|
|
This chapter describes the Remote Authentication Dial-In User Service (RADIUS) security system, defines its operation, and identifies appropriate and inappropriate network environments for using RADIUS technology. The "RADIUS Configuration Task List" section describes how to configure RADIUS with the authentication, authorization, and accounting (AAA) command set.
For a complete description of the RADIUS commands used in this chapter, refer to the "RADIUS Commands" chapter in the Cisco IOS Security Command Reference. To locate documentation of other commands that appear in this chapter, use the command reference master index or search online.
This chapter includes the following sections:
RADIUS is a distributed client/server system that secures networks against unauthorized access. In the Cisco implementation, RADIUS clients run on Cisco routers and send authentication requests to a central RADIUS server that contains all user authentication and network service access information.
RADIUS is a fully open protocol, distributed in source code format, that can be modified to work with any security system currently available on the market.
Cisco supports RADIUS under its AAA security paradigm. RADIUS can be used with other AAA security protocols, such as TACACS+, Kerberos, or local username lookup. RADIUS is supported on all Cisco platforms.
RADIUS has been implemented in a variety of network environments that require high levels of security while maintaining network access for remote users.
Use RADIUS in the following network environments that require access security:
RADIUS is not suitable in the following network security situations:
When a user attempts to log in and authenticate to an access server using RADIUS, the following steps occur:
1. The user is prompted for and enters a username and password.
2. The username and encrypted password are sent over the network to the RADIUS server.
3. The user receives one of the following responses from the RADIUS server:
a. ACCEPT---The user is authenticated.
b. REJECT---The user is not authenticated and is prompted to reenter the username and password, or access is denied.
c. CHALLENGE---A challenge is issued by the RADIUS server. The challenge collects additional data from the user.
d. CHANGE PASSWORD---A request is issued by the RADIUS server, asking the user to select a new password.
The ACCEPT or REJECT response is bundled with additional data that is used for EXEC or network authorization. You must first complete RADIUS authentication before using RADIUS authorization. The additional data included with the ACCEPT or REJECT packets consists of the following:
To configure RADIUS on your Cisco router or access server, you must perform the following tasks:
The following configuration tasks are optional:
This section describes how to set up RADIUS for authentication, authorization, and accounting on your network, and includes the following sections:
For RADIUS configuration examples using the commands in this chapter, refer to the "RADIUS Configuration Examples" section at the end of the this chapter.
The RADIUS host is normally a multiuser system running RADIUS server software from Livingston, Merit, Microsoft, or another software provider. Configuring router to RADIUS server communication can have several components:
RADIUS security servers are identified on the basis of their host name or IP address, host name and specific UDP port numbers, or IP address and specific UDP port numbers. The combination of the IP address and UDP port number creates a unique identifier, allowing different ports to be individually defined as RADIUS hosts providing a specific AAA service. In other words, this unique identifier enables RADIUS requests to be sent to multiple UDP ports on a server at the same IP address. If two different host entries on the same RADIUS server are configured for the same service---for example, accounting---the second host entry configured acts as fail-over backup to the first one. Using this example, if the first host entry fails to provide accounting services, the network access server will try the second host entry configured on the same device for accounting services. (The RADIUS host entries will be tried in the order they are configured.)
A RADIUS server and a Cisco router use a shared secret text string to encrypt passwords and exchange responses.To configure RADIUS to use the AAA security commands, you must specify the host running the RADIUS server daemon and a secret text (key) string that it shares with the router.
The timeout, retransmission, and encryption key values are configurable globally for all RADIUS servers, on a per-server basis, or in some combination of global and per-server settings. To apply these settings globally to all RADIUS servers communicating with the router, use the three unique global commands: radius-server timeout, radius-server retransmit, and radius-server key. To apply these values on a specific RADIUS server, use the radius-server host command.
 |
Note You can configure both global and per-server timeout, retransmission, and key value commands simultaneously on the same Cisco network access server. If both global and per-server functions are configured on a router, the per-server timer, retransmission, and key value commands override global timer, retransmission, and key value commands. |
To configure per-server RADIUS server communication, use the following command in global configuration mode:
| Command | Purpose | ||
|---|---|---|---|
radius-server host {hostname | ip-address}
[auth-port port-number] [acct-port port-number]
[timeout seconds] [retransmit retries] [key
string]
| Specifies the IP address or host name of the remote RADIUS server host and assign authentication and accounting destination port numbers. Use the auth-port port-number option to configure a specific UDP port on this RADIUS server to be used solely for authentication. Use the acct-port port-number option to configure a specific UDP port on this RADIUS server to be used solely for accounting. To configure the network access server to recognize more than one host entry associated with a single IP address, simply repeat this command as many times as necessary, making sure that each UDP port number is different. Set the timeout, retransmit, and encryption key values to use with the specific RADIUS host. If no timeout is set, the global value is used; otherwise, enter a value in the range 1 to 1000. If no retransmit value is set, the global value is used; otherwise enter a value in the range 1 to 1000. If no key string is specified, the global value is used.
