
Table of Contents

Selecting AAA Server Groups Based on DNIS

Feature Overview

Supported Platforms

Supported Standards, MIBs, and RFCs

Prerequisites

Configuration Tasks

Configuration Examples

Command Reference

Selecting AAA Server Groups Based on DNIS

This feature module describes how to configure a Cisco router or access server to use the Dialed Number Information Service (DNIS) to select a particular authentication, authorization, and accounting (AAA) server group.

This document includes the following sections:

Feature Overview

In past Cisco IOS releases, authentication and accounting services (otherwise referred to as AAA services) have been implemented in one of the following methods:

With Cisco IOS Release 12.0(6)T, you can now select a AAA server group (to which authentication and accounting requests will be sent) using DNIS. Using this new Selecting AAA Server Groups Based on DNIS feature, you can specify the same server group for AAA services or a separate server group for each AAA service. You can now configure authentication and accounting on different physical devices and provide fail-over backup support.

This feature obsoletes the previous Cisco IOS Release 12.0(2)T AAA DNIS Map feature.

Order of Precedence

AAA is extremely flexible; each of the three methods described for defining AAA services can be configured on the same network access server simultaneously. Because each of these AAA configuration methods can be configured simultaneously, Cisco has established an order of precedence to determine which server or groups of servers provide AAA services. The order of precedence is as follows:

Benefits

The Selecting AAA Server Groups Based on DNIS feature provides the following benefits:

Restrictions

This feature obsoletes the previous AAA DNIS Map feature as described in the Cisco IOS Release 12.0(2)T Selecting AAA Servers Using DNIS Numbers feature module.

Related Features and Technologies

Related Documents

Supported Platforms

This feature is supported on all platforms supporting AAA.

Supported Standards, MIBs, and RFCs

Standards

No new or modified standards are supported by this feature.

MIBs

No new or modified MIBs are supported by this feature.

For descriptions of supported MIBs and how to use MIBs, see the Cisco MIB web site on CCO at http://www.cisco.com/public/sw-center/netmgmt/cmtk/mibs.shtml.

RFCs

No new or modified RFCs are supported by this feature.

Prerequisites

Before you can configure your network access server to select a AAA server group based on the DNIS, you need to configure the remote security servers associated with each AAA server group. AAA recognizes two different security server protocols for AAA server groups: RADIUS and TACACS+. For more information about configuring your network access server to support either RADIUS or TACACS+, refer to the Cisco IOS Release 12.0 Security Configuration Guide.

Configuration Tasks

See the following sections for configuration tasks for the Selecting AAA Server Groups Based on DNIS feature. Each task in the list indicates if the task is optional or required.

Enabling AAA

To configure your network access server to select a particular AAA server group based on the DNIS of the group, enable AAA using the following command:

Command: Router(config)# aaa new-model
Purpose: Enables AAA security services globally.

For more information about enabling AAA, refer to the Cisco IOS Release 12.0 Security Configuration Guide.

Defining the Security Server Parameters for Each Server

After you have enabled AAA, define the parameters associated with each security server that is associated with that AAA server group by using the following commands:

Step 1
Command:
Router(config)# radius-server host ip-address [auth-port port-number] [acct-port port-number]
or
Router(config)# tacacs-server host ip-address [auth-port port-number] [acct-port port-number]
Purpose: Specifies the security server protocol and defines the security server host IP address. AAA recognizes two different protocols for AAA server groups: RADIUS and TACACS+.

Use the auth-port port-number option to configure a specific port on this AAA server to be used solely for authentication. Use the acct-port port-number option to configure a specific port on this AAA server to be used solely for accounting.

Repeat this step for every AAA server in the AAA server group.

Step 2
Command:
Router(config)# radius-server key key
or
Router(config)# tacacs-server key key
Purpose: Defines the security server secret shared key.

For more information about configuring RADIUS or TACACS+ on the network access server, refer to the Cisco IOS Release 12.0 Security Configuration Guide.

Defining the AAA Server Group by Name

The next step in configuring your network access server to select AAA server groups by DNIS is to define the name of the security server groups and then associate the appropriate security servers to the group using the following commands:

Step 1
Command: Router(config)# aaa group server {radius | tacacs+} group-name
Purpose: Specifies the security protocol associated with the AAA server group and defines the name of the AAA server group.

Step 2
Command: Router(config-sg-radius)# server ip-address
Purpose: Associates a particular RADIUS server with the defined server group. Each security server is identified by its IP address. Repeat this step for each RADIUS server in the AAA server group.
or
Command: Router(config-sg-tacacs+)# server ip-address
Purpose: Associates a particular TACACS+ server with the defined server group. Each security server is identified by its IP address. Repeat this step for each TACACS+ server in the AAA server group.

For more information about configuring AAA security server groups, refer to the Cisco IOS Release 12.0(5)T AAA Server Groups feature module.

Associating the AAA Server Group with a DNIS

The final step in configuring the network access server to select a particular AAA server group based on the DNIS of the server group is to configure DNIS mapping. In essence, you need to enable DNIS mapping, then associate the previously defined AAA server group, and whether the devices in it are processing authentication or accounting requests, with a DNIS using the following commands:

Step 1
Command: Router(config)# aaa dnis map enable
Purpose: Enables DNIS mapping.

Step 2
Command: Router(config)# aaa dnis map dnis-number authentication ppp group server-group-name
Purpose: Maps a DNIS number to a defined AAA server group; the servers in this server group are being used for authentication.

Step 3
Command: Router(config)# aaa dnis map dnis-number accounting network [none | start-stop | stop-only | wait-start] group server-group-name
Purpose: Maps a DNIS number to a defined AAA server group; the servers in this server group are being used for accounting.

Verifying Selecting AAA Server Groups Based on DNIS

Configuration Examples

The following example selects RADIUS server groups based on DNIS to provide specific AAA services:

! This command enables AAA.
aaa new-model
!
! The following set of commands configures the RADIUS attributes for each server
! that will be associated with one of the defined server groups.
radius-server host 172.16.0.1 auth-port 1645 acct-port 1646 key cisco1
radius-server host 172.17.0.1 auth-port 1645 acct-port 1646 key cisco2
radius-server host 172.18.0.1 auth-port 1645 acct-port 1646 key cisco3
radius-server host 172.19.0.1 auth-port 1645 acct-port 1646 key cisco4
radius-server host 172.20.0.1 auth-port 1645 acct-port 1646 key cisco5
!
! The following commands define the sg1 RADIUS server group and associate servers
! with it.
aaa group server radius sg1
 server 172.16.0.1
 server 172.17.0.1
!
! The following commands define the sg2 RADIUS server group and associate a server
! with it.
aaa group server radius sg2
 server 172.18.0.1
!
! The following commands define the sg3 RADIUS server group and associate a server
! with it.
aaa group server radius sg3
 server 172.19.0.1
!
! The following commands define the default-group RADIUS server group and associate
! a server with it.
aaa group server radius default-group
 server 172.20.0.1
!
! The next set of commands configures default-group RADIUS server group parameters.
aaa authentication ppp default group default-group
aaa accounting network default start-stop group default-group
!
! The next set of commands enables DNIS mapping and maps DNIS numbers to the defined
! RADIUS server groups. In this configuration, all PPP connection requests using DNIS
! 7777 are sent to the sg1 server group. The accounting records for these connections
! (specifically, start-stop records) are handled by the sg2 server group. Calls with a
! DNIS of 8888 use server group sg3 for authentication and server group default-group
! for accounting. Calls with a DNIS of 9999 use server group default-group for
! authentication and server group sg3 for accounting records (stop
! records only). All other calls with DNIS other than the ones defined use the server
! group default-group for both authentication and start-stop accounting records.
aaa dnis map enable
aaa dnis map 7777 authentication ppp group sg1
aaa dnis map 7777 accounting network start-stop group sg2
aaa dnis map 8888 authentication ppp group sg3
aaa dnis map 9999 accounting network stop-only group sg3
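
The following is an added example, not Cisco's code and not part of the original feature module: a Python audit helper that reads the server-group, default method list and DNIS-map lines of the configuration example above and reports which server group handles authentication and accounting for a given DNIS, plus any referenced group that is never defined. It models only the DNIS maps and the default method lists, and assumes DNIS maps have no effect without aaa dnis map enable; the function names are illustrative.

```python
import re

# Group, default and DNIS-map lines copied from the configuration example above.
CONFIG = """\
aaa group server radius sg1
 server 172.16.0.1
 server 172.17.0.1
aaa group server radius sg2
 server 172.18.0.1
aaa group server radius sg3
 server 172.19.0.1
aaa group server radius default-group
 server 172.20.0.1
aaa authentication ppp default group default-group
aaa accounting network default start-stop group default-group
aaa dnis map enable
aaa dnis map 7777 authentication ppp group sg1
aaa dnis map 7777 accounting network start-stop group sg2
aaa dnis map 8888 authentication ppp group sg3
aaa dnis map 9999 accounting network stop-only group sg3
"""

def parse(config):
    """Return (groups, dnis_maps, defaults, dnis_mapping_enabled)."""
    groups, maps, defaults, current = {}, {}, {}, None
    for line in map(str.strip, config.splitlines()):
        if current is not None and (m := re.match(r"server (\S+)$", line)):
            current.append(m.group(1))  # member of the group being defined
            continue
        current = None  # any other command leaves server-group sub-mode
        if m := re.match(r"aaa group server (?:radius|tacacs\+) (\S+)$", line):
            current = groups.setdefault(m.group(1), [])
        elif m := re.match(r"aaa dnis map (\d+) (authentication|accounting) .*group (\S+)$", line):
            maps[m.group(1), m.group(2)] = m.group(3)
        elif m := re.match(r"aaa (authentication|accounting) \S+ default .*group (\S+)$", line):
            defaults[m.group(1)] = m.group(2)
    return groups, maps, defaults, bool(re.search(r"^\s*aaa dnis map enable\s*$", config, re.M))

def resolve(config, dnis):
    """Return {service: (group name, servers)} for a call arriving with this DNIS."""
    groups, maps, defaults, enabled = parse(config)
    def pick(service):  # assumption: a DNIS map wins only when mapping is enabled
        return (maps.get((dnis, service)) if enabled else None) or defaults.get(service)
    return {s: (pick(s), groups.get(pick(s), [])) for s in ("authentication", "accounting")}

def undefined_groups(config):
    """Group names used by a DNIS map or default list but never defined."""
    groups, maps, defaults, _ = parse(config)
    return sorted({g for g in (*maps.values(), *defaults.values()) if g not in groups})
```

Run resolve() for each DNIS in use and undefined_groups() once per configuration before deploying a change to the maps.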

Command Reference

This section documents new commands. All other commands used with this feature are documented in the Cisco IOS Release 12.0 command reference publications and Cisco IOS Release 12.0 T feature modules.

New Commands

aaa dnis map accounting network group

To map a Dialed Number Information Service (DNIS) number to a particular authentication, authorization, and accounting (AAA) server group (this server group will be used for AAA accounting), use the aaa dnis map accounting network group global configuration command. To unmap this DNIS number from the defined server group, use the no form of this command.

aaa dnis map dnis-number accounting network [none | start-stop | stop-only | wait-start] group server-group-name

no aaa dnis map dnis-number accounting network [none | start-stop | stop-only | wait-start] group server-group-name

Syntax Description

dnis-number: Number of the DNIS.

none: (Optional) Indicates that the defined security server group will not send accounting notices.

start-stop: (Optional) Indicates that the defined security server group will send a start-accounting notice at the beginning of a process and a stop-accounting notice at the end of a process. The start-accounting record is sent in the background. (The requested user process begins regardless of whether the start accounting notice was received by the accounting server.)

stop-only: (Optional) Indicates that the defined security server group will send a stop-accounting notice at the end of the requested user process.

wait-start: (Optional) Indicates that the security server group will send both a start and a stop-accounting notice to the accounting server. However, if you use the wait-start keyword, the requested user service does not begin until the start-accounting notice is acknowledged. A stop-accounting notice is also sent.

server-group-name: Character string used to name a group of security servers associated in a server group.

Defaults

Disabled

Command Modes

Global configuration

Command History

Release     Modification
12.0(7)T    This command was introduced.

Usage Guidelines

This command lets you assign a DNIS number to a particular AAA server group, so that the server group can process accounting requests for users dialing in to the network using that particular DNIS. To use this command, you must first enable AAA, define an AAA server group, and enable DNIS mapping.

Examples

The following example maps DNIS number 7777 to the RADIUS server group called group1. Server group group1 will use RADIUS server 172.30.0.0 for accounting requests for users dialing in with DNIS 7777.

Router(config)# aaa new-model
Router(config)# radius-server host 172.30.0.0 acct-port 1646 key cisco1
Router(config)# aaa group server radius group1
Router(config-sg-radius)# server 172.30.0.0
Router(config)# aaa dnis map enable
Router(config)# aaa dnis map 7777 accounting network group group1

Related Commands

Command                                  Description
aaa new-model                            Enables the AAA access control model.
aaa dnis map authentication ppp group    Maps a DNIS number to a AAA server group used for authentication services.
aaa dnis map enable                      Enables AAA server selection based on DNIS number.
aaa group server                         Groups different server hosts into distinct lists and methods.
radius-server host                       Specifies and defines the IP address of the RADIUS server host.

aaa dnis map authentication ppp group

To map a Dialed Number Information Service (DNIS) number to a particular authentication, authorization, and accounting (AAA) server group (this server group will be used for AAA authentication), use the aaa dnis map authentication ppp group global configuration command. To unmap this DNIS number from the defined server group, use the no form of this command.

aaa dnis map dnis-number authentication ppp group server-group-name

no aaa dnis map dnis-number authentication ppp group server-group-name

Syntax Description

dnis-number: Number of the DNIS.

server-group-name: Character string used to name a group of security servers associated in a server group.

Defaults

Disabled

Command Modes

Global configuration

Command History

Release     Modification
12.0(6)T    This command was introduced.

Usage Guidelines

This command lets you assign a DNIS number to a particular AAA server group, so that the server group can process authentication requests for users dialing in to the network using that particular DNIS. To use this command, you must first enable AAA, define an AAA server group, and enable DNIS mapping.

Examples

The following example maps DNIS number 7777 to the RADIUS server group called group1. Server group group1 will use RADIUS server 172.30.0.0 for authentication requests for users dialing in with DNIS 7777.

Router(config)# aaa new-model
Router(config)# radius-server host 172.30.0.0 auth-port 1645 key cisco1
Router(config)# aaa group server radius group1
Router(config-sg-radius)# server 172.30.0.0
Router(config)# aaa dnis map enable
Router(config)# aaa dnis map 7777 authentication ppp group group1

Related Commands

Command                                  Description
aaa new-model                            Enables the AAA access control model.
aaa dnis map accounting network group    Maps a DNIS number to a AAA server group used for accounting services.
aaa dnis map enable                      Enables AAA server selection based on DNIS number.
aaa group server                         Groups different server hosts into distinct lists and methods.
radius-server host                       Specifies and defines the IP address of the RADIUS server host.


Posted: Fri Dec 10 18:56:26 PST 1999
Copyright 1989-1999©Cisco Systems Inc.