Virtual profiles is a unique PPP application that defines and applies per-user configuration information for users who dial in to a router. Virtual profiles allow user-specific configuration information to be applied irrespective of the media used for the dial-in call. The configuration information for virtual profiles can come from a virtual interface template, per-user configuration information stored on an AAA server, or both, depending on how the router and AAA server are configured.
Virtual profiles are intended to overcome current limitations on network scalability:
Virtual profiles overcome the limitations listed above by providing a unique interface for each user dialing in to a Cisco router/access server.
The following new or uncommon terms are used in this feature module:
cloning--Creating and configuring a virtual access interface by applying configuration commands from a specific virtual template. The virtual template is the source of the generic user information and router-dependent information. The result of cloning is a virtual access interface configured with all the commands in the template.
virtual access interface--Instance of a unique virtual interface that is created dynamically and exists temporarily. Virtual access interfaces can be created and configured differently by different applications, such as virtual profiles and virtual private dialup networks.
virtual interface template--Generic configuration of an interface for a certain purpose or configuration common to certain users, plus router-dependent information. This takes the form of a list of Cisco IOS interface commands to be applied to the virtual interface as needed. Several applications can apply virtual interface templates, but generally each application uses a single template. Each virtual interface template is identified by number.
virtual profile--Unique virtual access interface created dynamically for a specific user when the user calls in and torn down dynamically when the call disconnects. The sources of configuration information for the virtual profile can be
Configuration of a virtual access interface begins with a virtual interface template (if any), followed by application of per-user configuration for the particular user's dial-in session (if any).
This release does not support fast switching, virtual private dialup networks (VPDN), and Level 2 Forwarding (L2F).
We recommend that unnumbered addresses be used in virtual interface templates to ensure that duplicate network addresses are not created on virtual access interfaces.
Virtual profiles fully interoperate with physical interfaces in the following states:
When a user dials in, the router checks whether the dialer profiles DDR feature is defined for that user. If a dialer profile is defined for that user, the router uses it. Otherwise, virtual profiles are used if configured.
Virtual profiles also interoperate with Multilink PPP (MLP). No special configuration is required for virtual profiles or for MLP.
Depending on the specific virtual-profile commands configured, if no dialer profile (DDR feature) is defined for a user, the router dynamically configures a virtual profile (virtual access interface) for the user using information from these sources:
The process of creating a virtual access interface by applying all the commands in a virtual interface template is sometimes called cloning the template.
This section describes virtual profiles and the various ways they can work. For more information about configuring per-user information on an AAA server, see the "Per-User Configuration" feature. Per-user configuration information can include any commands and information that could have been used to configure a physical interface.
Virtual profiles separate per-user configuration information into two logical parts:
These two logical parts can be used separately or together.
Three separate cases are possible:
In the case of virtual profiles by virtual template, the following apply:
The router applies the configuration commands that are in the virtual interface template to create and configure the virtual profile. The template includes generic interface information and router-specific information, but no user-specific information. No matter whether a user dialed in on a synchronous serial, an asynchronous serial, or an ISDN physical interface, the dynamically created virtual profile for the user is configured as specified in the virtual template.
Then the router interprets the lines in the AAA server's authorization approval response as Cisco IOS commands to apply to the virtual profile for the user.
Data flows through the virtual profile, and the higher layers treat it as the user's interface. In the case of ISDN, data flows between the virtual access interface and the specific B channel the caller is using. This allows the possibility of configuring the other B channel differently for a different caller.
For example, if a virtual template included only the three commands ip unnumbered ethernet 0, encapsulation ppp, and ppp authentication chap, the virtual profile for any dialin user would include those three commands.
In Figure 23, the dotted box represents the virtual profile configured with the commands that are in the virtual template, no matter which interface the call arrives on.

See the "Configure Virtual Profiles by Virtual Template" section for configuration tasks for this case.
In this case, no dialer profile (DDR feature) is defined for the specific user and no virtual template for virtual profiles is defined, but virtual profiles by AAA is enabled on the router.
During the PPP authorization phase for the user, the AAA server responds as usual to the router. The authorization approval response contains configuration information for the user. The router interprets each of the lines in the AAA server's response packet as Cisco IOS commands to apply to the virtual profile for the user.
The router dynamically configures the virtual profile for this user using all the commands received from the AAA server. The commands in the user's configuration received from the AAA server override any conflicting commands that might have been set originally for the interface. This user might have interface commands, access lists, and so forth that differ from those set generally on the interface.
Suppose, for example, that the router interpreted the AAA server's response as including only the following two commands for this user:
```
ip address 10.10.10.10 255.255.255.255
keepalive 30
```
In Figure 24, the dotted box represents the virtual profile configured only with the commands received from the AAA server, no matter which interface the incoming call arrived on.

See the "Configure Virtual Profiles by AAA Configuration" section for configuration tasks for this case.
In this case, no DDR dialer profile is defined for the specific user, a virtual template for virtual profiles is defined, virtual profiles by AAA is enabled on the router, the router is configured for AAA, and a per-user configuration for the user is stored on the AAA server.
The router performs the following tasks in order:
If any command in the user's configuration conflicts with a command on the original interface or a command applied by cloning the virtual template, the per-user command overrides the other command. The result is a virtual interface unique to that user.
Suppose that the router had the virtual template as defined in Case 1 and the AAA user configuration as defined in Case 2. In Figure 25 the dotted box represents the virtual profile configured with configuration information from both sources, no matter which interface the incoming call arrived on. The ip address command has overridden the ip unnumbered command.

See the "Configure Virtual Profiles by Both Virtual Template and AAA Configuration" section for configuration tasks for this case.
This feature runs on all Cisco IOS platforms that support Multilink PPP:
Use of per-user configuration information with virtual profiles requires the router to be configured for AAA and requires the AAA server (for example, a RADIUS server) to have per-user configuration configured. To define per-user configuration information on the AAA server, see the feature called "Per-User Configuration" in this feature guide.
Use of virtual interface templates with virtual profiles requires a virtual template to be defined for virtual profiles.
To configure virtual profiles for dialin users, complete the tasks in one of the first three sections and then troubleshoot the configuration by performing the tasks in the last section:
As indicated earlier in the "Interoperation with DDR" section, do not define a DDR dialer profile for a user if you intend to define virtual profiles for the user.
To configure virtual profiles by virtual template, complete these two tasks:
Because a virtual interface template is a serial interface, all the configuration commands that apply to serial interfaces can also be applied to virtual interface templates, except shutdown and dialer commands.
To create and configure a virtual interface template, complete the following tasks beginning in global configuration mode:
Other optional PPP configuration commands can be added to the virtual template configuration. For example, you can add the ppp authentication chap command.
To specify a virtual interface template as the source of information for virtual profiles, complete the following task in global configuration mode.
| Task | Command |
|---|---|
| Specify the virtual interface template as the source of information for virtual profiles. | virtual-profile virtual-template number |
Virtual template numbers range from 1 to 30.
In the case of virtual profiles by virtual template, any interface-specific information in AAA configuration is not applied to the virtual access interface; the information is ignored. However, the remaining configuration, such as access lists and route filters, is applied.
To configure virtual profiles by AAA per-user configuration, complete these three tasks:
To specify AAA as the source of information for virtual profiles, complete the following task in global configuration mode.
| Task | Command |
|---|---|
| Specify AAA as the source of per-user configuration. | virtual-profile aaa |
In this case, no virtual interface template is defined for virtual profiles.
To configure virtual profiles by both virtual interface template and AAA configuration, complete these steps:
Because a virtual interface template is a serial interface, all the configuration commands that apply to serial interfaces can also be applied to virtual interface templates, except shutdown and dialer commands.
To create and configure a virtual interface template, complete the following tasks beginning in global configuration mode:
Other optional PPP configuration commands can be added to the virtual template configuration. For example, you can add the ppp authentication chap command.
To specify both the virtual interface template and the AAA per-user configuration as sources of information for virtual profiles, complete the following tasks in global configuration mode.
| Task | Command |
|---|---|
| Define the virtual interface template as the source of information for virtual profiles. | virtual-profile virtual-template number |
| Specify AAA as the source of per-user configuration for virtual profiles. | virtual-profile aaa |
You can troubleshoot the virtual profiles configuration by using the following existing commands:
| Task | Command |
|---|---|
| Display information about the per-user configuration downloaded from the AAA server. | debug aaa per-user |
| Display cloning information for a virtual access interface from the time it is cloned from a virtual template to the time it comes down. | debug vtemplate |
The following sections provide examples for the three cases described in this chapter:
In these examples, physical interface S0 is not configured for any type of DDR, interfaces S1 and BRI0 are configured for legacy DDR, and interface BRI1 is configured for dialer profiles.
The intention of the examples is to show the interoperability of DDR and dialer profiles in the respective cases with various forms of virtual profiles.
In these examples, John is a normal user who sometimes wants special privileges. He asked his Internet service provider to make him a privileged user through AAA. As a normal user, he can dial in only through Serial1 and BRI0, but as a privileged user, he can dial in through any interface (Serial0, Serial1, BRI0, or BRI1). However, he can be reached only through Serial1 and BRI0. Rick can also dial in either as a normal user or as a privileged user. As a normal user, he can dial in through BRI1, and as a privileged user, through any of the remaining interfaces, but he can be reached only through BRI1.
In this example, the router is configured for virtual profiles by virtual template and the AAA configuration is downloaded from the server as usual, but any interface-specific information downloaded from AAA is ignored. Comments in the example draw attention to specific features or ignored lines.
In this example, the system administrator decides to filter routes being advertised to John and to apply access lists to Rick's dial-in connections. When John or Rick dials in through interface S1 or BRI 0 and authenticates, a virtual profile is created and route filters are applied to John and access lists are applied to Rick.
```
john Password = "welcome"
    User-Service-Type = Framed-User,
    Framed-Protocol = PPP,
    cisco-avpair = "ip:rte-fltr-out#0=router igrp 60",
    cisco-avpair = "ip:rte-fltr-out#3=deny 171.0.0.0 0.255.255.255",
    cisco-avpair = "ip:rte-fltr-out#4=deny 172.0.0.0 0.255.255.255",
    cisco-avpair = "ip:rte-fltr-out#5=permit any"

rick Password = "emoclew"
    User-Service-Type = Framed-User,
    Framed-Protocol = PPP,
    cisco-avpair = "ip:inacl#3=permit ip any any precedence immediate",
    cisco-avpair = "ip:inacl#4=deny igrp 0.0.1.2 255.255.0.0 any",
    cisco-avpair = "ip:outacl#2=permit ip any any precedence immediate",
    cisco-avpair = "ip:outacl#3=deny igrp 0.0.9.10 255.255.0.0 any"
```
```
! Enable AAA on the router.
aaa new-model
aaa authentication ppp default radius
aaa authorization network radius
enable secret 5 $1$koOn$/1QAylov6JFAElxRCrL.o/
enable password lab
!
! Specify configuration of virtual profiles by virtual template.
virtual-profile virtual-template 1
!
! Define the virtual template.
interface Virtual-Template 1
 ip unnumbered ethernet 0
 encapsulation ppp
 ppp authentication chap
!
! Configure the physical synchronous serial 0 interface.
interface Serial 0
 description Connected to 101
 encapsulation ppp
 ! Disable fast switching.
 no ip route-cache
 ppp authentication chap
!
! Configure serial interface 1 for DDR. S1 uses dialer rotary group 0, which is
! defined on BRI interface 0.
interface serial 1
 description Connected to 102
 encapsulation ppp
 dialer in-band
 ! Disable fast switching.
 no ip route-cache
 dialer rotary-group 0
 ppp authentication chap
!
interface BRI 0
 description Connected to 103
 encapsulation ppp
 no ip route-cache
 dialer rotary-group 0
 ppp authentication chap
!
interface BRI 1
 description Connected to 104
 encapsulation ppp
 ! Disable fast switching.
 no ip route-cache
 dialer pool-member 1
 ppp authentication chap
!
! Configure dialer interface 0 for DDR for John, Rick, and Tom.
interface dialer 0
 ip address 1.1.1.1 255.255.255.0
 encapsulation ppp
 ! Enable legacy DDR.
 dialer in-band
 ! Disable fast switching.
 no ip route-cache
 dialer map ip 1.1.1.2 name john 1111
 dialer map ip 1.1.1.3 name rick 2222
 dialer-group 1
 ppp authentication chap
```
This example shows the router configuration for virtual profiles by AAA and the AAA server configuration for a per-user configuration. John and Rick each want to have their own IP addresses when they are in privileged mode.
```
john Password = "welcome"
    User-Service-Type = Framed-User,
    Framed-Protocol = PPP,
    cisco-avpair = "interface_config=ip address 100.100.100.100 255.255.255.0"

rick Password = "emoclew"
    User-Service-Type = Framed-User,
    Framed-Protocol = PPP,
    cisco-avpair = "interface_config=ip address 200.200.200.200 255.255.255.0"
```
```
! Enable AAA on the router.
aaa new-model
aaa authentication ppp default radius
aaa authorization network radius
enable secret 5 $1$koOn$/1QAylov6JFAElxRCrL.o/
enable password lab
!
! Specify configuration of virtual profiles by AAA.
virtual-profile aaa
!
! Configure the physical synchronous serial 0 interface.
interface Serial 0
 description Connected to 101
 encapsulation ppp
 ! Disable fast switching.
 no ip route-cache
 ppp authentication chap
!
! Configure serial interface 1 for DDR. S1 uses dialer rotary group 0, which is
! defined on BRI interface 0.
interface serial 1
 description Connected to 102
 encapsulation ppp
 dialer in-band
 ! Disable fast switching.
 no ip route-cache
 dialer rotary-group 0
 ppp authentication chap
!
interface BRI 0
 description Connected to 103
 encapsulation ppp
 no ip route-cache
 dialer rotary-group 0
 ppp authentication chap
!
interface BRI 1
 description Connected to 104
 encapsulation ppp
 ! Disable fast switching.
 no ip route-cache
 dialer pool-member 1
 ppp authentication chap
!
! Configure dialer interface 0 for DDR for John and Rick.
interface dialer 0
 ip address 1.1.1.1 255.255.255.0
 encapsulation ppp
 ! Enable legacy DDR.
 dialer in-band
 ! Disable fast switching.
 no ip route-cache
 dialer map ip 1.1.1.2 name john 1111
 dialer map ip 1.1.1.3 name rick 2222
 dialer-group 1
 ppp authentication chap
!
! Configure dialer interface 1 for DDR to dial out to Rick.
interface dialer 1
 ip addr 2.2.2.2 255.255.255.0
 encapsulation ppp
 dialer remote-name rick
 dialer string 3333
 dialer pool 1
 dialer-group 1
 ! Disable fast switching.
 no ip route-cache
 ppp authentication chap
dialer-list 1 protocol ip permit
```
In this example, the router is configured for virtual profiles by both virtual templates and AAA configuration. Dial-in connections from John have route filters applied and dial-in connections from Rick have access lists applied; John and Rick each have a specified IP address.
```
john Password = "welcome"
    User-Service-Type = Framed-User,
    Framed-Protocol = PPP,
    cisco-avpair = "interface_config=ip address 100.100.100.100 255.255.255.0",
    cisco-avpair = "ip:rte-fltr-out#0=router igrp 60",
    cisco-avpair = "ip:rte-fltr-out#3=deny 171.0.0.0 0.255.255.255",
    cisco-avpair = "ip:rte-fltr-out#4=deny 172.0.0.0 0.255.255.255",
    cisco-avpair = "ip:rte-fltr-out#5=permit any"

rick Password = "emoclew"
    User-Service-Type = Framed-User,
    Framed-Protocol = PPP,
    cisco-avpair = "interface_config=ip address 200.200.200.200 255.255.255.0",
    cisco-avpair = "ip:inacl#3=permit ip any any precedence immediate",
    cisco-avpair = "ip:inacl#4=deny igrp 0.0.1.2 255.255.0.0 any",
    cisco-avpair = "ip:outacl#2=permit ip any any precedence immediate",
    cisco-avpair = "ip:outacl#3=deny igrp 0.0.9.10 255.255.0.0 any"
```
```
! Enable AAA on the router.
aaa new-model
aaa authentication ppp default radius
aaa authorization network radius
enable secret 5 $1$koOn$/1QAylov6JFAElxRCrL.o/
enable password lab
!
! Specify use of virtual profiles and a virtual template.
virtual-profile virtual-template 1
virtual-profile aaa
!
! Define the virtual template.
interface Virtual-Template 1
 ip unnumbered ethernet 0
 encapsulation ppp
 ppp authentication chap
!
! Configure the physical synchronous serial interface.
interface Serial 0
 description Connected to 101
 encapsulation ppp
 ! Disable fast switching.
 no ip route-cache
 ppp authentication chap
!
! Configure serial interface 1 for DDR. S1 uses dialer rotary group 0, which is
! defined on BRI interface 0.
interface serial 1
 description Connected to 102
 encapsulation ppp
 dialer in-band
 ! Disable fast switching.
 no ip route-cache
 dialer rotary-group 0
 ppp authentication chap
!
interface BRI 0
 description Connected to 103
 encapsulation ppp
 no ip route-cache
 dialer rotary-group 0
 ppp authentication chap
!
interface BRI 1
 description Connected to 104
 encapsulation ppp
 ! Disable fast switching.
 no ip route-cache
 dialer pool-member 1
 ppp authentication chap
!
! Configure dialer interface 0 to dial out to John and Rick.
interface dialer 0
 ip address 1.1.1.1 255.255.255.0
 encapsulation ppp
 dialer in-band
 ! Disable fast switching.
 no ip route-cache
 dialer map ip 1.1.1.2 name john 1111
 dialer map ip 1.1.1.3 name rick 2222
 dialer-group 1
 ppp authentication chap
!
! Configure dialer interface 1 for DDR to dial out to Rick.
interface dialer 1
 ip addr 2.2.2.2 255.255.255.0
 encapsulation ppp
 dialer remote-name rick
 dialer string 3333
 dialer pool 1
 dialer-group 1
 ! Disable fast switching.
 no ip route-cache
 ppp authentication chap
!
dialer-list 1 protocol ip permit
```
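The three cases above can be modeled to review what a given AAA entry would change on a user's virtual access interface before it is deployed. This Python sketch is an added example, not Cisco code: the function names and the `slot` conflict rule are assumptions, and the sample users entries are abridged from the page's Case 3 example.

```python
import re

# Users entries in the page's format, abridged from its Case 3 example.
USERS = '''\
john Password = "welcome"
    Framed-Protocol = PPP,
    cisco-avpair = "interface_config=ip address 100.100.100.100 255.255.255.0",
    cisco-avpair = "ip:rte-fltr-out#0=router igrp 60",
    cisco-avpair = "ip:rte-fltr-out#3=deny 171.0.0.0 0.255.255.255"
rick Password = "emoclew"
    Framed-Protocol = PPP,
    cisco-avpair = "interface_config=ip address 200.200.200.200 255.255.255.0",
    cisco-avpair = "ip:inacl#3=permit ip any any precedence immediate"
'''

# Virtual template commands from the page's Case 1 description.
TEMPLATE = ["ip unnumbered ethernet 0", "encapsulation ppp", "ppp authentication chap"]


def parse_users(text):
    """Return {user: [cisco-avpair value, ...]} from a users file."""
    users, current = {}, None
    for line in text.splitlines():
        if line and not line[0].isspace():      # unindented line starts a user entry
            current = line.split()[0]
            users[current] = []
            continue
        m = re.match(r'\s+cisco-avpair\s*=\s*"([^"]*)"', line)
        if m and current:
            users[current].append(m.group(1))
    return users


def slot(cmd):
    """Conflict key for an interface command (simplified model, an assumption)."""
    w = cmd.split()
    if w[:2] in (["ip", "address"], ["ip", "unnumbered"]):
        return "ip addressing"   # the page's case: ip address overrides ip unnumbered
    return " ".join(w[:2]) if w[0] in ("ip", "ppp", "no") else w[0]


def effective_profile(avpairs, template=None, aaa=False):
    """Model one user's virtual access interface.

    template: commands of the template named by `virtual-profile virtual-template`
    aaa:      True when `virtual-profile aaa` is configured
    """
    if template is None and not aaa:
        return None                             # no virtual profile is created
    prefix = "interface_config="
    iface_cmds = [v[len(prefix):] for v in avpairs if v.startswith(prefix)]
    filters = [v for v in avpairs if not v.startswith(prefix)]
    config = {slot(c): c for c in (template or [])}   # clone the template first
    overridden, ignored = [], []
    for cmd in iface_cmds:
        if not aaa:
            ignored.append(cmd)                 # Case 1: interface-specific AAA info ignored
            continue
        key = slot(cmd)
        if key in config:
            overridden.append((config[key], cmd))     # per-user command wins
        config[key] = cmd
    return {"interface": list(config.values()), "filters": filters,
            "overridden": overridden, "ignored": ignored}


if __name__ == "__main__":
    for user, avpairs in parse_users(USERS).items():
        print(user, effective_profile(avpairs, template=TEMPLATE, aaa=True))
```

The `overridden` list is the part worth reviewing: it shows each template command that an AAA entry replaces for that user.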
This section documents new commands. All other commands used with this feature are documented in the Cisco IOS Release 11.2 command references.
To enable virtual profiles by AAA configuration, use the virtual-profile aaa global configuration command.
virtual-profile aaa

This command has no arguments or keywords.
Disabled
Global configuration
This command first appeared in Cisco IOS Release 11.2 F.
The effect of this command for any specific user depends on the router being configured for AAA and the AAA server being configured for that user's specific configuration information.
The following example configures virtual profiles by AAA configuration only.
virtual-profile aaa
aaa authentication
virtual-profile virtual-template
To enable virtual profiles by virtual interface template, use the virtual-profile virtual-template global configuration command.
virtual-profile virtual-template number

| number | Number of the virtual template to apply, in the range 1 to 30. |
Disabled. No virtual template is defined, and no default virtual template number is used.
Global configuration
This command first appeared in Cisco IOS Release 11.2 F.
When virtual profiles are configured by virtual templates only, any interface-specific configuration information that is downloaded from the AAA server is ignored in configuring the virtual access interface for a user.
The interface virtual-template command defines a virtual template to be used for virtual profiles. Because several virtual templates might be defined for different purposes on the router (such as MLP, PPP over ATM, and virtual profiles), it is important to be clear about the virtual template number to use in each case.
The following example configures virtual profiles by virtual templates only. The number 2 was chosen because virtual template 1 was previously defined for use by Multilink PPP.
virtual-profile virtual-template 2
interface virtual-template
Refer to the "Per-User Configuration" feature description in this feature guide for more information about configuring the AAA server.