As a proxy, CiscoSecure Global Roaming Server (GRS) can authenticate users for login services such as Telnet and Rlogin. For example, after a roaming user has used a network access server (NAS) to establish a network connection, that user can run an MS-DOS window and log in to any remote UNIX or non-UNIX system in which the user has an account.
Authentications for a login service can be made across any combination of the authentication, authorization, and accounting (AAA) protocols used between a CiscoSecure GRS, an access control server (ACS), and a NAS. Therefore, authentications can be made across Remote Authentication Dial-In User Service (RADIUS) to RADIUS, RADIUS to Terminal Access Controller Access Control System Plus (TACACS+), TACACS+ to RADIUS, or TACACS+ to TACACS+.
Two kinds of login services can be created: Interactive and Directed.
An Interactive login service gives the user access to the command prompt of any remote NAS for which that user has a password.
A Directed login service gives the user access to the command prompt of any remote UNIX or non-UNIX system for which that user has an account (username and password).
Interactive and Directed login services require that a user have a profile created in the ACS.
Directed login services also require that the NAS be configured to use TACACS+ or RADIUS as the protocol used between it and CiscoSecure GRS, and that the directed login service be started on the NAS.
To create an Interactive login profile on an ACS that uses TACACS+:
user = usersi {
    password = clear "cisco"
    service = shell {
    }
}
To create an Interactive login profile on an ACS that uses RADIUS:
usersi Password = "pass"
       User_Service_Type = Shell_User
To create a Directed login profile on an ACS that uses TACACS+ (the autocmd attribute is the command the NAS runs for the user as soon as the shell is authorized, so the user is sent straight to the remote host instead of being left at the NAS prompt):
user = usersd {
    password = clear "cisco"
    service = shell {
        autocmd = "telnet 123.123.123.123"
    }
}
To create a Directed login profile on an ACS that uses RADIUS (the three attributes are the RADIUS Service-Type, Login-Service, and Login-IP-Host attributes in CiscoSecure naming):
usersd Password = "pass"
       User_Service_Type = Login
       Login_Service = Telnet
       Login_IP_Host = "123.123.123.123"
To tell the NAS which AAA protocol to use (these commands assume that aaa new-model is already enabled and that the server address and shared key have been defined with tacacs-server host and tacacs-server key, or radius-server host and radius-server key):
aaa authentication login default {tacacs+|radius}
aaa authorization exec {tacacs+|radius}
aaa authorization network {tacacs+|radius}
aaa accounting exec start-stop {tacacs+|radius}
aaa accounting network start-stop {tacacs+|radius}
To start the Directed login service on the NAS (enable EXEC on the dial-in lines so that the user's shell, and with it the autocmd or Login-Service attribute, can run):
line 1 24
 modem InOut
 transport input all
 exec
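The following is an added example, not code from the Cisco page or from CiscoSecure: a small RFC 2865 RADIUS model of the Directed login exchange that the usersd RADIUS profile above produces. The NAS sends an Access-Request carrying User-Name and a PAP-hidden User-Password; the server checks the profile and answers with an Access-Accept carrying Service-Type = Login, Login-Service = Telnet and Login-IP-Host = 123.123.123.123, which is the wire form of the profile's User_Service_Type, Login_Service and Login_IP_Host lines. The NAS verifies the Response Authenticator before acting on the reply, which is the check that stops a spoofed Access-Accept from directing a session to an attacker's host. The shared secret, NAS address, packet identifier and in-memory profile table are constructed values; only the standard library is used.

```python
# Added example (not from the Cisco page): RFC 2865 RADIUS model of a Directed login.
# Shared secret, NAS address, identifier and the PROFILES table are constructed values.
import hashlib, hmac, ipaddress, os, struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS = 1, 2, 4      # RFC 2865 attribute types
SERVICE_TYPE, LOGIN_IP_HOST, LOGIN_SERVICE = 6, 14, 15
SERVICE_TYPE_LOGIN = 1                                  # Service-Type value "Login"
LOGIN_SERVICE_NAMES = {0: "telnet", 1: "rlogin"}        # Login-Service values

# Constructed stand-in for the ACS user database: the RADIUS "usersd" profile.
PROFILES = {"usersd": {"password": "pass", "login_service": 0,
                       "login_ip_host": "123.123.123.123"}}

def encode_attrs(attrs):
    """Serialise [(type, value_bytes), ...] as type(1) length(1) value TLVs."""
    out = b""
    for t, v in attrs:
        if len(v) > 253:
            raise ValueError("attribute value too long")
        out += struct.pack("!BB", t, len(v) + 2) + v
    return out

def decode_attrs(data):
    attrs = []
    while data:
        if len(data) < 2 or data[1] < 2 or data[1] > len(data):
            raise ValueError("malformed attribute")
        attrs.append((data[0], data[2:data[1]]))
        data = data[data[1]:]
    return attrs

def hide_password(password, secret, authenticator):
    """RFC 2865 section 5.2: NUL-pad to a 16-byte multiple, XOR each block with
    MD5(secret + previous block); the first block is keyed by the Request Authenticator."""
    pw = password.encode()
    pw += b"\x00" * ((-len(pw) % 16) if pw else 16)
    out, prev = b"", authenticator
    for i in range(0, len(pw), 16):
        block = bytes(x ^ y for x, y in zip(pw[i:i + 16], hashlib.md5(secret + prev).digest()))
        out, prev = out + block, block
    return out

def reveal_password(hidden, secret, authenticator):
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        out += bytes(x ^ y for x, y in zip(hidden[i:i + 16], hashlib.md5(secret + prev).digest()))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00").decode()

def build_packet(code, ident, authenticator, attrs):
    body = encode_attrs(attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body

def parse_packet(pkt):
    if len(pkt) < 20:
        raise ValueError("packet too short")
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length != len(pkt):
        raise ValueError("length field does not match packet size")
    return code, ident, pkt[4:20], decode_attrs(pkt[20:])

def response_authenticator(code, ident, request_auth, body, secret):
    """MD5(Code + ID + Length + RequestAuth + Attributes + Secret), RFC 2865 section 3."""
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    return hashlib.md5(header + request_auth + body + secret).digest()

def nas_access_request(username, password, secret, nas_ip, ident):
    request_auth = os.urandom(16)
    attrs = [(USER_NAME, username.encode()),
             (USER_PASSWORD, hide_password(password, secret, request_auth)),
             (NAS_IP_ADDRESS, ipaddress.IPv4Address(nas_ip).packed)]
    return build_packet(ACCESS_REQUEST, ident, request_auth, attrs), request_auth

def server_handle(request, secret):
    """ACS side: check the PAP password and return an Access-Accept or Access-Reject."""
    code, ident, request_auth, attrs = parse_packet(request)
    if code != ACCESS_REQUEST:
        raise ValueError("expected Access-Request")
    a = dict(attrs)
    prof = PROFILES.get(a.get(USER_NAME, b"").decode())
    if prof is None or reveal_password(a.get(USER_PASSWORD, b""), secret, request_auth) != prof["password"]:
        code, reply = ACCESS_REJECT, []
    else:
        code, reply = ACCESS_ACCEPT, [(SERVICE_TYPE, struct.pack("!I", SERVICE_TYPE_LOGIN)),
                                      (LOGIN_SERVICE, struct.pack("!I", prof["login_service"])),
                                      (LOGIN_IP_HOST, ipaddress.IPv4Address(prof["login_ip_host"]).packed)]
    auth = response_authenticator(code, ident, request_auth, encode_attrs(reply), secret)
    return build_packet(code, ident, auth, reply)

def reply_is_authentic(reply, request_auth, secret):
    """A NAS must drop any reply whose Response Authenticator does not verify."""
    code, ident, auth, attrs = parse_packet(reply)
    return hmac.compare_digest(auth, response_authenticator(code, ident, request_auth, encode_attrs(attrs), secret))

def nas_handle_reply(reply, request_auth, secret):
    """NAS side: verify the reply, then derive the command the Directed login runs."""
    if not reply_is_authentic(reply, request_auth, secret):
        raise ValueError("bad Response Authenticator: wrong secret or forged reply")
    code, _, _, attrs = parse_packet(reply)
    a = dict(attrs)
    if code != ACCESS_ACCEPT or struct.unpack("!I", a[SERVICE_TYPE])[0] != SERVICE_TYPE_LOGIN:
        return None
    service = LOGIN_SERVICE_NAMES[struct.unpack("!I", a[LOGIN_SERVICE])[0]]
    return f"{service} {ipaddress.IPv4Address(a[LOGIN_IP_HOST])}"

def directed_login(username, password, secret=b"constructed-shared-secret"):
    """Whole NAS <-> ACS exchange: 'telnet 123.123.123.123' on accept, None on reject."""
    request, request_auth = nas_access_request(username, password, secret, "10.0.0.1", 42)
    return nas_handle_reply(server_handle(request, secret), request_auth, secret)
```

Calling directed_login("usersd", "pass") yields the command the NAS would run for the Directed login, telnet 123.123.123.123, while a wrong password or an unknown user yields None. Note that the password hiding here is the PAP scheme of RFC 2865 (an MD5-keyed XOR with the shared secret), so the strength of the exchange rests entirely on the shared secret; the Response Authenticator check in nas_handle_reply is what prevents a host that does not know the secret from answering on the server's behalf.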
Posted: Wed Feb 24 12:11:16 PST 1999
Copyright © 1989-1999 Cisco Systems Inc.