Login Services

As a proxy, CiscoSecure Global Roaming Server (GRS) can authenticate users for login services such as Telnet and Rlogin. For example, after a roaming user has used a network access server (NAS) to establish a network connection, that user can run an MS-DOS window and log in to any remote UNIX or non-UNIX system in which the user has an account.

Authentications for a login service can be made across any combination of the authentication, authorization, and accounting (AAA) protocols used between a CiscoSecure GRS, an access control server (ACS), and a NAS. Therefore, authentications can be made across Remote Authentication Dial-In User Service (RADIUS) to RADIUS, RADIUS to Terminal Access Controller Access Control System (TACACS+), TACACS+ to RADIUS, or TACACS+ to TACACS+.

Two kinds of login services can be created: Interactive and Directed.

Interactive Login

An Interactive login service gives the user access to the command prompt of any remote NAS for which that user has a password.

Directed Login

A Directed login service gives the user access to the command prompt of any remote UNIX or non-UNIX system for which that user has an account (username and password).

Examples

Interactive and Directed login services require that a user have a profile created in the ACS.

Directed login services also require that the NAS be configured to use TACACS+ or RADIUS as the protocol used between it and CiscoSecure GRS, and that the directed login service be started on the NAS.

Configuring an Interactive Login Service

Starting an Interactive login service for a user requires that a profile be created for the user in the ACS. Examples are shown below. For more information, see the CiscoSecure ACS 2.3 for UNIX User Guide.


Note: An ACS typically has both the TACACS+ and RADIUS protocols running.

To create a profile on an ACS that uses TACACS+:

user = usersi {
    password = clear "cisco"
    service = shell { }
}

To create a profile on an ACS that uses RADIUS:

usersi Password = "pass"
    User_Service_Type = Shell_User

Configuring a Directed Login Service

Creating a Directed login service for a user requires that a profile be created for the user in the ACS, that the NAS has the service running, and that the NAS is using the correct AAA protocol. Examples are shown below. For more information, see the CiscoSecure ACS 2.3 for UNIX User Guide.

To create a profile on an ACS using TACACS+:

user = usersd {
    password = clear "cisco"
    service = shell {
        autocmd = "telnet 123.123.123.123"
    }
}

To create a profile on an ACS using RADIUS:

usersd Password = "pass"
    User_Service_Type = Login
    Login_Service = Telnet
    Login_IP_Host = "123.123.123.123"

To tell the NAS which AAA protocol to use:

aaa authentication login default {tacacs+|radius}
aaa authorization exec {tacacs+|radius}
aaa authorization network {tacacs+|radius}
aaa accounting exec start-stop {tacacs+|radius}
aaa accounting network start-stop {tacacs+|radius}

To start the Directed login service on the NAS:

line 1 24
modem InOut
transport input all
exec
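As an added check that is not part of this page or of the CiscoSecure product, the following Python script parses the brace-delimited TACACS+ profile syntax used in the Interactive and Directed examples above, rejects a profile with unbalanced braces (the kind of defect that silently breaks a Directed login), and flags a clear-text password or an autocmd that sends the user to a host outside an approved list. The profile texts, the allow-list and all function names are constructed for this example.

```python
import re
# Constructed sample profiles, modelled on this page's Interactive and Directed examples.
INTERACTIVE = 'user = usersi {\n    password = clear "cisco"\n    service = shell { }\n}\n'
DIRECTED = ('user = usersd {\n    password = clear "cisco"\n    service = shell {\n'
            '        autocmd = "telnet 123.123.123.123"\n    }\n}\n')
# A deliberately broken copy: the final closing brace replaced by an opening one.
BROKEN = DIRECTED[:-2] + '{\n'

_TOKEN = re.compile(r'"[^"]*"|[{}=]|[^\s{}="]+')   # quoted string, brace/equals, bare word

def _parse_block(tokens, i):
    """Parse `key = value [{ nested }]` entries until a closing brace or end of input."""
    block = {}
    while i < len(tokens) and tokens[i] != '}':
        if i + 2 >= len(tokens) or tokens[i] in '{}=' or tokens[i + 1] != '=':
            raise ValueError('malformed entry near token %d' % i)
        key, value, i = tokens[i], tokens[i + 2].strip('"'), i + 3
        if key == 'password':                 # form: password = <encoding> "<secret>"
            value, i = (value, tokens[i].strip('"')), i + 1
        if i < len(tokens) and tokens[i] == '{':
            nested, i = _parse_block(tokens, i + 1)
            if i >= len(tokens):              # input ended before the matching '}'
                raise ValueError('unbalanced braces')
            value, i = {value: nested}, i + 1  # e.g. service = shell { ... }
        block[key] = value
    return block, i

def parse_profile(text):
    tokens = _TOKEN.findall(text)
    prof, end = _parse_block(tokens, 0)
    if end != len(tokens):                    # a stray '}' at top level
        raise ValueError('unbalanced braces')
    return prof

def audit_profile(text, allowed_hosts):
    """Return (username, findings) for one profile; findings are plain-text review notes."""
    prof = parse_profile(text)
    (name, body), = prof['user'].items()
    findings = []
    pw = body.get('password')
    if pw and pw[0] == 'clear':
        findings.append('%s: password stored in clear text' % name)
    shell = body.get('service', {}).get('shell')
    if shell is None:
        findings.append('%s: no shell service, login will be refused' % name)
    elif 'autocmd' in shell:                  # Directed login: check where the user is sent
        host = shell['autocmd'].split()[-1]
        if host not in allowed_hosts:
            findings.append('%s: autocmd targets unapproved host %s' % (name, host))
    return name, findings
```

Running `audit_profile(BROKEN, set())` raises `ValueError`, which is the result a pre-deployment check of the profile file should treat as a failure.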


Posted: Wed Feb 24 12:11:16 PST 1999
Copyright © 1989-1999 Cisco Systems Inc.