This appendix presents samples of profiles that contain attributes for the groups that will be using several different protocols and includes the following sections:
These samples list only the minimum necessary attributes and values, and the steps presented are general steps only. See the chapter "Managing User Authentication and Authorization" for instructions on adding groups and configuring group profiles.
Time Saver: First add and configure the group, and then add a new user to the group. The user will inherit the attributes and values assigned to the group.
This section contains sample profiles for TACACS+ groups.
Follow these general steps to configure a profile for a group using a PPP dialup connection using IP or an ISDN connection:
Step 1 Add a new group: tacgroup1.
Step 2 Add a CHAP or PAP password to the profile.
Step 3 Add SERVICE=PPP to the profile.
Step 4 Add the following protocol set(s) under SERVICE=PPP:
Step 5 Add the IPX protocol if needed:
Be sure to have your Cisco network access server (NAS) set for AAA, modem access, PPP encapsulation, and the CHAP or PAP authentication method.
Follow these general steps to configure a Simple Async SLIP group profile:
Step 1 Add a new group: tacgroup2.
Step 2 Add a CLEAR password to the profile.
Step 3 Add SERVICE=SLIP to the profile.
Step 4 Add the following Protocol Set(s) under SERVICE=PPP:
Be sure to have your Cisco NAS set for AAA, modem access, and SLIP encapsulation.
Follow these general steps to configure a Simple Async Shell group profile:
Step 1 Add a new group: tacgroup3.
Step 2 Add a CLEAR password to the profile.
Step 3 Add SERVICE=SHELL to the profile.
Step 4 Add the following protocol set(s) under SERVICE=PPP:
Be sure to have your Cisco NAS set for AAA with login.
Follow these general steps to configure a group profile for Simple Async Shell that will issue an autocommand:
Step 1 Add a new group: tacgroup4.
Step 2 Add a CLEAR password to the profile.
Step 3 Add SERVICE=SHELL to the profile.
Step 4 Add the following protocol set(s) under SERVICE=PPP:
Be sure to have your Cisco NAS set for AAA and to enable Authorization EXEC.
This section contains sample profiles for RADIUS groups.
Groups can use more than one protocol; for example, ISDN from home and Frame Relay from a branch office, as long as the profiles are the same except for the protocol. The NAS the group dials in to is a determining factor for which protocol is used.
Follow these general steps to configure a Simple Asynchronous PPP group profile:
Step 1 Add a new group: ciscoasync.
Step 2 Add a RADIUS dictionary to the profile: RADIUS-Cisco.
Step 3 Add the Reply Attributes and Checked Items in Table C-1.
Attributes | | Value | |
---|---|---|---|
Reply Attributes | | | |
2 | User-Service-Type | 2 | Framed-User (enumeration) |
1 | Framed-Protocol | PPP (enumeration) | |
Checked Items | | | |
2 | Password | dialup (actual password) | |
Be sure to have your Cisco NAS set for AAA, modem access, and PPP encapsulation.
Follow these general steps to configure a Simple ISDN group profile:
Step 1 Add a new group: ciscoisdn.
Step 2 Add a RADIUS dictionary to the profile: RADIUS-Cisco.
Step 3 Add the reply attributes and checked items in Table C-2.
Attributes | | Value | |
---|---|---|---|
Reply Attributes | | | |
2 | User-Service-Type | 2 | Framed-User (enumeration) |
1 | Framed-Protocol | PPP (enumeration) | |
Checked Items | | | |
2 | Password | isdnuser (actual password) | |
Be sure to have your Cisco NAS set for AAA service, PPP encapsulation, and ISDN.
Follow these general steps to configure a minimum profile for an Async SLIP group profile:
Step 1 Add a new group: ciscoslip.
Step 2 Add a RADIUS dictionary to the profile: RADIUS-Cisco.
Step 3 Add the reply attributes and checked items in Table C-3.
Attributes | | Value | |
---|---|---|---|
Reply Attributes | | | |
2 | User-Service-Type | 2 | Login-User (enumeration) |
1 | Framed-Protocol | SLIP (enumeration) | |
Checked Items | | | |
2 | Password | dialupslip (actual password) | |
Follow these general steps to configure a minimum profile for an Asynchronous Telnet Shell group profile:
Step 1 Add a new group: ciscoshell.
Step 2 Add a RADIUS dictionary to the profile: RADIUS-Cisco.
Step 3 Add the reply attributes and checked items in Table C-4.
Attributes | | Value | |
---|---|---|---|
Reply Attributes | | | |
2 | User-Service-Type | 2 | Shell-User (enumeration) |
Checked Items | | | |
2 | Password | dialupshell (actual password) | |
Be sure to have your Cisco NAS set for AAA, with login, TTY lines, and modem access.
Follow these general steps to configure a minimum profile for an Asynchronous Telnet group profile:
Step 1 Add a new group: ciscotelnet.
Step 2 Add a RADIUS dictionary to the profile: RADIUS-Cisco.
Step 3 Add the reply attributes and checked items in Table C-5.
Attributes | | Value | |
---|---|---|---|
Reply Attributes | | | |
2 | User-Service-Type | 2 | Login-User (enumeration) |
14 | Login-Host | 200.200.200.210 (ipaddrs) | |
15 | Login-Service | 0 | Telnet (enumeration) |
16 | Login-TCP-Port | 23 | (port ID-integer) |
1 | Framed-Protocol | PPP (enumeration) | |
Checked Items | | | |
2 | Password | dialuptelnet (actual password) | |
Be sure to have your Cisco NAS set for login and modem access. Use this profile for autologin to a different host.
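The three Login-* reply attributes of Table C-5, encoded as RADIUS attribute TLVs and then decoded and checked against an approved autologin target. This is an added example, not part of the original guide. The wire layout follows RFC 2865; the function names and the allowlist policy are assumptions made for illustration.

```python
import ipaddress
import struct

# Attribute numbers as listed in Table C-5; each carries a 4-byte value on the wire.
LOGIN_HOST, LOGIN_SERVICE, LOGIN_TCP_PORT = 14, 15, 16
FOUR_BYTE = {LOGIN_HOST, LOGIN_SERVICE, LOGIN_TCP_PORT}


def encode_attr(attr_type, value):
    """Encode one attribute as type(1) | length(1) | value; length includes the 2-byte header."""
    if attr_type == LOGIN_HOST:
        payload = ipaddress.IPv4Address(value).packed
    else:
        payload = struct.pack("!I", value)  # enumerations and integers are 32-bit big-endian
    return bytes([attr_type, len(payload) + 2]) + payload


def decode_attrs(blob):
    """Walk an attribute section (hypothetical helper), rejecting truncated or malformed TLVs."""
    out, i = {}, 0
    while i < len(blob):
        if i + 2 > len(blob):
            raise ValueError("truncated attribute header")
        attr_type, length = blob[i], blob[i + 1]
        if length < 2 or i + length > len(blob):
            raise ValueError(f"bad length {length} for attribute {attr_type}")
        payload = blob[i + 2:i + length]
        if attr_type in FOUR_BYTE and len(payload) != 4:
            raise ValueError(f"attribute {attr_type} must carry 4 bytes")
        if attr_type == LOGIN_HOST:
            out[attr_type] = str(ipaddress.IPv4Address(payload))
        elif attr_type in FOUR_BYTE:
            out[attr_type] = struct.unpack("!I", payload)[0]
        else:
            out[attr_type] = payload  # attributes this example does not interpret
        i += length
    return out


def check_autologin(attrs, allowed):
    """Return a finding when the reply would auto-connect the user to an unapproved (host, port)."""
    target = (attrs.get(LOGIN_HOST), attrs.get(LOGIN_TCP_PORT))
    return [] if target in allowed else [f"unapproved autologin target {target}"]


# Constructed sample: the Login-* reply attributes from Table C-5.
TABLE_C5 = b"".join(
    encode_attr(t, v)
    for t, v in [(LOGIN_HOST, "200.200.200.210"), (LOGIN_SERVICE, 0), (LOGIN_TCP_PORT, 23)]
)
```

Running `decode_attrs` over the attribute section of a captured Access-Accept and passing the result to `check_autologin` gives a quick audit of where an autologin profile actually sends its users.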