
Table of Contents

Common Configurations
Dial-Up Using the Windows NT User Database with TACACS+
Dial-Up Using the CiscoSecure ACS 2.0 User Database with TACACS+
Dial-Up Using SDI Token Card Server with TACACS+
Dial-Up Using the CiscoSecure ACS 2.0 User Database with RADIUS (Cisco)
Dial-Up for an ARAP Client Using the CiscoSecure ACS 2.0 User Database with TACACS+
Router Management Using the CiscoSecure ACS 2.0 User Database with TACACS+
PIX Firewall Authentication/Authorization Using the Windows NT User Database with TACACS+
VPDN Using the CiscoSecure ACS 2.0 User Database with TACACS+

Common Configurations


Before you configure the CiscoSecure ACS for the first time, you need to verify that you have the required settings for the configuration you want. This chapter outlines the necessary settings for the following eight common configurations:

1. Dial-Up Using the Windows NT User Database with TACACS+

2. Dial-Up Using the CiscoSecure ACS 2.0 User Database with TACACS+

3. Dial-Up Using SDI Token Card Server with TACACS+

4. Dial-Up Using the CiscoSecure ACS 2.0 User Database with RADIUS (Cisco)

5. Dial-Up for an ARAP Client Using the CiscoSecure ACS 2.0 User Database with TACACS+

6. Router Management Using the CiscoSecure ACS 2.0 User Database with TACACS+

7. PIX Firewall Authentication/Authorization Using the Windows NT User Database with TACACS+

8. VPDN Using the CiscoSecure ACS 2.0 User Database with TACACS+

Select the configuration that most closely meets your needs.


Note      If you are viewing this as a link from the CiscoSecure Welcome Screen, you are now viewing the online documentation. Click Online Documentation and select Common Configurations to return to this section.


Click Online Documentation and select an item in the table of contents for additional information. Two of the selections available in the online documentation are:

There are four components that must be configured to successfully initiate connectivity and implement the CiscoSecure ACS for Windows NT services:

Dial-Up Using the Windows NT User Database with TACACS+

This is a typical configuration for a Windows NT network that uses only the Windows NT User Database to maintain access. It suits businesses with a significant investment in, or a strategic direction based on, Windows NT. This configuration makes it possible to:

Windows NT Server Configuration

This option requires the most configuration of the Windows NT server environment because of its dependence on Windows NT management functions. These items are configured from User Manager on the Windows NT server that is running the CiscoSecure ACS. Make sure:

CiscoSecure ACS Configuration

The following information represents the parameters that are configured from within the CiscoSecure ACS HTML interface.

NAS Configuration Screen

You can configure the following items from the NAS Configuration screen:


Note       If the first NAS that clients will be dialing into was set up during the installation of the CiscoSecure ACS, all of the information in this section should already be complete.



Note      You must also enable PPP LCP when selecting any PPP protocol.


User Setup

Not necessary—Users successfully authenticated against the Windows NT User Database are added to the CiscoSecure ACS 2.0 User Database as members of group 0, Windows NT Users. You can reassign them to another group later.

Group Setup

You can configure the following items in Group Setup for the Windows NT Users group:

To enable group-level filtering, select the "Enable group level and Enforce User level filtering" check box.


Note If this option is checked and no group-level filter is defined, a user-level filter must be defined for every member of that group, or authentication fails for users without a valid filter.


Service Configuration

You can configure these items from Service Configuration:

If the option is not checked, only the CiscoSecure ACS 2.0 User Database is searched for a matching username. If no matching username exists in the CiscoSecure ACS 2.0 User Database, the authentication fails.

Check this option to ensure that every authentication without a matching username in the CiscoSecure ACS 2.0 User Database is checked against the Windows NT User Database. If that authentication succeeds, a record is automatically generated in the CiscoSecure database for the user, indicating that the user is a Windows NT user and that Windows NT should be used for password authentication. User records added in this way are automatically made members of the group "Windows NT Users."

If the option is checked, the CiscoSecure ACS verifies that dial-up permission has been granted to this user in the Windows NT User Database. Authentication fails for users without dial-up permission on the Windows NT server even if they supply the correct password.

Token Server Configuration

None—Token Card servers are not used in this configuration.

Administration Control

None.

NAS Configuration

There are several Cisco IOS configurations for the NAS depending on many influences such as network protocols, routing, where IP addresses are defined, and which interface access control lists are defined, to name just a few. This sample configuration represents the minimum TACACS+ requirements for a Cisco 2509. PAP is used because the password is checked by the Windows NT User Database: the ACS cannot obtain a user's cleartext password from Windows NT, which CHAP verification requires, so the NAS must forward the password as the client entered it. The password therefore crosses the dial-up link unencrypted; CHAP is available only when the CiscoSecure ACS 2.0 User Database holds the password itself.

aaa new-model
aaa authentication login default tacacs+
aaa authentication ppp default tacacs+
aaa authorization exec tacacs+
aaa authorization network tacacs+
aaa accounting network start-stop tacacs+
aaa accounting exec start-stop tacacs+
tacacs-server host <ip_address>
tacacs-server key <key>
enable secret <password>
aaa authentication login no_tacacs enable
line con 0
login authentication no_tacacs

Enter this command under each interface used for dial-in access:

ppp authentication pap
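The shared key on the tacacs-server lines is what keeps the NAS-to-ACS exchange private. The following Python is an added illustration, not code from this document or from Cisco: it frames a TACACS+ authentication START packet for the PPP/PAP login above and applies the body obfuscation the protocol defines (RFC 8907 section 4.5, unchanged from the original TACACS+ draft that the ACS 2.0 speaks). The session ID, key, username, port and password are constructed sample values. It shows what a key mismatch between the NAS and the ACS entry for that NAS looks like (an unparseable body rather than an explicit error) and why the obfuscation, which carries no integrity check, is not a substitute for a trusted path between the NAS and the ACS.

```python
"""TACACS+ framing and body obfuscation (RFC 8907 section 4.5).

Added illustration, not Cisco code. Session ID, key and user data are
constructed sample values. The key given with "tacacs-server key <key>" on
the NAS must match the key entered for that NAS in the ACS: the body is
XORed with an MD5 keystream derived from the key, so a mismatch yields noise.
No MAC is involved; the key hides the body, it does not authenticate it.
"""
import hashlib
import struct

TAC_PLUS_VERSION = 0xC0            # major 0xC, default minor 0
TAC_PLUS_AUTHEN = 0x01             # packet type: authentication
TAC_PLUS_UNENCRYPTED_FLAG = 0x01   # header flag: body sent in the clear
HEADER_FMT = "!BBBBII"             # version, type, seq_no, flags, session_id, length
HEADER_LEN = struct.calcsize(HEADER_FMT)

# Authen START fixed fields (RFC 8907 section 5.1)
TAC_PLUS_AUTHEN_LOGIN = 0x01
TAC_PLUS_AUTHEN_TYPE_PAP = 0x02
TAC_PLUS_AUTHEN_TYPE_CHAP = 0x03
TAC_PLUS_AUTHEN_SVC_PPP = 0x03


def pseudo_pad(session_id, key, version, seq_no, length):
    """MD5_1 = MD5(session_id, key, version, seq_no);
    MD5_n = MD5(session_id, key, version, seq_no, MD5_n-1); concatenate, truncate."""
    prefix = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(prefix + prev).digest()
        pad += prev
    return pad[:length]


def obfuscate(body, session_id, key, version=TAC_PLUS_VERSION, seq_no=1):
    """XOR the body with the pseudo pad. XOR is its own inverse, so the same
    call de-obfuscates a received body. An empty key means no obfuscation."""
    if not key:
        return body
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def authen_start_body(user, port, rem_addr, password,
                      authen_type=TAC_PLUS_AUTHEN_TYPE_PAP, priv_lvl=1):
    """Authen START for a PPP login: eight fixed octets, then the four variable
    fields. For PAP the data field carries the password the NAS received."""
    for name, value in (("user", user), ("port", port), ("rem_addr", rem_addr), ("data", password)):
        if len(value) > 255:
            raise ValueError(f"{name} exceeds its one-octet length field")
    fixed = bytes([TAC_PLUS_AUTHEN_LOGIN, priv_lvl, authen_type, TAC_PLUS_AUTHEN_SVC_PPP,
                   len(user), len(port), len(rem_addr), len(password)])
    return fixed + user + port + rem_addr + password


def build_packet(ptype, seq_no, session_id, key, body):
    """12-octet header followed by the obfuscated body (NAS side)."""
    flags = 0 if key else TAC_PLUS_UNENCRYPTED_FLAG
    header = struct.pack(HEADER_FMT, TAC_PLUS_VERSION, ptype, seq_no, flags, session_id, len(body))
    return header + obfuscate(body, session_id, key, TAC_PLUS_VERSION, seq_no)


def parse_packet(packet, key):
    """Return (header dict, body) as the ACS would see it. With the wrong key
    the body is noise; the protocol gives no explicit key-mismatch signal."""
    version, ptype, seq_no, flags, session_id, length = struct.unpack(HEADER_FMT, packet[:HEADER_LEN])
    if len(packet) != HEADER_LEN + length:
        raise ValueError("length field does not match packet size")
    body = packet[HEADER_LEN:]
    if not flags & TAC_PLUS_UNENCRYPTED_FLAG:
        body = obfuscate(body, session_id, key, version, seq_no)
    header = {"version": version, "type": ptype, "seq_no": seq_no,
              "flags": flags, "session_id": session_id}
    return header, body


def round_trip_ok(key_on_nas, key_on_acs):
    """Build a PAP Authen START with the NAS key and parse it with the ACS key."""
    body = authen_start_body(b"alice", b"tty3", b"async", b"s3cret")  # constructed sample
    pkt = build_packet(TAC_PLUS_AUTHEN, 1, 0x11223344, key_on_nas, body)
    _, received = parse_packet(pkt, key_on_acs)
    return received == body
```

round_trip_ok(b"nas01", b"nas01") returns True and round_trip_ok(b"nas01", b"nas02") returns False, which is the whole of the diagnostic the protocol offers for a mistyped key; on the ACS this surfaces as failed authentications for every user on that NAS.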

Client Configuration

The client can be an async or ISDN client. For an ISDN client, be sure it is configured to use PAP.

Windows 95 Client

These items are configured from the Dial-Up Networking section of Windows 95. Create and configure a connection with the dial number to the NAS. Once created, right-click on the Connection icon and select properties.

Click Server Type and select:


Note The NAS must include the necessary configuration parameters to support IP Pools.


Windows NT Workstation Client

Make sure:

Comments

Consider the following:


Note      The ability to control access with the "Grant dial-in permission" right does not span across trusted domains.


Dial-Up Using the CiscoSecure ACS 2.0 User Database with TACACS+

This configuration would be used where administrators want stronger authentication such as CHAP, or faster authentication/authorization processing. Service providers would use it where transaction speed is critical. Corporations would use it where the added security of CHAP or of one-time passwords (OTPs) is worth giving up a single login to the Windows NT domain.
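As an added example, not part of the Cisco document, the following Python spells out the difference behind the protocol choice in this and the previous configuration: what PAP (RFC 1334) and CHAP (RFC 1994) place on the dial-up link, and what the authenticator must hold to verify each. Usernames, secrets and the challenge are constructed sample values, and the check callback standing in for the user database is hypothetical. It also shows the residual risk CHAP leaves, offline guessing against a captured challenge/response pair.

```python
"""PAP (RFC 1334) beside CHAP (RFC 1994): what crosses the link and what the
authenticator must hold to verify it.

Added illustration, not from the Cisco document. Names, secrets and the
challenge are constructed sample values. A CHAP response can be verified only
by a party holding the cleartext secret, which is why CHAP is available when
the CiscoSecure ACS 2.0 User Database stores the password and not when
authentication is deferred to the Windows NT User Database.
"""
import hashlib
import hmac
import os


def pap_authenticate_request(peer_id: bytes, password: bytes) -> bytes:
    """RFC 1334 section 2.2.1 payload: Peer-ID-Length, Peer-ID, Passwd-Length,
    Password. The password itself is on the wire; PAP hides nothing."""
    if len(peer_id) > 255 or len(password) > 255:
        raise ValueError("PAP length fields are one octet")
    return bytes([len(peer_id)]) + peer_id + bytes([len(password)]) + password


def pap_parse(payload: bytes):
    """Anyone on the path can run this and read the password."""
    n = payload[0]
    peer_id = payload[1:1 + n]
    m = payload[1 + n]
    password = payload[2 + n:2 + n + m]
    if len(peer_id) != n or len(password) != m:
        raise ValueError("truncated PAP payload")
    return peer_id, password


def pap_verify(payload: bytes, check) -> bool:
    """check(peer_id, password) -> bool is a hypothetical stand-in for the
    database doing the lookup. The Windows NT SAM can answer this question
    without ever releasing the cleartext password."""
    peer_id, password = pap_parse(payload)
    return bool(check(peer_id, password))


def chap_challenge(size: int = 16) -> bytes:
    """Chosen by the authenticator; must be unpredictable and unique per session."""
    return os.urandom(size)


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 section 4.1: MD5 over Identifier || secret || Challenge."""
    if not 0 <= identifier <= 255:
        raise ValueError("CHAP Identifier is one octet")
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


def chap_verify(identifier: int, stored_secret: bytes, challenge: bytes, response: bytes) -> bool:
    """Requires the cleartext secret on the authenticator side: the response
    cannot be checked against a one-way hash of the secret."""
    expected = chap_response(identifier, stored_secret, challenge)
    return hmac.compare_digest(expected, response)


def chap_offline_guess(identifier: int, challenge: bytes, response: bytes, candidates):
    """What an eavesdropper can still do with a captured CHAP exchange: guess
    secrets offline. CHAP keeps the secret off the wire; it does not make a
    weak secret strong. Returns the matching candidate or None."""
    for candidate in candidates:
        if chap_response(identifier, candidate, challenge) == response:
            return candidate
    return None
```

pap_parse recovers the password from any captured PAP request, while chap_verify fails unless the verifier is given the same secret the peer used, which is the dependency the Windows NT User Database cannot satisfy.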

Windows NT Server Configuration

None—Users do not need to exist in the Windows NT User Database unless they need to log into the Windows NT network after accessing the IP network.

CiscoSecure ACS Configuration

The following information represents the parameters that are configured from within the CiscoSecure ACS for Windows NT.

NAS Configuration

You can configure the following items from the NAS configuration window:


Note      If the first NAS that clients will be dialing into was set up during the installation of the CiscoSecure ACS, all of the information in this section should already be complete.



Note      You must also enable PPP LCP when selecting any PPP protocol.


User Setup

You can configure the following from the User Setup window:


Note All groups can be renamed, but the CiscoSecure ACS tracks all groups by their original number.


Group Setup

You can configure the following from the group window:

To enable group-level filtering, select the "Enable group level and Enforce User level filtering" check box.


Note If this option is checked and no group-level filter is defined, a user-level filter must be defined for every member of that group, or authentication fails for users without a valid filter.


Service Configuration

These items are configured from Service Configuration:

Token Server Configuration

None—Token Card servers are not used in this configuration.

NAS Configuration

There are several Cisco IOS configurations for the NAS depending on many influences such as network protocols, routing, where IP addresses are defined, and which interface access control lists are defined, to name just a few. This sample configuration represents the minimum TACACS+ requirements for a Cisco 2509. CHAP can be used because the CiscoSecure ACS 2.0 User Database holds each user's password, so the ACS can compute and compare the expected CHAP response.

aaa new-model
aaa authentication login default tacacs+
aaa authentication ppp default tacacs+
aaa authorization exec tacacs+
aaa authorization network tacacs+
aaa accounting network start-stop tacacs+
aaa accounting exec start-stop tacacs+
tacacs-server host <ip_address>
tacacs-server key <key>
enable secret <password>
aaa authentication login no_tacacs enable
line con 0
login authentication no_tacacs

Enter this command under each interface used for dial-in access:

ppp authentication chap

Client Configuration

The client can be an async or ISDN client.

Windows 95 Client

These items are configured from the Dial-Up Networking section of Windows 95. Create and configure a connection with the dial number to the NAS. Once created, right-click on the Connection icon and select properties.

Click Server Type and select:

Windows NT Workstation Client

Make sure:

Comments

Consider the following:

Dial-Up Using SDI Token Card Server with TACACS+

This configuration outlines how to implement the CiscoSecure ACS with the SDI ACE/Server token card server. Administrators who want the added security of a token card can have the SDI ACE/Server perform authentication while the CiscoSecure ACS still authorizes services after a successful authentication.

Windows NT Server Configuration

The following information represents the parameters that are configured from within the Windows NT Server:

CiscoSecure ACS Configuration

The following information represents the parameters that are configured from within the CiscoSecure ACS for Windows NT.

NAS Configuration

You can configure the following items from the NAS configuration screen:


Note       If the first NAS that clients will be dialing into was set up during the installation of the CiscoSecure ACS, all of the information in this section should already be complete.



Note You must also enable PPP LCP when selecting any PPP protocol.


User Setup

The following should be configured in the CiscoSecure ACS from User Setup:

Group Setup

These items should be configured in Group Setup:

To enable group-level filtering, select the "Enable group level and Enforce User level filtering" check box.


Note If this option is checked and no group-level filter is defined, a user-level filter must be defined for every member of that group, or authentication fails for users without a valid filter.


Service Configuration

These items are configured from Service Configuration:

Token Server Configuration

You can configure the following from Token Server Configuration:

NAS Configuration

There are several Cisco IOS configurations for the NAS depending on many influences such as network protocols, routing, where IP addresses are defined, and which interface access control lists are defined, to name just a few. This sample configuration represents the minimum TACACS+ requirements for a Cisco 2509. PAP is used on the dial-in interfaces: the token code is a one-time passcode that only the SDI ACE/Server can verify, and it can do so only if the NAS forwards the passcode as the user entered it. A CHAP response is an MD5 hash that neither the ACS nor the token server can check, because neither holds the passcode as a stored secret.

aaa new-model
aaa authentication login default tacacs+
aaa authentication ppp default tacacs+
aaa authorization exec tacacs+
aaa authorization network tacacs+
aaa accounting network start-stop tacacs+
aaa accounting exec start-stop tacacs+
tacacs-server host <ip_address>
tacacs-server key <key>
enable secret <password>
aaa authentication login no_tacacs enable
line con 0
login authentication no_tacacs

Enter this command under each interface used for dial-in access:

ppp authentication pap

Client Configuration

The client can be an async or ISDN client.

Windows 95 Client

These items are configured from the Dial-Up Networking section of Windows 95. Create and configure a connection with the dial number to the NAS, then, right-click on the Connection icon and select properties.

Click Server Type and select:

Windows NT Workstation Client

Make sure:

Comments

Consider the following:

Dial-Up Using the CiscoSecure ACS 2.0 User Database with RADIUS (Cisco)

This dial-up configuration would be used by administrators who want RADIUS authentication/authorization processing, typically because they must support non-Cisco equipment. The CiscoSecure ACS supports IETF, Cisco, and Ascend RADIUS attributes.


Note      RADIUS support requires Cisco IOS Release 11.2 or later on your NAS.


Windows NT Server Configuration

None—Users do not need to exist in the Windows NT database unless they need to log in to the Windows NT network.

CiscoSecure ACS Configuration

The following information represents the parameters that are configured from within the CiscoSecure ACS HTML interface.

NAS Configuration

You can configure the following items from the NAS Configuration screen:


Note       If the first NAS that clients will be dialing into was set up during the installation of CiscoSecure, all of the information in this section should already be complete.


User Setup

The following should be configured in CiscoSecure from User Setup:

Group Setup

These items should be configured in Group Setup for the desired group:

Service Configuration

These items are configured from Service Configuration:

Token Server Configuration

None—Token Card servers are not used in this configuration.

NAS Configuration

There are several Cisco IOS configurations for the NAS depending on many influences such as network protocols, routing, where IP addresses are defined, and which interface access control lists are defined, to name just a few. This sample configuration represents the minimum RADIUS requirements for a Cisco 2509. Note that CHAP can be used because the CiscoSecure ACS 2.0 User Database is being utilized.

aaa new-model
aaa authentication login default radius
aaa authentication ppp default radius
aaa authorization exec radius
aaa authorization network radius
aaa accounting network start-stop radius
aaa accounting exec start-stop radius
radius-server host <ip_address>
radius-server key <key>
enable secret <password>
aaa authentication login no_radius enable
line con 0
login authentication no_radius

Enter this command under each interface used for dial-in access:

ppp authentication chap
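As an added example, not from the Cisco document, the following Python builds the RADIUS Access-Request a NAS sends for a PAP login and the Access-Accept the server returns, following RFC 2865 sections 3 and 5.2. (With the CHAP configured above, the NAS sends CHAP-Password and CHAP-Challenge attributes instead and the server performs the MD5 comparison; the response authentication shown here applies in both cases.) The shared secret, identifier, Request Authenticator and user credentials are constructed sample values. It makes two points the configuration alone does not: RADIUS hides only the User-Password attribute, leaving User-Name and everything else in the clear (unlike TACACS+, which obfuscates the whole body), and the Response Authenticator derived from the radius-server key is what lets the NAS reject a forged Access-Accept.

```python
"""RADIUS Access-Request password hiding and response authentication
(RFC 2865 sections 3 and 5.2). Added illustration, not Cisco code.

Shared secret, identifier, names and the Request Authenticator are constructed
sample values. Only User-Password is hidden; the Response Authenticator is what
binds an Access-Accept to the request and to the shared secret.
"""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2
HEADER_LEN = 20  # code(1) identifier(1) length(2) authenticator(16)


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def hide_password(password: bytes, secret: bytes, request_authenticator: bytes) -> bytes:
    """c1 = p1 XOR MD5(S + RA); c_i = p_i XOR MD5(S + c_(i-1)); password null-padded to 16n."""
    if len(password) > 128:
        raise ValueError("RFC 2865 limits User-Password to 128 octets")
    padded = password + b"\x00" * (-len(password) % 16) or b"\x00" * 16
    out, prev = b"", request_authenticator
    for i in range(0, len(padded), 16):
        prev = _xor(padded[i:i + 16], hashlib.md5(secret + prev).digest())
        out += prev
    return out


def reveal_password(hidden: bytes, secret: bytes, request_authenticator: bytes) -> bytes:
    """Inverse of hide_password, as the RADIUS server runs it. Trailing nulls are padding."""
    if len(hidden) % 16:
        raise ValueError("hidden User-Password must be a multiple of 16 octets")
    out, prev = b"", request_authenticator
    for i in range(0, len(hidden), 16):
        chunk = hidden[i:i + 16]
        out += _xor(chunk, hashlib.md5(secret + prev).digest())
        prev = chunk
    return out.rstrip(b"\x00")


def _tlv(attr_type: int, value: bytes) -> bytes:
    """Attribute: Type(1) Length(1, includes the two header octets) Value."""
    if len(value) > 253:
        raise ValueError("attribute value too long for a one-octet length")
    return bytes([attr_type, len(value) + 2]) + value


def parse_attributes(data: bytes) -> dict:
    """Type -> value for the attributes of a packet (last occurrence wins)."""
    attrs, i = {}, 0
    while i < len(data):
        attr_type, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError("malformed attribute")
        attrs[attr_type] = data[i + 2:i + length]
        i += length
    return attrs


def build_access_request(identifier: int, secret: bytes, username: bytes, password: bytes,
                         request_authenticator: bytes = None) -> bytes:
    """NAS side. The 16-octet Request Authenticator must be fresh and unpredictable;
    it is the only thing that keeps two requests with the same password distinct."""
    ra = request_authenticator if request_authenticator is not None else os.urandom(16)
    attrs = _tlv(ATTR_USER_NAME, username) + _tlv(ATTR_USER_PASSWORD, hide_password(password, secret, ra))
    return struct.pack("!BBH", ACCESS_REQUEST, identifier, HEADER_LEN + len(attrs)) + ra + attrs


def build_response(code: int, request: bytes, secret: bytes, attrs: bytes = b"") -> bytes:
    """Server side. Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, request[1], HEADER_LEN + len(attrs))
    resp_auth = hashlib.md5(header + request[4:20] + attrs + secret).digest()
    return header + resp_auth + attrs


def verify_response(response: bytes, request: bytes, secret: bytes) -> bool:
    """NAS side check before acting on an Access-Accept or Access-Reject.
    Without the secret a third party cannot produce a response that passes."""
    if len(response) < HEADER_LEN or response[1] != request[1]:
        return False
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return hmac.compare_digest(expected, response[4:20])
```

A mismatched radius-server key shows up as reveal_password returning garbage on the server side and verify_response returning False on the NAS side; neither party gets an explicit key error, so failed authentications for every user behind one NAS are the symptom to look for.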

Client Configuration

The client can be an async or ISDN client.

Windows 95 Client

These items are configured from the Dial-Up Networking section of Windows 95. Create and configure a connection with the dial number to the NAS. Once created, right-click on the Connection icon and select properties.

Click Server Type and select:

Windows NT Workstation Client

Make sure:

Comments

Consider the following:

Dial-Up for an ARAP Client Using the CiscoSecure ACS 2.0 User Database with TACACS+

This section outlines what requirements are necessary to configure a client using ARAP with TACACS+ and assumes that the necessary [non-AAA] ARAP configuration parameters are already configured on the NAS.


Note      When you use ARAP, the NAS must be running Cisco IOS Release 11.1.


CiscoSecure ACS Configuration

The following information represents the parameters that are configured from within the CiscoSecure ACS HTML interface.

NAS Configuration

You can configure the following items from the NAS configuration screen:


Note       If the first NAS that clients will be dialing into was set up during the installation of CiscoSecure, all of the information in this section should already be complete.


User Setup

The following should be configured in CiscoSecure from User Setup:

Group Setup

These items should be configured in Group Setup for the desired group:

Service Configuration

The following should be configured in CiscoSecure from Service Configuration:

Administration Control

These items are configured from Administration Control:

NAS Configuration

There are several Cisco IOS configurations for the NAS depending on many influences such as network protocols, routing, where IP addresses are defined, and which interface access control lists are defined, to name just a few. This sample configuration represents the minimum TACACS+ requirements to use ARAP for a Cisco 2509.

aaa new-model
aaa authentication arap default tacacs+
aaa authorization network tacacs+
aaa accounting network start-stop tacacs+
tacacs-server host <ip_address>
tacacs-server key <key>
enable secret <password>
aaa authentication login no_tacacs enable
line con 0
login authentication no_tacacs

Enter these commands under each line used for dial-in access with ARAP:

autoselect arap
arap enable

Client Configuration

The client configured in this example is a Power Macintosh running Mac OS 7.5.5 with the AppleTalk Remote Access 2.1 client software.

From the Remote Access Client software, create a new profile and configure the following in the "Connect As" section:

Router Management Using the CiscoSecure ACS 2.0 User Database with TACACS+

This section outlines how to tighten control over access to the router or NAS configuration. Command authorization combined with administrative privilege levels restricts what each administrator can change, and command accounting records what was done. IS managers would use this method to control and monitor the administration of their routers and NASes.

Windows NT Server Configuration

None—Users do not need to exist in the Windows NT database unless they need to log in to the Windows NT network.

CiscoSecure ACS Configuration

The following information represents the parameters that are configured from within the CiscoSecure ACS HTML interface.

NAS Configuration

You can configure the following items from the NAS configuration screen:


Note       If the first NAS that clients will be dialing into was set up during the installation of CiscoSecure, all of the information in this section should already be complete.



Note      You must also enable PPP LCP when selecting any PPP protocol.


User Setup

The following should be configured in CiscoSecure from User Setup:

Group Setup

These items should be configured in Group Setup for the desired group:

To enable group-level filtering, select the "Enable group level and Enforce User level filtering" check box.


Note If this option is checked and no group-level filter is defined, a user-level filter must be defined for every member of that group, or authentication fails for users without a valid filter.


Service Configuration

These items are configured from Service Configuration:

Token Server Configuration

None—Token Card servers are not used in this configuration.

Router/NAS Configuration

There are several Cisco IOS configurations for the router/NAS depending on many influences such as network protocols, routing, where IP addresses are defined, and which interface access control lists are defined, to name just a few. This sample configuration represents the minimum TACACS+ requirements for a Cisco 2509 with authorization of the commands executed on the NAS and privilege-level (enable) authentication through TACACS+. Enter one "aaa authorization commands <level> tacacs+" line for each privilege level (0 through 15) whose commands the ACS should authorize. CHAP can be used because the CiscoSecure ACS 2.0 User Database is being utilized. Because the default login and enable method lists name only tacacs+, administrators cannot log in over the network while the ACS is unreachable; the no_tacacs list on the console is the recovery path, so control physical access to the console accordingly.

aaa new-model
aaa authentication login default tacacs+
aaa authentication ppp default tacacs+
aaa authentication enable default tacacs+
aaa authorization exec tacacs+
aaa authorization network tacacs+
aaa authorization commands <0-15> tacacs+
aaa accounting network start-stop tacacs+
aaa accounting exec start-stop tacacs+
aaa accounting commands start-stop tacacs+
tacacs-server host <ip_address>
tacacs-server key <key>
enable secret <password>
aaa authentication login no_tacacs enable
line con 0
login authentication no_tacacs

Enter this command under each interface used for dial-in access:

ppp authentication chap

Client Configuration

The client can be an async or ISDN client or reside on the network.

Windows 95 Client

These items are configured from the Dial-Up Networking section of Windows 95. Create and configure a connection with the dial number to the NAS, then, right-click on the Connection icon and select properties.

Click Server Type and select:

Windows NT Workstation Client

Make sure:

Comments

Consider the following:

PIX Firewall Authentication/Authorization Using the Windows NT User Database with TACACS+

This is a typical configuration for a Windows NT network residing behind a PIX Firewall and using only the Windows NT User Database to maintain authentication information. It suits businesses with a significant investment in, or a strategic direction based on, Windows NT. This configuration makes it possible to:

Windows NT Server Configuration

This requires the most configuration of the Windows NT server environment because of its dependence on Windows NT management functions. These items are configured from User Manager on the Windows NT server that is running CiscoSecure.

CiscoSecure ACS Configuration

The following information represents the parameters that are configured from within the CiscoSecure ACS HTML interface.

NAS Configuration

You can configure the following items from the NAS configuration screen:


Note      If the first PIX that clients will be using was set up during the installation of CiscoSecure, all of the information in this section should already be complete.


User Setup

Not Necessary—Users successfully authenticated against the Windows NT User Database are added to the CiscoSecure ACS 2.0 User Database so they may be reassigned to groups with different authorizations levels later.

Group Setup

These items should be configured in Group Setup for the Windows NT Users group:

Service Configuration

These items are configured from Service Configuration:

Token Server Configuration

None—Token Card servers are not used in this configuration.


Note      Administration through a firewall is not supported. CiscoSecure can only be managed from the same side of the firewall.


PIX Configuration

This configuration is for the PIX Firewall and allows any inbound traffic of the listed types (HTTP, FTP, Telnet) as long as the user is authenticated and authorized. Notations have been added to show where to vary the configuration so that only some services require authentication and/or authorization. Note that the conduit statements admit these ports from any outside source; it is the aaa authentication and aaa authorization statements that gate them with a user login, so removing an aaa line leaves the corresponding conduit open without user authentication. In the sample, access to 198.92.55.43 is both authenticated and authorized, while access to 198.92.55.45 is authenticated only. A simple diagram of the PIX network:

             outside                        inside
    Client ------ PIX firewall ------- CiscoSecure

PIX Version 4.0.3
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname pixfirewall
no failover
names
syslog output 20.7
no syslog console
syslog host 198.92.55.241
interface ethernet outside auto
interface ethernet inside auto
ip address inside 198.92.55.46 255.255.255.0
ip address outside 200.200.201.100 255.255.255.0
arp timeout 14400
global 1 198.92.55.1-198.92.55.254
nat 0 0.0.0.0 0.0.0.0
static 198.92.55.43 198.92.55.43
static 198.92.55.44 198.92.55.44
static 198.92.55.45 198.92.55.45
static 198.92.55.241 198.92.55.241
conduit 198.92.55.43 21 tcp 0.0.0.0 0.0.0.0   <--- lets outside users FTP to inside host 198.92.55.43 >
conduit 198.92.55.43 80 tcp 0.0.0.0 0.0.0.0   <--- lets outside users HTTP to inside host 198.92.55.43 >
conduit 198.92.55.45 23 tcp 0.0.0.0 0.0.0.0   <--- lets outside users Telnet to inside host 198.92.55.45 >
age 10
no rip outside passive
no rip outside default
no rip inside passive
no rip inside default
route outside 200.200.201.0 255.255.255.0 200.200.201.101 1
route inside 198.92.55.0 255.255.255.0 198.92.55.45 1
timeout xlate 24:00:00 conn 12:00:00 udp 0:02:00
timeout rpc 0:10:00 h323 0:05:00 uauth 0:05:00
tacacs-server host 198.92.55.43 nas01   <--- AAA server at 198.92.55.43, used with TACACS+ to authenticate inbound packets; TACACS+ key nas01 >
aaa authentication any inbound 198.92.55.43 255.255.255.255 tacacs+   <--- authenticate any inbound access to 198.92.55.43 with TACACS+; "any" could be changed to ftp, http, or telnet >
aaa authentication any inbound 198.92.55.45 255.255.255.255 tacacs+
aaa authorization any inbound 198.92.55.43 255.255.255.255   <--- authorize any inbound access to 198.92.55.43 with TACACS+; "any" could be changed to ftp, http, or telnet >
http 198.92.55.0 255.255.255.0
http 194.0.20.0 255.255.255.0
http 200.200.201.0 255.255.255.0
no snmp-server location
no snmp-server contact
telnet 198.92.55.104 255.255.255.0
telnet 200.200.201.2 255.255.255.0
mtu outside 1500
mtu inside 1500

Client Configuration

None—Proxy support may need to be set up on the browser.

No other particular client configuration is necessary for this application.

Comments

Consider the following:


Note      The ability to control access with the "Grant dial-in permission" right does not span across trusted domains.


VPDN Using the CiscoSecure ACS 2.0 User Database with TACACS+

This is a typical configuration for creating secure connections over a public infrastructure. The CiscoSecure ACS can provide authentication, authorization, and accounting for Virtual Private Dial-Up Networking (VPDN) using the L2F tunneling protocol. The method would be used both by service providers who create the service and by the corporate customers who procure it. This configuration requires an ACS at both the NAS and the Home Gateway locations.

The CiscoSecure ACS is used at the originating end of the VPDN tunnel (the site the VPDN user dials into, often called the "ISP NAS" end of the VPDN tunnel) and at the end point of the tunnel (the private network that terminates the VPDN tunnel, often called "Home Gateway" end).


Figure 2-1   VPDN and CiscoSecure

Note      VPDN terminology commonly uses "domain" for the corporate home gateway; this is not related to the Windows NT "domain". To avoid confusion, this example refers to the VPDN "domain" as "VPDNdomain".


The concept of creating a tunnel is best broken down into two major steps after the client dials in:

Windows NT Server Configuration (ISP)

None—Users do not need to exist in the Windows NT database unless they need to log in to the Windows NT network.

CiscoSecure ACS Configuration (ISP)

The following should be configured in the CiscoSecure ACS HTML interface for Windows NT at the ISP end of the VPDN connection.

NAS Configuration

You can configure these items in the NAS Configuration section:


Note      If the first ISP NAS that clients will be dialing into was set up during the installation of the CiscoSecure ACS, all of the NAS information in this section should already be complete.


User Setup

These items should be configured in User Setup:

Group Setup

These items should be configured in Group Setup for the group "Group 1":

Service Configuration

These items are configured in the Service Configuration section:

Token Server Configuration

None.

NAS Configuration (ISP)

There are several Cisco IOS configurations for the NAS depending on many influences such as network protocols, routing, where IP addresses are defined, and which interface access control lists are defined, to name just a few. This sample configuration represents the minimum TACACS+ requirements to use VPDN for a Cisco 2509:

aaa new-model
aaa authentication login default tacacs+
aaa authentication ppp default tacacs+
aaa authorization exec tacacs+
aaa authorization network tacacs+
aaa accounting network start-stop tacacs+
aaa accounting exec start-stop tacacs+
vpdn enable
tacacs-server host <ip_address>
tacacs-server key <key>
enable secret <password>
aaa authentication login no_tacacs enable
line con 0
login authentication no_tacacs

Enter this command under each interface used for dial-in access:

ppp authentication chap

Windows NT Server Configuration (Home Gateway)

None—Users do not need to exist in the Windows NT database unless they need to log in to the Windows NT network.

CiscoSecure ACS Configuration (Home Gateway)

The following should be configured in the CiscoSecure ACS HTML interface for Windows NT at the Home Gateway of the VPDN connection.

NAS Configuration

You can configure these items in the NAS Configuration section:


Note      If the first Home Gateway NAS/router that clients will be dialing into was set up during the installation of CiscoSecure, all of the NAS information in this section should already be complete.


User Setup

These items should be configured in User Setup:

Group Setup

These items should be configured in Group Setup for the Group in which the user CISCO_TUNNEL has been placed, "Group 1" for example.

These items should be configured in Group Setup for the Group where the user username@CISCO has been placed, "Group 2" for example.


Note If this option is checked and no group-level filter is defined, a user-level filter must be defined for every member of that group, or authentication fails for users without a valid filter.


Service Configuration

These items are configured in Service Configuration section:

Token Server Configuration

None.

Administration Control

These items are configured in Administration Control section:

NAS/Router Configuration (Home Gateway)

There are several Cisco IOS configurations for the NAS depending on many influences such as network protocols, routing, where IP addresses are defined, and which interface access control lists are defined, to name just a few. This sample configuration represents the minimum TACACS+ requirements to use VPDN for a Cisco 2509.

aaa new-model
aaa authentication login default tacacs+
aaa authentication ppp default tacacs+
aaa authorization exec tacacs+
aaa authorization network tacacs+
aaa accounting network start-stop tacacs+
aaa accounting exec start-stop tacacs+
vpdn enable
vpdn incoming <isp hostname> <home-gw hostname> virtual-template 1
tacacs-server host <ip_address>
tacacs-server key <key>
enable secret <password>
aaa authentication login no_tacacs enable
line con 0
login authentication no_tacacs
interface Virtual-Template1
ip unnumbered Ethernet0
encapsulation ppp
ppp authentication chap

Enter this command under each interface used for dial-in access:

ppp authentication chap

Client Configuration

The client can be an async or ISDN client.

The client must dial into the ISP NAS with the name defined at the Home Gateway ACS, username@CISCO for this example.

Windows 95 Client

These items are configured from the Dial-Up Networking section of Windows 95. Create and configure a connection with the dial number to the NAS. Once created, right-click on the Connection icon and select properties.

Click Server Type and select:

Windows NT Workstation Client

Make sure:

Comments

Consider the following:


Posted: Tue Jan 21 03:44:35 PST 2003
All contents are Copyright © 1992--2002 Cisco Systems, Inc. All rights reserved.