This appendix describes how to configure the NAS and presents a sample configuration you can use with CiscoSecure GRS.
For complete information about a specific Cisco IOS release or more detailed configurations, see the Router Products Configuration Guide or the Configuration Fundamentals Configuration Guide publication.
To use CiscoSecure GRS you must add or modify the following four lines in your ACS configuration file:
tacacs-server host 10.0.0.1 port 1024 ;add one port for a single connection where 10.0.0.1 is the address of the machine running CiscoSecure GRS
tacacs-server timeout 20 ;default is 10; increase to 20 for CiscoSecure GRS
no tacacs-server directed-request ;add--required by CiscoSecure GRS if you do not already have directed-request configured
tacacs-server key nas ;add--required by CiscoSecure GRS
For an async dial-in interface on a NAS, you must use the command:
async mode dedicated
Do not use the command:
async mode interactive
Therefore, SLIP connections are not supported.
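As an added example (not part of the Cisco document), the following Python audit reads an IOS running configuration and reports any of the four required CiscoSecure GRS lines that are missing, plus any async interface still set to interactive mode. The configuration it checks is a constructed sample, not the AS5200 sample below.

```python
import re

# Constructed sample: the four GRS lines plus two async interfaces, in IOS layout.
SAMPLE_CONFIG = """\
aaa new-model
tacacs-server host 10.0.0.1 port 1024 ;single connection to the GRS host
tacacs-server timeout 20 ;default is 10
no tacacs-server directed-request
tacacs-server key nas
!
interface Group-Async1
 encapsulation ppp
 async mode dedicated
 group-range 1 24
!
interface Async25
 async mode interactive
"""

def strip_comments(config):
    """Drop ';' annotations and blank or '!' lines; keep the leading indent."""
    lines = []
    for raw in config.splitlines():
        line = raw.split(";", 1)[0].rstrip()
        if line.strip() and not line.strip().startswith("!"):
            lines.append(line)
    return lines

def audit_grs_config(config):
    """Return findings for a NAS config that must talk to CiscoSecure GRS.
    Interface sub-commands are recognised by their one-space indent."""
    lines = strip_comments(config)
    joined = "\n".join(lines)
    findings = []
    if not re.search(r"^tacacs-server host \S+ port \d+$", joined, re.M):
        findings.append("missing 'tacacs-server host <addr> port <n>'")
    m = re.search(r"^tacacs-server timeout (\d+)$", joined, re.M)
    if not m or int(m.group(1)) < 20:
        findings.append("tacacs-server timeout must be raised to 20 for GRS")
    if "no tacacs-server directed-request" not in lines:
        findings.append("missing 'no tacacs-server directed-request'")
    if not re.search(r"^tacacs-server key \S+$", joined, re.M):
        findings.append("missing 'tacacs-server key'")
    current = None
    for line in lines:
        if not line.startswith(" "):
            current = line if line.startswith("interface ") else None
        elif current and line.strip() == "async mode interactive":
            findings.append(f"{current}: 'async mode interactive' is not supported; use 'async mode dedicated'")
    return findings
```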
The following sample configuration is for a Cisco AS5200 access server using TACACS+ connected to a CiscoSecure GRS. You can use this sample configuration for quick, easy NAS setup or modify it as necessary:
!
version 11.2
service udp-small-servers
service tcp-small-servers
!
hostname host-5200
!
aaa new-model
aaa authentication ppp default tacacs+
aaa authorization network tacacs+
aaa accounting network start-stop tacacs+
!
username mary nopassword
ip host-routing
isdn switch-type primary-5ess
!
controller T1 0
 framing esf
 clock source line primary
 linecode b8zs
 pri-group timeslots 1-24
!
controller T1 1
 framing esf
 clock source line secondary
 linecode b8zs
 pri-group timeslots 1-24
!
interface Ethernet0
 ip address 10.0.0.5 255.255.255.224
 no ip mroute-cache
!
interface Serial0:23
 ip unnumbered Ethernet0
 no ip mroute-cache
 encapsulation ppp
 autodetect encapsulation ppp
 isdn incoming-voice modem
 dialer-group 1
 no fair-queue
 no cdp enable
 ppp authentication chap
 ppp multilink
!
interface Serial1:23
 no ip address
 no ip mroute-cache
 encapsulation ppp
 no fair-queue
 no cdp enable
 ppp multilink
!
interface Async25
 no ip address
 no ip mroute-cache
!
interface Group-Async1
 ip unnumbered Ethernet0
 no ip mroute-cache
 encapsulation ppp
 async default routing
 async dynamic address
 async mode dedicated
 peer default ip address pool local
 no fair-queue
 no cdp enable
 ppp authentication chap
 ppp multilink
 group-range 1 24
!
ip local pool local 10.0.0.8 10.0.0.9
no ip classless
tacacs-server host 10.0.0.6 port 1024 ;for a single connection
tacacs-server timeout 20 ;default is 10; increase to 20
no tacacs-server directed-request ;if directed-request is not configured
tacacs-server key nas
dialer-list 1 protocol ip permit
radius-server host 10.0.0.7
radius-server key isp1
!
line con 0
 exec-timeout 0 0
 login authentication console
line 1 24
 modem InOut
 autocommand ppp default
 transport input all
line aux 0
line vty 0 4
 password lab
!
end
This section provides guidelines and sample ACS configurations for VPDN.
The following is a sample VPDN domain entry at a remote RADIUS server. Note that the RADIUS server must understand cisco-avpair. The only RADIUS server that natively understands cisco-avpair is CiscoSecure ACS 2.1 or later. Other RADIUS servers require source code modifications to enable this feature. See your ACS documentation for details.
rad.vpdn Password = "cisco",User-Service=Outbound-User
cisco-avpair="vpdn:tunnel-id=nas@corporation.com",
cisco-avpair="vpdn:nas-password=nasSecret",
cisco-avpair="vpdn:gw-password=gwnasSecret",
cisco-avpair="vpdn:ip-addresses=10.0.0.0"
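The entry above can be checked before it is loaded onto the RADIUS server. This Python parser, added here and not taken from the CiscoSecure documentation, separates the check items from the cisco-avpair reply items and reports which of the four vpdn: attributes the entry lacks; the sample entry is constructed to match the one shown above.

```python
import re

# Constructed sample in the users-file style shown above: check items on the
# first line, cisco-avpair reply items on the continuation lines.
SAMPLE_ENTRY = '''\
rad.vpdn Password = "cisco",User-Service=Outbound-User
        cisco-avpair="vpdn:tunnel-id=nas@corporation.com",
        cisco-avpair="vpdn:nas-password=nasSecret",
        cisco-avpair="vpdn:gw-password=gwnasSecret",
        cisco-avpair="vpdn:ip-addresses=10.0.0.0"
'''

# The vpdn: attributes the home-gateway tunnel setup needs (from the entry above).
REQUIRED_VPDN = ("tunnel-id", "nas-password", "gw-password", "ip-addresses")

def parse_vpdn_entry(text):
    """Return (domain, check_items, vpdn_attrs) for one users-file entry."""
    lines = [l.strip() for l in text.strip().splitlines() if l.strip()]
    first, *rest = lines
    domain, _, checks = first.partition(" ")
    check_items = {}
    for item in checks.split(","):
        key, _, value = item.partition("=")
        check_items[key.strip()] = value.strip().strip('"')
    vpdn = {}
    for line in rest:
        # Each reply item must be cisco-avpair="vpdn:<name>=<value>" with optional trailing comma.
        m = re.fullmatch(r'cisco-avpair\s*=\s*"vpdn:([^=]+)=([^"]*)",?', line)
        if not m:
            raise ValueError(f"not a vpdn cisco-avpair reply item: {line!r}")
        vpdn[m.group(1)] = m.group(2)
    return domain, check_items, vpdn

def missing_vpdn_attrs(vpdn):
    """Names of the required vpdn: attributes that the entry does not carry."""
    return [name for name in REQUIRED_VPDN if name not in vpdn]
```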
There are two rules for matching domains:
The following rules apply if you are using CiscoSecure GRS with VPDNs:
aaa authentication ppp RADIUS local
username <Tunnel ID> password <password>
username <HG ID> password <password>
The following are example configurations that can be used with Cisco NASes. You will need to edit the examples to reflect your own configuration.
The following sample configuration for VPDN can be used for a Cisco AS5200 access server. This Cisco AS5200 access server will initially receive the call from the user and pass AAA requests to CiscoSecure GRS.
!
version 11.2
service timestamps debug datetime msec
service udp-small-servers
service tcp-small-servers
!
hostname nasisp
!
aaa new-model
aaa authentication login default noaaa local
aaa authentication ppp default tacacs+
aaa authorization network tacacs+
aaa accounting network start-stop tacacs+
enable password secret
!
username console password 7 0110090A48040A0A
ip address-pool local
vpdn enable
isdn switch-type primary-5ess
!
controller T1 0
 framing esf
 clock source line primary
 linecode b8zs
 pri-group timeslots 1-24
!
controller T1 1
!
interface Ethernet0
 ip address 10.0.0.0 255.255.255.0
 no mop enabled
!
interface Serial0:23
 ip unnumbered Ethernet0
 no ip mroute-cache
 encapsulation ppp
 isdn incoming-voice data
 dialer-group 1
 no peer default ip address
 no fair-queue
 ppp authentication chap
 ppp multilink
!
no ip classless
ip route 10.1.1.0 255.255.255.0 Serial0
!
tacacs-server host 10.1.5.5 port 1024
tacacs-server timeout 20
tacacs-server key ciscoradius
no tacacs-server directed-request
!
line con 0
 exec-timeout 0 0
 login authentication noaaa
line 1 24
line aux 0
 autoselect during-login
 autoselect ppp
line vty 0
 exec-timeout 0 0
 password secret
 login authentication noaaa
 length 46
line vty 1 4
 password secret
 login authentication noaaa
!
end
The following sample configuration is for a Cisco AS5200 access server using RADIUS connected to a CiscoSecure GRS. You can use this sample configuration for quick, easy NAS setup or modify it as necessary:
!
version 11.2
service timestamps debug datetime msec
service udp-small-servers
service tcp-small-servers
!
hostname nasisp
!
aaa new-model
aaa authentication ppp default radius local
aaa authorization network radius
aaa accounting network start-stop radius
enable password secret
!
username console password 7 0110090A48040A0A
ip address-pool local
vpdn enable
isdn switch-type primary-5ess
!
controller T1 0
 framing esf
 clock source line primary
 linecode b8zs
 pri-group timeslots 1-24
!
controller T1 1
!
interface Ethernet0
 ip address 10.0.0.0 255.255.255.0
 no mop enabled
!
interface Serial0:23
 ip unnumbered Ethernet0
 no ip mroute-cache
 encapsulation ppp
 isdn incoming-voice data
 dialer-group 1
 no peer default ip address
 no fair-queue
 ppp authentication chap
 ppp multilink
!
no ip classless
ip route 10.1.1.0 255.255.255.0 Serial0
!
radius-server host 10.1.5.5 auth-port 2045 acct-port 2046
radius-server timeout 20
radius-server key ciscoradius
!
line con 0
 exec-timeout 0 0
 login authentication noaaa
line 1 24
line aux 0
 autoselect during-login
 autoselect ppp
line vty 0
 exec-timeout 0 0
 password secret
 login authentication noaaa
 length 46
line vty 1 4
 password secret
 login authentication noaaa
!
end
The following sample configuration for VPDN can be used for a Cisco 3600 access server that is functioning as a home gateway (HG):
!
version 11.2
service timestamps debug datetime msec
no service udp-small-servers
no service tcp-small-servers
!
hostname gwcorporation
!
aaa new-model
aaa authentication login noaaa local
aaa authentication ppp default tacacs+
aaa authorization network tacacs+
aaa accounting network start-stop tacacs+
enable password secret
!
ip address-pool local
vpdn enable
vpdn incoming nastunnel@corporation.us gwcorporation@corporation.us virtual-template 1
isdn switch-type basic-ni1
!
interface Ethernet0/0
 ip address 10.2.6.6 255.255.255.0
!
interface Serial1/0
 physical-layer async
 ip unnumbered Ethernet0/0
 encapsulation ppp
 async dynamic address
 async dynamic routing
 async mode interactive
 peer default ip address pool ippool1
 dialer in-band
 dialer-group 1
 no cdp enable
 ppp authentication chap
!
interface Virtual-Template1
 ip unnumbered Ethernet0/0
 no ip mroute-cache
 no peer default ip address
 ppp authentication chap
 ppp multilink
!
ip local pool ippool1 10.2.10.3 10.1.1.4
no ip classless
!
tacacs-server host 10.2.10.10
tacacs-server timeout 20
tacacs-server key ciscoradius
!
line con 0
 exec-timeout 0 0
 password secret
 login authentication noaaa
line 17
 autoselect during-login
 autoselect ppp
 modem InOut
 modem autoconfigure type usr_sportster
 transport preferred telnet
 transport input all
 telnet transparent
 stopbits 1
 speed 2400
 flowcontrol hardware
line 18
 autoselect ppp
 modem InOut
 modem autoconfigure type usr_sportster
 transport preferred telnet
 transport input all
 telnet transparent
 stopbits 1
 speed 2400
 flowcontrol hardware
line aux 0
line vty 0
 exec-timeout 0 0
 password secret
 login authentication noaaa
line vty 1 4
 exec-timeout 20 0
 password secret
 login authentication noaaa
!
end
You can use other commands to tailor the operation of the NAS with either the TACACS+ or the RADIUS protocol. See the Router Products Command Reference or Configuration Fundamentals Command Reference publications for a detailed list of commands.