|
To configure global communication settings between the router and a RADIUS server, use the following radius-server global configuration commands:
| Command | Purpose | |
|---|---|---|
Step1 | radius-server key string | Specifies the shared secret text string used between the router and a RADIUS server. |
Step2 | radius-server retransmit retries | Specifies the number of times the router transmits each RADIUS request to the server before giving up (the default is three). |
Step3 | radius-server timeout seconds | Specifies the number of seconds a router waits for a reply to a RADIUS request before retransmitting the request. |
Step4 | radius-server deadtime minutes | Specifies the number of minutes a RADIUS server, which is not responding to authentication requests, is passed over by requests for RADIUS authentication. |
The Internet Engineering Task Force (IETF) draft standard specifies a method for communicating vendor-specific information between the network access server and the RADIUS server by using the vendor-specific attribute (attribute 26). Vendor-specific attributes (VSAs) allow vendors to support their own extended attributes not suitable for general use. The Cisco RADIUS implementation supports one vendor-specific option using the format recommended in the specification. Cisco's vendor-ID is 9, and the supported option has vendor-type 1, which is named "cisco-avpair." The value is a string of the following format:
protocol : attribute sep value *
"Protocol" is a value of the Cisco "protocol" attribute for a particular type of authorization. "Attribute" and "value" are an appropriate attribute-value (AV) pair defined in the Cisco TACACS+ specification, and "sep" is "=" for mandatory attributes and "*" for optional attributes. This allows the full set of features available for TACACS+ authorization to also be used for RADIUS.
For example, the following AV pair causes Cisco's "multiple named ip address pools" feature to be activated during IP authorization (during PPP's IPCP address assignment):
cisco-avpair= "ip:addr-pool=first"
The following example shows how to cause a user logging in from a network access server to have immediate access to EXEC commands:
cisco-avpair= "shell:priv-lvl=15"
Other vendors have their own unique vendor-IDs, options, and associated VSAs. For more information about vendor-IDs and VSAs, refer to RFC 2138, "Remote Authentication Dial-In User Service (RADIUS)."
To configure the network access server to recognize and use VSAs, use the following command in global configuration mode:
| Command | Purpose |
|---|---|
radius-server vsa send [accounting | authentication] | Enables the network access server to recognize and use VSAs as defined by RADIUS IETF attribute 26. |
For a complete list of RADIUS attributes or more information about vendor-specific attribute26, refer to the "RADIUS Attributes" appendix.
Although an Internet Engineering Task Force (IETF) draft standard for RADIUS specifies a method for communicating vendor-proprietary information between the network access server and the RADIUS server, some vendors have extended the RADIUS attribute set in a unique way. CiscoIOS software supports a subset of vendor-proprietary RADIUS attributes.
As mentioned earlier, to configure RADIUS (whether vendor-proprietary or IETF draft-compliant), you must specify the host running the RADIUS server daemon and the secret text string it shares with the Cisco device. You specify the RADIUS host and secret text string by using the radius-server commands. To identify that the RADIUS server is using a vendor-proprietary implementation of RADIUS, use the radius-server host non-standard command. Vendor-proprietary attributes will not be supported unless you use the radius-server host non-standard command.
To specify a vendor-proprietary RADIUS server host and a shared secret text string, use the following commands in global configuration mode:
| Command | Purpose | |
|---|---|---|
Step1 | radius-server host {hostname | ip-address}
non-standard
| Specifies the IP address or host name of the remote RADIUS server host and identify that it is using a vendor-proprietary implementation of RADIUS. |
Step2 | radius-server key string | Specifies the shared secret text string used between the router and the vendor-proprietary RADIUS server. The router and the RADIUS server use this text string to encrypt passwords and exchange responses. |
Some vendor-proprietary implementations of RADIUS let the user define static routes and IP pool definitions on the RADIUS server instead of on each individual network access server in the network. Each network access server then queries the RADIUS server for static route and IP pool information.
