, if successful, establishes a VPDN tunnel to NAS_DEFCORP.

4. The "jacobw@DEF_Corp" login string is forwarded from NAS_ISP through the VPDN tunnel to NAS_DEFCORP and then to the DEF Corp-run ACS (ACS_DEFCORP), which is configured through CiscoSecure administration web page settings to strip off "@DEF_Corp" and authenticate "jacobw" from the DEF Corp database of authorized users.

Figure 13-1 Sample TACACS+ User Login to a VPDN

TACACS+ Profiles to Set Up at the ISP-Run ACS

To support the above scenario, you need to set up some special CiscoSecure profiles at the ISP-run ACS and at the home gateway ACS.

Set up a special VPDN profile and special NAS profiles at the ISP-run ACS, ACS_ISP.

The VPDN Profile. The following profile specifies the VPDN, DEF_Corp:

user = DEF_Corp {
service = ppp {
protocol = vpdn{
set-ipaddress = 10.10.1.1
set-tunnelid = defcorp_tunnel
}
}
}

Note protocol=vpdn makes the DEF_Corp profile a VPDN; set-ipaddress= specifies the IP address of DEF Corp's home gateway NAS; set-tunnelid= is an arbitrary character string, but it must match the name of the tunnel ID profile. The same tunnel ID profile, with the same password, must also exist at the home gateway ACS, because the two NASes authenticate the tunnel against it.


The tunnel ID profile. The following profile specifies the tunnel to DEF Corp's home gateway NAS.

user = defcorp_tunnel {
password = cisco
}

The home gateway NAS profile. Set the following profile for the DEF Corp's gateway NAS, NAS_DEFCORP:

user = NAS_DEFCORP {
password = cisco
}

TACACS+ Profiles to Set Up at the Customer-Run Home Gateway ACS

Set up a profile for each VPDN user logging in to the home gateway NAS and set up special NAS profiles at the DEF_Corp home gateway ACS (ACS_DEFCORP).

A profile for each VPDN user logging in to the home gateway NAS. If the optional domain stripping feature has been configured for the home gateway ACS (see the "Supporting ACS AAA Domain Web Page Configuration" section), this one profile will support the same user whether that user is dialing in directly to NAS_DEFCORP or dialing in through the remote NAS_ISP. The following profile specifies the user, jacobw:

user = jacobw {
password=sesame8
service = ppp {
protocol = ip
protocol = lcp
protocol = multilink
}
}

The tunnel ID profile. The following profile specifies the tunnel to DEF Corp's home gateway NAS:

user = defcorp_tunnel {
password = cisco
}

The home gateway NAS profile. Set the following profile for the home gateway NAS, NAS_DEFCORP:

user = NAS_DEFCORP {
password = cisco
}

Supporting ACS AAA Domain Web Page Configuration

To support the optional domain name stripping described in this example, use the CiscoSecure ACS Administration AAA>Domain web page at both the ISP-run ACS (in this case ACS_ISP) and the VPDN home ACS (in this case ACS_DEFCORP) to specify the "@DEF_Corp" domain name as local or remote.

In the AAA>Domain web page for the ISP-run ACS, ACS_ISP, specify the following settings:

Domain Name: DEF_Corp

Delimiter: @

Domain Name Position: After

Domain Type: Remote

At the ISP-run ACS, this setting strips off the locally meaningless "jacobw@" from the login string and uses the remaining domain name portion to associate session accounting information with the correct customer profile, in this case, DEF_Corp.


Note This configuration is required if you want to enforce VPDN max sessions settings as described in "Limiting and Tracking Sessions Per User, Group, or VPDN."


In the AAA>Domain web page for the DEF Corp-run ACS, ACS_DEFCORP, specify the following settings:

Domain Name: DEF_Corp

Delimiter: @

Domain Name Position: After

Domain Type: Local


Note At the home gateway ACS, this configuration allows user jacobw to use one login string, "jacobw@DEF_Corp" at either a remote NAS or the home gateway NAS.


TACACS+ ISP NAS Support for the VPDN

To support the VPDN, the following configuration is set up at the ISP-run NAS (NAS_ISP):

version 11.2
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
no service udp-small-servers
no service tcp-small-servers
!
hostname NAS_ISP
!
aaa new-model
aaa authentication login default tacacs+
aaa authentication login console enable
aaa authentication login vty local
aaa authentication login dialin tacacs+
aaa authentication ppp default local
aaa authentication ppp dialin if-needed tacacs+
aaa authorization network tacacs+
aaa accounting exec start-stop tacacs+
aaa accounting network start-stop tacacs+
!
! Enabling AAA services
!
enable secret cisco
!
username admin password cisco
!
vpdn enable
!
! enables vpdn connections
!
! vpdn search-order domain dnis
!
! If this ISP NAS ran Cisco IOS 11.3 or later, it would also need the
! "vpdn search-order domain dnis" line above, placed after "vpdn enable",
! to change the default Dialed Number Information Service (DNIS) VPDN
! search order so that the domain is looked up first.
!
!
async-bootp dns-server 10.1.3.1 10.1.3.2
isdn switch-type primary-5ess
!
controller T1 0
framing esf
clock source line primary
linecode b8zs
pri-group timeslots 1-24
!
controller T1 1
framing esf
clock source line secondary
linecode b8zs
pri-group timeslots 1-24
!
interface Loopback0
ip address 10.1.2.254 255.255.255.0
!
interface Ethernet0
ip address 10.1.1.10 255.255.255.0
ip summary-address eigrp 10 10.1.2.0 255.255.255.0
!
interface Serial0
no ip address
shutdown
!

interface Serial1
no ip address
shutdown
!
interface Serial0:23
no ip address
encapsulation ppp
isdn incoming-voice modem
dialer rotary-group 0
dialer-group 1
no fair-queue
no cdp enable
!
interface Serial1:23
no ip address
encapsulation ppp
isdn incoming-voice modem
dialer rotary-group 0
dialer-group 1
no fair-queue
no cdp enable
!
interface Group-Async1
ip unnumbered Loopback0
encapsulation ppp
async mode interactive
peer default ip address pool dialin_pool
no cdp enable
ppp authentication chap pap dialin
group-range 1 48
!
interface Dialer0
ip unnumbered Loopback0
no ip mroute-cache
encapsulation ppp
peer default ip address pool dialin_pool
dialer in-band
dialer-group 1
no fair-queue
no cdp enable
ppp authentication chap pap dialin
ppp multilink
!
router eigrp 10
network 10.0.0.0
passive-interface Dialer0
no auto-summary
!
ip local pool dialin_pool 10.1.2.1 10.1.2.50
ip default-gateway 10.1.1.1
ip classless
tacacs-server host 10.1.3.60
tacacs-server key letmein
tacacs-server timeout 20
!
dialer-list 1 protocol ip permit
!
line con 0
login authentication console
line 1 48
autoselect ppp
autoselect during-login
login authentication dialin
modem DialIn
line aux 0
login authentication console
line vty 0 4
login authentication vty
transport input telnet rlogin
!
end

TACACS+ Home Gateway NAS Support

To support the VPDN, the following configuration is set up at the DEF_Corp home gateway, NAS_DEFCORP:

!
version 11.2
no service udp-small-servers
no service tcp-small-servers
!
hostname NAS_DEFCORP
!
aaa new-model
aaa authentication login default tacacs+ enable
aaa authentication ppp default tacacs+
aaa authorization exec tacacs+ if-authenticated
aaa authorization commands 15 tacacs+ if-authenticated
aaa authorization network tacacs+
aaa accounting exec start-stop tacacs+
aaa accounting network start-stop tacacs+
!
vpdn enable
!
vpdn incoming defcorp_tunnel NAS_DEFCORP virtual-template 1
!
! Specifies the virtual device through which NAS_DEFCORP
! receives tunneled login data from NAS_ISP.
!
interface Ethernet0
ip address 4.1.1.1 255.255.255.0
!
interface Ethernet1
no ip address
shutdown
!
interface Serial0
ip address 10.10.1.1 255.255.255.252
encapsulation ppp
!
interface Serial1
no ip address
shutdown
!
interface Serial2
no ip address
shutdown
!
interface Serial3
no ip address
shutdown
!
interface Virtual-Template 1
ip unnumbered Ethernet0
peer default ip address pool corp1_pool
ppp authentication chap pap
ppp multilink
!
! Defines the virtual port through
! which tunneled login requests from
! NAS_ISP are received by NAS_DEFCORP
!
router eigrp 2
network 2.0.0.0
no auto-summary
!
ip local pool corp1_pool 4.1.1.3 4.1.1.52
ip classless
tacacs-server host 4.1.1.60
tacacs-server key arachnid
!
line con 0
line aux 0
line vty 0 4

Verifying the TACACS+ VPDN Setup

Verify the success of the VPDN example setup as follows:


Step 1 At a Windows workstation, use the Microsoft dial-up networking client software to dial in to NAS_ISP as user jacobw@DEF_Corp with password, sesame8.

If you can connect, the VPDN is up and working.

Step 2 If you are unable to connect, enter the following commands at both NASes to enable VPDN (L2F) and AAA debugging (the protocol keyword is l2f, with a lowercase letter L, not the digit 1):

debug vpdn l2f-errors
debug vpdn l2f-events

debug aaa authorization
debug aaa authentication
debug aaa accounting
debug tacacs
show tacacs

Turn debugging off with undebug all once you have the output you need; debug output is CPU-intensive on a busy NAS.

RADIUS—VPDN Example

The following sample VPDN profiles, user profiles, and NAS configurations set up a virtual private dial-up network (VPDN) within a larger ISP network and support users logging in to that VPDN.

In the following sample illustration:

1. User jacobw, a DEF Corp employee, whose user profile in a company database is accessible only by the DEF Corp ACS, dials in to the ISP network through the ISP-run NAS (NAS_ISP), as jacobw@DEF_Corp, DEF_Corp being a VPDN set up by the ISP.

2. The ISP NAS (NAS_ISP) strips off "jacobw@" from the login string and forwards an authorization request for DEF_Corp to the ISP-run ACS (ACS_ISP), which has a VPDN profile for DEF_Corp already configured.

3. ACS_ISP returns DEF_Corp VPDN profile information to NAS_ISP, which engages in a two-way authentication process with the DEF Corp home gateway NAS (NAS_DEFCORP) and, if successful, establishes a VPDN tunnel to NAS_DEFCORP.

4. The "jacobw@DEF_Corp" login string is forwarded from NAS_ISP through the VPDN tunnel to NAS_DEFCORP and then to CiscoSecure ACS for NAS_DEFCORP, (ACS_DEFCORP), which is configured through CiscoSecure administration web page settings to strip off "@DEF_Corp" and authenticate "jacobw" from the DEF Corp database of authorized users.

Figure 13-2 Sample User Login to a VPDN

RADIUS Profiles to Set Up at the ISP ACS

To support the above scenario, you need to set up some special profiles at the ISP gateway ACS and at the home gateway ACS.

Set up a special VPDN profile and special NAS profiles at the CiscoSecure ACS_ISP.

The VPDN Profile. The following profile specifies the VPDN, DEF_Corp:

user = DEF_Corp {
  radius = Cisco {
    check_items = {
      2 = cisco
    }
    reply_attributes = {
      6 = 5
      9,1 = "vpdn:gw-password=cisco"
      9,1 = "vpdn:nas-password=cisco"
      9,1 = "vpdn:ip-addresses=10.10.1.1"
      9,1 = "vpdn:tunnel-id=defcorp_tunnel"
    }
  }
}

Note In RADIUS terms, 2 = cisco sets User-Password (attribute 2) to cisco, the password checked when NAS_ISP looks up the DEF_Corp domain profile. 6 = 5 sets Service-Type (attribute 6) to Outbound (5), which marks this as a tunnel profile rather than a dial-in account, so the DEF_Corp entry cannot be used for an ordinary inbound login. Each 9,1 entry is a Cisco vendor-specific attribute (vendor 9, subtype 1, cisco-avpair): vpdn:ip-addresses= gives the IP address of DEF Corp's home gateway NAS (the Serial0 address of NAS_DEFCORP in this example); vpdn:tunnel-id= is an arbitrary character string naming the tunnel; vpdn:nas-password= is the password for the tunnel-ID profile; vpdn:gw-password= is the password for the home gateway NAS profile. The tunnel ID and the two tunnel passwords must match the tunnel-ID and home gateway NAS accounts configured at the home gateway; the example uses cisco for all of them for brevity, which you should not do in production.


RADIUS Profiles to Set Up at the Home Gateway ACS

Set up a profile for each VPDN user logging in to the home gateway NAS and set up special NAS profiles at the DEF_Corp home gateway ACS (ACS_DEFCORP).

A profile for each VPDN user logging in to the home gateway NAS. If the optional domain stripping feature has been configured for the home gateway ACS (see the "Supporting ACS AAA Domain Web Page Configuration" section), this one profile will support the same user whether that user is dialing in directly to NAS_DEFCORP or dialing in through the remote NAS_ISP. The following profile specifies the user, jacobw.

user = jacobw {
  radius = Cisco {
    check_items = {
      2 = cisco
    }
    reply_attributes = {
      6 = 2
      7 = 1
    }
  }
}

Note 6 = 2 sets Service-Type (attribute 6) to Framed and 7 = 1 sets Framed-Protocol (attribute 7) to PPP, so jacobw is authorized for a PPP session on the virtual access interface cloned from Virtual-Template 1 rather than for an EXEC shell.

The tunnel ID profile. The following profile specifies the tunnel to DEF Corp's home gateway NAS; its password must match the vpdn:nas-password value in the DEF_Corp VPDN profile at ACS_ISP:

user = defcorp_tunnel {
  radius = Cisco {
    check_items = {
      2 = cisco
    }
  }
}
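
The following Python is an added example, not CiscoSecure or Cisco code. It parses the profile syntax used in the DEF_Corp VPDN profile at ACS_ISP and in the jacobw profile at ACS_DEFCORP, then encodes each profile's reply_attributes as the RADIUS attribute TLVs an Access-Accept would carry, so you can see what "6 = 5" and the "9,1" cisco-avpair entries look like on the wire (attribute 26 wrapping a 4-byte Vendor-Id and a vendor TLV). The two sample profiles embedded in the code are copied from this page; the decoder also shows the length checks a receiver must apply before trusting an attribute.

```python
# Added example, not CiscoSecure or Cisco code.  Parses the profile syntax used
# on this page and encodes reply_attributes as the RADIUS attribute TLVs an
# Access-Accept carries (RFC 2865: Type, Length, Value; attribute 26 wraps a
# 4-byte Vendor-Id plus a vendor TLV, which is what "9,1" denotes).
# Both sample profiles are copied from the page.
import re
import struct

ATTR_VENDOR_SPECIFIC = 26

ISP_VPDN_PROFILE = """user = DEF_Corp {
  radius = Cisco {
    check_items = {
      2 = cisco
    }
    reply_attributes = {
      6 = 5
      9,1 = "vpdn:gw-password=cisco"
      9,1 = "vpdn:nas-password=cisco"
      9,1 = "vpdn:ip-addresses=10.10.1.1"
      9,1 = "vpdn:tunnel-id=defcorp_tunnel"
    }
  }
}"""
HOME_USER_PROFILE = """user = jacobw {
  radius = Cisco {
    check_items = {
      2 = cisco
    }
    reply_attributes = {
      6 = 2
      7 = 1
    }
  }
}"""
_KV = re.compile(r'^([^=\s{]+)\s*=\s*(.*?)\s*$')

def parse_profile(text):
    """Nested dicts: "key = name {" opens a dict under key (name kept as
    "_name"); a repeated key such as 9,1 collects its values into a list."""
    root = {}
    stack = [root]
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == '}':
            if len(stack) == 1:
                raise ValueError('unexpected "}"')
            stack.pop()
            continue
        m = _KV.match(line)
        if not m:
            raise ValueError('unparseable line: %r' % raw)
        key, value = m.groups()
        if value.endswith('{'):
            child = {'_name': value[:-1].strip()} if value[:-1].strip() else {}
            stack[-1][key] = child
            stack.append(child)
        elif key in stack[-1]:                       # repeated key -> list
            old = stack[-1][key]
            stack[-1][key] = (old if isinstance(old, list) else [old]) + [value.strip('"')]
        else:
            stack[-1][key] = value.strip('"')
    if len(stack) != 1:
        raise ValueError('unbalanced braces')
    return root

def _attr(attr_type, payload):
    if len(payload) > 253:
        raise ValueError('attribute too long for one TLV')
    return struct.pack('!BB', attr_type, len(payload) + 2) + payload

def encode_reply_attributes(reply):
    """"N = v" -> attribute N with a 32-bit integer value; "V,S = text" ->
    attribute 26 with Vendor-Id V and vendor subtype S (9,1 is cisco-avpair)."""
    out = b''
    for key, values in reply.items():
        if key.startswith('_'):
            continue
        for value in values if isinstance(values, list) else [values]:
            if ',' in key:
                vendor, subtype = (int(x) for x in key.split(','))
                data = value.encode()
                out += _attr(ATTR_VENDOR_SPECIFIC,
                             struct.pack('!IBB', vendor, subtype, len(data) + 2) + data)
            else:
                out += _attr(int(key), struct.pack('!I', int(value)))
    return out

def decode_attributes(buf):
    """Walk the TLVs back into [(type, vendor, subtype, value)] (vendor and
    subtype None for plain attributes), refusing lengths that run past the
    buffer or disagree with the vendor TLV, as a receiver must."""
    out, i = [], 0
    while i < len(buf):
        attr_type, length = buf[i], buf[i + 1] if i + 1 < len(buf) else 0
        if length < 2 or i + length > len(buf):
            raise ValueError('bad attribute length at offset %d' % i)
        body = buf[i + 2:i + length]
        if attr_type == ATTR_VENDOR_SPECIFIC:
            if len(body) < 6 or body[5] != len(body) - 4:
                raise ValueError('bad vendor TLV at offset %d' % i)
            vendor, subtype = struct.unpack('!IB', body[:5])
            out.append((attr_type, vendor, subtype, body[6:].decode()))
        elif len(body) == 4:
            out.append((attr_type, None, None, struct.unpack('!I', body)[0]))
        else:
            raise ValueError('non-integer attribute %d' % attr_type)
        i += length
    return out
```

Running decode_attributes(encode_reply_attributes(...)) on the DEF_Corp reply gives the Service-Type 5 attribute followed by four attribute-26 entries with Vendor-Id 9 and subtype 1; the first 14 bytes of the encoding are 06 06 00 00 00 05 1a 1e 00 00 00 09 01 18, that is Service-Type, then a 30-byte VSA whose 24-byte vendor TLV carries the gw-password string. The check_items block is deliberately not encoded: it is what the ACS compares against the Access-Request, not something it sends back.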

Supporting ACS AAA Domain Web Page Configuration

To support the optional domain name stripping described in this example, use the CiscoSecure ACS Administration AAA>Domain web page at both the ISP-run ACS (in this case ACS_ISP) and the VPDN home ACS (in this case ACS_DEFCORP) to specify the "@DEF_Corp" domain name as local or remote.

In the AAA>Domain web page for the ISP-run ACS, ACS_ISP, specify the following settings:

Domain Name: DEF_Corp

Delimiter: @

Domain Name Position: After

Domain Type: Remote

At the ISP-run ACS, this setting strips off the locally meaningless "jacobw@" from the login string and uses the remaining domain name portion to associate session accounting information with the correct customer profile, in this case, DEF_Corp.


Note This configuration is required if you want to enforce VPDN Max Sessions settings as described in "CiscoSecure Profile and NAS Configuration Examples."


In the AAA>Domain web page for the DEF Corp-run ACS, ACS_DEFCORP, specify the following settings:

Domain Name: DEF_Corp

Delimiter: @

Domain Name Position: After

Domain Type: Local


Note At the home gateway ACS, this configuration allows user jacobw to use one login string, "jacobw@DEF_Corp" at either a remote NAS or the home gateway NAS.
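
The following Python is an added example, not CiscoSecure code. It models what the AAA>Domain settings above do to a login string at each ACS: a Remote rule at ACS_ISP discards the user part and keeps the domain for the VPDN profile and accounting, a Local rule at ACS_DEFCORP discards the domain and authenticates the bare username, and a login with no delimiter passes through unchanged, which is why jacobw can also dial NAS_DEFCORP directly. It also derives the per-VPDN session count the ISP side needs for the VPDN Max Sessions check mentioned in the note. Exact-case domain matching, the "no-match" outcome, and the active-session list and user names other than jacobw are this example's own assumptions and constructed data, not behaviour the page states.

```python
# Added example, not CiscoSecure code: a model of the AAA>Domain settings
# applied to a login string, plus the per-VPDN session count the ISP ACS
# derives from it.  Domain names are compared exactly (an assumption; the
# page does not say whether ACS matches case-insensitively).  The
# active-session list used in the demo is constructed for this example.
from collections import namedtuple

# name/delimiter/position/domain_type mirror the four web-page fields.
DomainRule = namedtuple('DomainRule', 'name delimiter position domain_type')

ISP_RULES = [DomainRule('DEF_Corp', '@', 'After', 'Remote')]   # ACS_ISP
HOME_RULES = [DomainRule('DEF_Corp', '@', 'After', 'Local')]   # ACS_DEFCORP


def split_login(login, rule):
    """Return (user, domain) for one rule; domain is None when the delimiter
    is absent.  'After' means user@domain, 'Before' means domain/user."""
    if rule.delimiter not in login:
        return login, None
    if rule.position == 'After':
        user, _, domain = login.rpartition(rule.delimiter)
    elif rule.position == 'Before':
        domain, _, user = login.partition(rule.delimiter)
    else:
        raise ValueError('position must be Before or After')
    return user, domain


def apply_domain_rules(login, rules):
    """('vpdn', domain)    a Remote rule matched: drop the user part, hand the
                           domain to the VPDN profile / accounting
       ('local', user)     a Local rule matched: drop the domain, authenticate
                           the bare username
       ('local', login)    no delimiter at all (direct dial-in, same profile)
       ('no-match', login) delimiter present but no rule for that domain
                           (this example's convention, not documented ACS
                           behaviour)"""
    saw_domain = False
    for rule in rules:
        user, domain = split_login(login, rule)
        if domain is None:
            continue
        saw_domain = True
        if domain != rule.name:
            continue
        if rule.domain_type == 'Remote':
            return 'vpdn', domain
        if rule.domain_type == 'Local':
            return 'local', user
        raise ValueError('domain type must be Local or Remote')
    return ('no-match', login) if saw_domain else ('local', login)


def vpdn_session_counts(active_logins, rules):
    """Active sessions per VPDN, as the ISP ACS needs them for Max Sessions."""
    counts = {}
    for login in active_logins:
        kind, value = apply_domain_rules(login, rules)
        if kind == 'vpdn':
            counts[value] = counts.get(value, 0) + 1
    return counts


def vpdn_session_allowed(new_login, active_logins, rules, max_sessions):
    """True unless new_login targets a VPDN that is already at its limit."""
    kind, domain = apply_domain_rules(new_login, rules)
    if kind != 'vpdn' or domain not in max_sessions:
        return True
    return vpdn_session_counts(active_logins, rules).get(domain, 0) < max_sessions[domain]


if __name__ == '__main__':
    # Constructed session list: two DEF_Corp VPDN users and one plain ISP user.
    active = ['jacobw@DEF_Corp', 'annek@DEF_Corp', 'localuser']
    print(apply_domain_rules('jacobw@DEF_Corp', ISP_RULES))
    print(apply_domain_rules('jacobw@DEF_Corp', HOME_RULES))
    print(vpdn_session_counts(active, ISP_RULES))
    print(vpdn_session_allowed('pat@DEF_Corp', active, ISP_RULES, {'DEF_Corp': 2}))
```

The same login string therefore yields ('vpdn', 'DEF_Corp') at the ISP and ('local', 'jacobw') at the home gateway, and without the Remote rule at ACS_ISP the session counter would have nothing to group by, which is the point of the note above.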


RADIUS ISP NAS Support for the VPDN

To support the VPDN, the following configuration is set up at the ISP gateway NAS (NAS_ISP).


Note Because this is a RADIUS example, you must make sure this NAS has been associated with its ACS using the Java-based CiscoSecure Administrator advanced configuration program. Start the CiscoSecure Administrator, click the NAS tab, and specify the IP address and shared secret of the ISP gateway NAS. See "Adding and Configuring NASes as RADIUS Clients" in "ACS and NAS Management."


version 11.2
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
no service udp-small-servers
no service tcp-small-servers
!
hostname NAS_ISP
!
aaa new-model
aaa authentication login default radius
aaa authentication login console enable
aaa authentication login vty local
aaa authentication login dialin radius
aaa authentication ppp default radius
aaa authentication ppp dialin if-needed radius
aaa authorization network radius
aaa accounting exec start-stop radius
aaa accounting network start-stop radius
enable secret cisco
!
username admin password cisco
!
vpdn enable
! enables vpdn connections
!
! vpdn search-order domain dnis
!
! If this ISP NAS were running Cisco IOS
! 11.3 or later, the command above would be
! required after "vpdn enable" to make the
! NAS search by domain name before dialed
! number information service (DNIS),
! instead of the default DNIS-first
! VPDN search order.
!
async-bootp dns-server 10.1.3.1 10.1.3.2
isdn switch-type primary-5ess
!

controller T1 0
framing esf
clock source line primary
linecode b8zs
pri-group timeslots 1-24
!
controller T1 1
framing esf
clock source line secondary
linecode b8zs
pri-group timeslots 1-24
!
interface Loopback0
ip address 10.1.2.254 255.255.255.0
!
interface Ethernet0
ip address 10.1.1.10 255.255.255.0
ip summary-address eigrp 10 10.1.2.0 255.255.255.0
!
interface Serial0
no ip address
shutdown
!
interface Serial1
no ip address
shutdown
!
interface Serial0:23
no ip address
encapsulation ppp
isdn incoming-voice modem
dialer rotary-group 0
dialer-group 1
no fair-queue
no cdp enable
!
interface Serial1:23
no ip address
encapsulation ppp
isdn incoming-voice modem
dialer rotary-group 0
dialer-group 1
no fair-queue
no cdp enable
!
interface Group-Async1
ip unnumbered Loopback0
encapsulation ppp
async mode interactive
peer default ip address pool dialin_pool
no cdp enable
ppp authentication chap pap dialin
group-range 1 48
!
interface Dialer0
ip unnumbered Loopback0
no ip mroute-cache
encapsulation ppp
peer default ip address pool dialin_pool
dialer in-band
dialer-group 1
no fair-queue
no cdp enable
ppp authentication chap pap dialin
ppp multilink
!
router eigrp 10
network 10.0.0.0
passive-interface Dialer0
no auto-summary
!
ip local pool dialin_pool 10.1.2.1 10.1.2.50
ip default-gateway 10.1.1.1
ip classless
radius-server host 10.1.3.60 auth-port 1645 acct-port 1646
radius-server key letmein
radius-server timeout 20
!
dialer-list 1 protocol ip permit
!
line con 0
login authentication console
line 1 48
autoselect ppp
autoselect during-login
login authentication dialin
modem DialIn
line aux 0
login authentication console
line vty 0 4
login authentication vty
transport input telnet rlogin
!
end

RADIUS Home Gateway NAS Support

To support the VPDN, the following configuration is set up at the DEF_Corp home gateway, NAS_DEFCORP.


Note The tunnel cannot be initially authenticated using RADIUS alone. You must use the line aaa authentication ppp default radius local and define local user accounts for the tunnel ID and the home gateway identifier on the home gateway NAS. You must also configure the tunnel-id profile in the ACS: Cisco IOS moves on to the next method in a method list only when the previous method returns an error (for example, the RADIUS server does not respond), not when it rejects the credentials, so the local accounts take effect only while ACS_DEFCORP is unreachable, and a missing or mismatched tunnel-id profile at ACS_DEFCORP produces a reject that the local accounts cannot cover.
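
The following Python is an added example, not Cisco IOS code. It models how a method list such as aaa authentication ppp default radius local is walked, so you can see why the local defcorp_tunnel account only helps while the RADIUS server is down and why the tunnel-id profile is still required at ACS_DEFCORP. The RADIUS and local stand-ins, the accounts they hold, and the rule that an undefined local username counts as an error rather than a reject are this example's own constructions and assumptions.

```python
# Added example, not Cisco IOS code: a model of how an IOS AAA method list
# such as "aaa authentication ppp default radius local" is walked.  Methods
# are tried in order; the next one is consulted only when the previous one
# returns ERROR (server unreachable), never on REJECT.  The servers, accounts
# and outcomes below are constructed for this example.
ACCEPT, REJECT, ERROR = 'ACCEPT', 'REJECT', 'ERROR'


class RadiusMethod:
    """Stand-in for ACS_DEFCORP: REJECT on unknown user or bad password,
    ERROR when the server cannot be reached."""
    name = 'radius'

    def __init__(self, users, reachable=True):
        self.users, self.reachable = users, reachable

    def authenticate(self, user, password):
        if not self.reachable:
            return ERROR
        return ACCEPT if self.users.get(user) == password else REJECT


class LocalMethod:
    """Stand-in for the NAS username database (the "username ... password"
    lines).  An undefined username is treated as ERROR so a later method
    could still be tried; a wrong password for a defined user is a REJECT.
    That split is an assumption of this model."""
    name = 'local'

    def __init__(self, users):
        self.users = users

    def authenticate(self, user, password):
        if user not in self.users:
            return ERROR
        return ACCEPT if self.users[user] == password else REJECT


def authenticate(method_list, user, password):
    """Return (result, method name) from the first method that gives a
    definitive answer; if every method errors, the login fails with ERROR."""
    for method in method_list:
        result = method.authenticate(user, password)
        if result != ERROR:
            return result, method.name
    return ERROR, None


# Local accounts taken from the NAS_DEFCORP configuration on this page.
LOCAL = LocalMethod({'NAS_DEFCORP': 'cisco', 'defcorp_tunnel': 'cisco'})


def tunnel_login(acs, user='defcorp_tunnel', password='cisco'):
    """The home gateway authenticating the incoming tunnel ID through
    'aaa authentication ppp default radius local'."""
    return authenticate([acs, LOCAL], user, password)


if __name__ == '__main__':
    acs_ok = RadiusMethod({'defcorp_tunnel': 'cisco', 'jacobw': 'cisco'})
    acs_down = RadiusMethod({'defcorp_tunnel': 'cisco'}, reachable=False)
    acs_noprofile = RadiusMethod({'jacobw': 'cisco'})   # tunnel-id profile missing
    print(tunnel_login(acs_ok))          # ACCEPT via radius
    print(tunnel_login(acs_down))        # ACCEPT via local: reached only on ERROR
    print(tunnel_login(acs_noprofile))   # REJECT via radius: local never consulted
```

The third case is the one that bites in practice: with ACS_DEFCORP reachable but lacking the defcorp_tunnel profile, the server rejects, the method list stops, and the local username defcorp_tunnel line is never consulted.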


version 11.2
no service udp-small-servers
no service tcp-small-servers
!
hostname NAS_DEFCORP
!
aaa new-model
aaa authentication login default radius enable
aaa authentication ppp default radius local
! Required to support local tunnel
! authentication in RADIUS
!
aaa authorization exec radius if-authenticated
aaa authorization commands 15 radius if-authenticated
aaa authorization network radius
aaa accounting exec start-stop radius
aaa accounting network start-stop radius
!
username NAS_DEFCORP password cisco
! Sets up a local NAS account for the
! home gateway NAS
!
username defcorp_tunnel password cisco
! Sets up a local NAS account for the
! VPDN tunnel
!
vpdn enable
vpdn incoming defcorp_tunnel NAS_DEFCORP virtual-template 1
! Specifies the virtual device through which NAS_DEFCORP
! receives tunneled login data from NAS_ISP.
!
interface Ethernet0
ip address 4.1.1.1 255.255.255.0
!
interface Ethernet1
no ip address
shutdown
!
interface Serial0
ip address 10.10.1.1 255.255.255.252
encapsulation ppp
!
interface Serial1
no ip address
shutdown
!
interface Serial2
no ip address
shutdown
!
interface Serial3
no ip address
shutdown
!
interface Virtual-Template 1
ip unnumbered Ethernet0
peer default ip address pool corp1_pool
ppp authentication chap pap
ppp multilink
!
! Defines the virtual tty port through
! which tunneled login requests from
! NAS_ISP are received by NAS_DEFCORP
!
router eigrp 2
network 2.0.0.0
no auto-summary
!
ip local pool corp1_pool 4.1.1.3 4.1.1.52
ip classless
radius-server host 4.1.1.60
radius-server key arachnid
radius-server timeout 20
!
!
line con 0
line aux 0
line vty 0 4

Verifying the RADIUS VPDN Setup

Verify the success of the VPDN example setup as follows:


Step 1 At a Windows workstation, use the Microsoft dial-up networking client software to dial in to NAS_ISP as user jacobw@DEF_Corp with the password set in the jacobw profile at ACS_DEFCORP (cisco in the sample profile above).

If you can connect, the VPDN is up and working.

Step 2 If you are unable to connect, enter the following commands at both NASes to enable VPDN (L2F) and AAA debugging (the protocol keyword is l2f, with a lowercase letter L, not the digit 1):

debug vpdn l2f-errors
debug vpdn l2f-events

debug aaa authorization
debug aaa authentication
debug aaa accounting
debug radius

Turn debugging off with undebug all once you have the output you need; debug output is CPU-intensive on a busy NAS, and debug radius prints the attributes exchanged with the server, so treat the captured output as sensitive.


Combined TACACS+ and RADIUS VPDN Implementation

The two previous sections, "TACACS+—VPDN Example" and "RADIUS—VPDN Example," provide examples supporting VPDN implementation on homogeneous security protocol systems, in which the remote ISP-run NAS/ACS sites and the VPDN home gateway NAS/ACS sites are both configured entirely for TACACS+ or entirely for RADIUS.

However, CiscoSecure also supports heterogeneous networks in which, for example, the remote ISP-run NAS/ACS site is configured for TACACS+ and the VPDN home gateway NAS/ACS site is configured for RADIUS, or vice versa. As long as you configure your ISP-run NAS/ACS sites and VPDN home gateway NAS/ACS sites according to the examples in the "TACACS+—VPDN Example" or "RADIUS—VPDN Example" section and keep the tunnel ID, the home gateway NAS name, and the tunnel passwords consistent on both sides, VPDN connectivity between the TACACS+-configured site and the RADIUS-configured site is preserved.



Posted: Wed Feb 16 10:12:39 PST 2005
All contents are Copyright © 1992--2005 Cisco Systems, Inc. All rights reserved.