The User Maximum Links feature provides a method to limit the number of inbound connections a user can establish with a device. This maximum connection limit is only imposed on links that have name authentication configured.
Previously, there was no method to limit the number of connections a user could establish.
In multilink environments, each PPP multilink connection is counted as one connection.
The User Maximum Links feature enables ISPs to limit the number of inbound connections a user can establish so that they can provide various levels of subscriptions at different costs.
Users who desire more bandwidth can be charged a higher rate to establish multiple connections, while users who require only a single connection can be charged a discounted rate.
For more information on AAA and PPP encapsulation, see:
For more information on PPP encapsulation, see:
All Cisco IOS platforms running Cisco IOS Release 12.0(5)T or later.
None
For descriptions of supported MIBs and how to use MIBs, see the Cisco MIB web site on CCO at http://www.cisco.com/public/sw-center/netmgmt/cmtk/mibs.shtml.
None
None
Before using the User Maximum Links feature, you need to complete the following tasks:
See the following sections for configuration tasks for the User Maximum Links feature. Each task in the list indicates if the task is optional or required.
| Step | Command | Purpose |
|---|---|---|
| 1 | Router(config)#aaa new-model | Enables the AAA access control system. This command immediately locks down login and PPP authentication. |
| 2 | Router(config)#aaa authorization network default local | Specifies that network-related service requests will be authorized by using the local database. To limit the number of user links, local authorization must be used. |
| 3 | Router(config)#username name user-maxlinks link-number password secret | Adds a username that cannot establish more connections than the number specified by the link-number argument. |
Step 1 Enter a username command for a test user who can establish only one connection:
Router(config)#username althea user-maxlinks 1 password settleback
Step 2 Configure AAA, name authentication, and PPP encapsulation on the interfaces that will be used as described in the following configuration example.
Step 3 Use the show running-config command to verify the configuration.
Step 4 Connect to the router using the connection-limited username.
Step 5 Attempt to open a second connection.
Step 6 Observe the failed PPP authentication.
In the following example, a user with the username sTephen can establish a maximum of five connections. sTephen can connect through serial interface 1/0, which has a dialer map configured for him, or through PRI interface 0/0:23, which has dialer profile interface 0 dedicated to him.
The aaa authorization network default local command must be configured. PPP encapsulation and authentication must be enabled on all the interfaces sTephen can connect to.
```
aaa new-model
aaa authorization network default local
enable secret saintstephen
enable password witharose
!
username sTephen user-maxlinks 5 password gardenhegoes
!
interface Serial0/0:23
 no ip address
 encapsulation ppp
 dialer pool-member 1
 ppp authentication chap
 ppp multilink
!
interface Serial1/0
 ip address 2.2.2.4 255.255.255.0
 encapsulation ppp
 dialer in-band
 dialer map ip 2.2.2.13 name sTephen 12345
 dialer-group 1
 ppp authentication chap
!
interface Dialer0
 ip address 1.1.1.4 255.255.255.0
 encapsulation ppp
 dialer remote-name sTephen
 dialer string 23456
 dialer pool 1
 dialer-group 1
 ppp authentication chap
 ppp multilink
!
dialer-list 1 protocol ip permit
```
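Because the limit is imposed only where local network authorization and name authentication are both configured, a single PPP interface without authentication leaves a path on which the limit does not apply. The following Python check is an added example, not Cisco code: it audits a saved configuration for the prerequisites named above. The sample configuration, the username alice and the function names are constructed for illustration, and the parser assumes interface subcommands are indented as in show running-config output.

```python
import re

# Constructed sample config (not from the page); alice and examplepw are made up.
SAMPLE = """\
aaa new-model
!
username alice user-maxlinks 2 password examplepw
!
interface Serial1/0
 encapsulation ppp
 ppp authentication chap
!
interface Serial1/1
 encapsulation ppp
"""

def parse(config):
    """Split an IOS-style config into global commands and per-interface commands."""
    global_cmds, interfaces, current = [], {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line == "!":
            current = None                      # separator ends the current block
        elif line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif raw[0].isspace() and current:
            interfaces[current].append(line)    # indented line belongs to the interface
        else:
            current = None
            global_cmds.append(line)
    return global_cmds, interfaces

def audit_user_maxlinks(config):
    """Return findings where a user-maxlinks limit lacks a prerequisite the page names."""
    global_cmds, interfaces = parse(config)
    users = [m.group(1) for c in global_cmds
             if (m := re.match(r"username (\S+) user-maxlinks (\d+)\b", c))]
    if not users:
        return []                               # no limited users, nothing to check
    findings = []
    for required in ("aaa new-model", "aaa authorization network default local"):
        if required not in global_cmds:
            findings.append(f"missing global command: {required}")
    for name, cmds in interfaces.items():
        if "encapsulation ppp" in cmds and not any(
                c.startswith("ppp authentication ") for c in cmds):
            findings.append(f"{name}: encapsulation ppp without ppp authentication")
    return findings
```

Running `audit_user_maxlinks(SAMPLE)` reports the missing authorization command and the unauthenticated Serial1/1 interface; a configuration with both corrected returns an empty list.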
This section documents modified commands. All other commands used with this feature are documented in the Cisco IOS Release 12.0 command reference publication.
To specify the password to be used in the PPP Challenge Handshake Authentication Protocol (CHAP) caller identification and Password Authentication Protocol (PAP), use the username global configuration command. To remove a username from the configuration, use the no form of this command.
username name [user-maxlinks link-number] password secret
| name | Host name, server name, user ID, or command name. |
| user-maxlinks | Limits the number of links the user can establish. |
| link-number | The maximum number of links allowed. |
| password | An encrypted password for this username. |
| secret | For CHAP authentication: specifies the secret password for the local router or access server or the remote device. The secret password is encrypted when it is stored on the local router or access server. This prevents the secret password from being stolen. The secret password can consist of any string of up to 11 printable ASCII characters, but cannot include spaces or underscores. There is no limit to the number of username-password combinations that can be specified, allowing any number of remote devices to be authenticated. |
No password is predefined.
Global configuration
| Release | Modification |
|---|---|
| 11.1 | This command was introduced. |
| 12.0(5)T | The user-maxlinks keyword and link-number argument were added. |
Supply a name entry for the name argument for each remote system from which the local router or access server requires authentication.
The username command is required as part of the configuration for authentication protocols, such as CHAP and PAP. For each remote system that the local router or access server communicates with from which it requires authentication, you add a corresponding username command.
To use the user-maxlinks keyword, you must also use the aaa authorization network default local command, and PPP encapsulation and name authentication on all the interfaces the user will be accessing.
If no secret password is specified and the debug serial-interface command is enabled, an error is displayed when a link is established and the authentication protocol challenge is not implemented. Debugging information about authentication protocols is available using the debug serial-interface and debug serial-packet commands. See the Debug Command Reference publication for more information.
The following example configuration enables CHAP on serial interface 0. It also defines a password for local server Adam and remote server Eve. Eve can establish a maximum of five inbound connections to Adam.
```
hostname Adam
interface serial 0
 encapsulation ppp
 ppp authentication chap
username Eve user-maxlinks 5 password theirsystem
```
When you look at your configuration file, the passwords will be encrypted, and the display will look similar to the following:
```
hostname Adam
interface serial 0
 encapsulation ppp
 ppp authentication chap
username Eve user-maxlinks 5 password 7 121F0A18
```
| Command | Description |
|---|---|
| hostname | Specifies or modifies the host name for the network server. |
Posted: Thu Aug 5 09:26:02 PDT 1999
Copyright 1989-1999©Cisco Systems Inc.