To have the Cisco router or access server query the RADIUS server for static routes and IP pool definitions when the device first starts up, use the following command in global configuration mode:
| Command | Purpose |
|---|---|
radius-server configure-nas | Tells the Cisco router or access server to query the RADIUS server for the static routes and IP pool definitions used throughout its domain. |
|
NoteBecause the radius-server configure-nas command is performed when the Cisco router starts up, it will not take effect until you issue a copy system:running config nvram:startup-config command. |
There are some situations when PPP or login authentication occurs on an interface different from the interface on which the call itself comes in. For example, in a V.120 ISDN call, login or PPP authentication occurs on a virtual asynchronous interface "ttt" but the call itself occurs on one of the channels of the ISDN interface.
The radius-server attribute nas-port extended command configures RADIUS to expand the size of the NAS-Port attribute (RADIUS IETF attribute 5) field to 32 bits. The upper 16bits of the NAS-Port attribute display the type and number of the controlling interface; the lower 16bits indicate the interface undergoing authentication.
To display expanded interface information in the NAS-Port attribute field, use the following command in global configuration mode:
| Command | Purpose |
|---|---|
radius-server attribute nas-port extended | Expands the size of the NAS-Port attribute from 16 to 32bits to display extended interface information. |
|
NoteThis command replaces the radius-server extended-portnames command. |
On platforms with multiple interfaces (ports) per slot, the Cisco RADIUS implementation will not provide a unique NAS-Port attribute that permits distinguishing between the interfaces. For example, if a dual PRI interface is in slot 1, calls on both Serial1/0:1 and Serial1/1:1 will appear as NAS-Port=20101.
Once again, this is because of the 16-bit field size limitation associated with RADIUS IETF NAS-Port attribute. In this case, the solution is to replace the NAS-Port attribute with a vendor-specific attribute (RADIUS IETF attribute 26). Cisco's vendor-ID is 9, and the Cisco-NAS-Port attribute is subtype 2. Vendor-specific attributes (VSAs) can be turned on by entering the radius-server vsa send command. The port information in this attribute is provided and configured using the aaa nas port extended command.
To replace the NAS-Port attribute with RADIUS IETF attribute 26 and to display extended field information, use the following commands in global configuration mode:
| Command | Purpose | |
|---|---|---|
Step1 | radius-server vsa send [accounting | authentication] | Enables the network access server to recognize and use vendor-specific attributes as defined by RADIUS IETF attribute 26. |
Step2 | aaa nas port extended | Expands the size of the VSA NAS-Port field from 16 to 32 bits to display extended interface information. |
The standard NAS-Port attribute (RADIUS IETF attribute 5) will continue to be sent. If you do not want this information to be sent, you can suppress it by using the no radius-server attribute nas-port command. When this command is configured, the standard NAS-Port attribute will no longer be sent.
For a complete list of RADIUS attributes, refer to the "RADIUS Attributes" appendix.
Configuring the router to use AAA server groups provides a way to group existing server hosts. This allows you to select a subset of the configured server hosts and use them for a particular service. A server group is used in conjunction with a global server-host list. The server group lists the IP addresses of the selected server hosts.
Server groups also can include multiple host entries for the same server, as long as each entry has a unique identifier. The combination of an IP address and a UDP port number creates a unique identifier, allowing different ports to be individually defined as RADIUS hosts providing a specific AAA service. In other words, this unique identifier enables RADIUS requests to be sent to different UDP ports on a server at the same IP address. If two different host entries on the same RADIUS server are configured for the same service---for example, accounting---the second host entry configured acts as fail-over backup to the first one. Using this example, if the first host entry fails to provide accounting services, the network access server will try the second host entry configured on the same device for accounting services. (The RADIUS host entries will be tried in the order they are configured.)
To define a server host with a server group name, enter the following commands in global configuration mode. The listed server must exist in global configuration mode:
| Command | Purpose | |||
|---|---|---|---|---|
Step1 | Router(config)#radius-server host {hostname |
ip-address} [auth-port port-number] [acct-port
port-number] [timeout seconds] [retransmit retries]
[key string]
| Specifies and defines the IP address of the server host before configuring the AAA server-group. Refer to the "Configuring Router to RADIUS Server Communication" section for more information on the radius-server host command. | ||
Step2 | Router(config-if)#aaa group server {radius |
tacacs+} group-name
| Defines the AAA server-group with a group name. All members of a group must be the same type; that is, RADIUS or TACACS+. This command puts the router in server group subconfiguration mode. | ||
Step3 | Router(config-sg)#server ip-address [auth-port port-number] [acct-port port-number] | Associates a particular RADIUS server with the defined server group. Each security server is identified by its IP address and UDP port number. Repeat this step for each RADIUS server in the AAA server group.
|
Cisco IOS allows you to authenticate users to a particular AAA server group based on the session's Dialed Number Identification Service (DNIS) number. Any phone line (a regular home phone or a commercial T1/PRI line) can be associated with several phone numbers. The DNIS number identifies the number that was called to reach you.
For example, suppose you want to share the same phone number with several customers, but you want to know which customer is calling before you pick up the phone. You can customize how you answer the phone because DNIS allows you to know which customer is calling when you answer.
Cisco routers with either ISDN or internal modems can receive the DNIS number. This functionality allows users to assign different RADIUS server groups for different customers (that is, different RADIUS servers for different DNIS numbers). Additionally, using server groups you can specify the same server group for AAA services or a separate server group for each AAA service.
Cisco IOS software provides the flexibility to implement authentication and accounting services in several ways:
Because each of these AAA configuration methods can be configured simultaneously, Cisco has established an order of precedence to determine which server or groups of servers provide AAA services. The order of precedence is as follows:
|
NotePrior to configuring AAA Server Group Selection Based on DNIS, you must configure the list of RADIUS server hosts and configure the AAA server groups. See the "Configuring Router to RADIUS Server Communication" and "Configuring AAA Server Groups" sections in this chapter. |
To configure the router to select a particular AAA server group based on the DNIS of the server group, configure DNIS mapping. To map a server group with a group name with DNIS number, use the following commands in global configuration mode:
| Command | Purpose | |
|---|---|---|
Step1 | Router(config)#aaa dnis map enable | Enables DNIS mapping. |
Step2 | Router(config)#aaa dnis map dnis-number authentication ppp group server-group-name | Maps a DNIS number to a defined AAA server group; the servers in this server group are being used for authentication. |
Step3 | Router(config)#aaa dnis map dnis-number accounting network [none | start-stop | stop-only] group server-group-name | Maps a DNIS number to a defined AAA server group; the servers in this server group are being used for accounting. |
After you have identified the RADIUS server and defined the RADIUS authentication key, you need to define method lists for RADIUS authentication. Because RADIUS authentication is facilitated through AAA, you need to enter the aaa authentication command, specifying RADIUS as the authentication method. For more information, refer to the "Configuring Authentication" chapter.
AAA authorization lets you set parameters that restrict a user's network access. Authorization using RADIUS provides one method for remote access control, including one-time authorization or authorization for each service, per-user account list and profile, user group support, and support of IP, IPX, ARA, and Telnet. Because RADIUS authorization is facilitated through AAA, you need to issue the aaa authorization command, specifying RADIUS as the authorization method. For more information, refer to the "Configuring Authorization" chapter.
The AAA accounting feature enables you to track the services users are accessing as well as the amount of network resources they are consuming. Because RADIUS accounting is facilitated through AAA, you need to issue the aaa accounting command, specifying RADIUS as the accounting method. For more information, refer to the "Configuring Accounting" chapter.
The network access server monitors the RADIUS authorization and accounting functions defined by RADIUS attributes in each user-profile. For a list of supported RADIUS attributes, refer to the "RADIUS Attributes" appendix.
This section includes the following sections:
An Internet Engineering Task Force (IETF) draft standard for RADIUS specifies a method for communicating vendor-proprietary information between the network access server and the RADIUS server. Some vendors, nevertheless, have extended the RADIUS attribute set in a unique way. CiscoIOS software supports a subset of vendor-proprietary RADIUS attributes. For a list of supported vendor-proprietary RADIUS attributes, refer to the "RADIUS Attributes" appendix.
RADIUS is a security server authentication, authorization, and accounting (AAA) protocol originally developed by Livingston, Inc. RADIUS uses attribute value (AV) pairs to communicate information between the security server and the network access server. RFC2138 and RFC2139 describe the basic functionality of RADIUS and the original set of Internet Engineering Task Force (IETF)-standard AV pairs used to send AAA information. Two draft IETF standards, "RADIUS Attributes for Tunnel Protocol Support" and "RADIUS Accounting Modifications for Tunnel Protocol Support," extend the IETF-defined set of AV pairs to include attributes specific to virtual private dial-up networks (VPDNs); these attributes are used to carry the tunneling information between the RADIUS server and the tunnelinitiator.
In the past, Cisco routers and access servers have only been able to support VPDN tunnel attributes by using extensions to the Cisco vendor-specific attribute 26. This feature enables Cisco routers and access servers to support the new RADIUS IETF-standard VPDN tunnel attributes. These new RADIUS IETF-standard attributes are listed in the "RADIUS Attributes" appendix. Refer to the following three configuration examples later in this chapter:
For more information about L2F, L2TP, VPN, or VPDN, refer to the Cisco IOS Dial Services Configuration Guide: Network Services.
The following sections provide RADIUS configuration examples:
The following example shows how to configure the router to authenticate and authorize using RADIUS:
aaa authentication login use-radius group radius local aaa authentication ppp user-radius if-needed group radius aaa authorization exec default group radius aaa authorization network default group radius
The lines in this sample RADIUS authentication and authorization configuration are defined as follows:
The following example shows a general configuration using RADIUS with the AAA command set:
radius-server host 123.45.1.2 radius-server key myRaDiUSpassWoRd username root password ALongPassword aaa authentication ppp dialins group radius local aaa authorization network default group radius local aaa accounting network default start-stop group radius aaa authentication login admins local aaa authorization exec default local line 1 16 autoselect ppp autoselect during-login login authentication admins modem ri-is-cd interface group-async 1 encaps ppp ppp authentication pap dialins
The lines in this example RADIUS authentication, authorization, and accounting configuration are defined as follows:
The following example shows a general configuration using vendor-proprietary RADIUS with the AAA command set:
radius-server host alcatraz non-standard radius-server key myRaDiUSpassWoRd radius-server configure-nas username root password ALongPassword aaa authentication ppp dialins group radius local aaa authorization network default group radius local aaa accounting network default start-stop group radius aaa authentication login admins local aaa authorization exec default local line 1 16 autoselect ppp autoselect during-login login authentication admins modem ri-is-cd interface group-async 1 encaps ppp ppp authentication pap dialins
The lines in this example RADIUS authentication, authorization, and accounting configuration are defined as follows:
The following example shows how to configure server-specific timeout, retransmit, and key values for the RADIUS server with IP address 172.31.39.46:
radius-server host 172.31.39.46 timeout 6 retransmit 5 key rad123
The following example shows how to configure two RADIUS servers with specific timeout, retransmit, and key values. In this example, the aaa new-model command enables AAA services on the router, while specific AAA commands define the AAA services. The radius-server retransmit command changes the global retransmission value to 4 for all RADIUS servers. The radius-server host command configures specific timeout, retransmission, and key values for the RADIUS server hosts with IP addresses 172.16.1.1 and 172.29.39.46.
! Enable AAA services on the router and define those services. aaa new-model aaa authentication login default group radius aaa authentication login console-login none aaa authentication ppp default group radius aaa authorization network default group radius aaa accounting exec default start-stop group radius aaa accounting network default start-stop group radius enable password tryit1 ! ! Change the global retransmission value for all RADIUS servers. radius-server retransmit 4 ! ! Configure per-server specific timeout, retransmission, and key values. ! Change the default auth-port and acct-port values. radius-server host 172.16.1.1 auth-port 1612 acct-port 1616 timeout 3 retransmit 3 key radkey ! ! Configure per-server specific timeout and key values. This server uses the global ! retransmission value. radius-server host 172.29.39.46 timeout 6 key rad123
The following example shows how to configure the network access server to recognize several RADIUS host entries with the same IP address. Two different host entries on the same RADIUS server are configured for the same services---authentication and accounting. The second host entry configured acts as fail-over backup to the first one. (The RADIUS host entries will be tried in the order they are configured.)
! This command enables AAA. aaa new-model ! The next command configures default RADIUS parameters. aaa authentication ppp default group radius ! The next set of commands configures multiple host entries for the same IP address. radius-server host 172.20.0.1 auth-port 1000 acct-port 1001 radius-server host 172.20.0.1 auth-port 2000 acct-port 2000
The following example shows how to create server group radgroup1 with three different RADIUS server members, each using the default authentication port (1645) and accounting port (1646):
aaa group server radius radgroup1 server 172.16.1.11 server 172.17.1.21 server 172.18.1.31
The following example shows how to create server group radgroup2 with three RADIUS server members, each with the same IP address but with unique authentication and accounting ports:
aaa group server radius radgroup2 server 172.16.1.1 auth-port 1000 acct-port 1001 server 172.16.1.1 auth-port 2000 acct-port 2001 server 172.16.1.1 auth-port 3000 acct-port 3001
The following example shows how to configure the network access server to recognize two different RADIUS server groups. One of these groups, group1, has two different host entries on the same RADIUS server configured for the same services. The second host entry configured acts as fail-over backup to the first one.
! This command enables AAA. aaa new-model ! The next command configures default RADIUS parameters. aaa authentication ppp default group group1 ! The following commands define the group1 RADIUS server group and associate servers
! with it.
aaa group server radius group1 server 172.20.0.1 auth-port 1000 acct-port 1001 ! The following commands define the group2 RADIUS server group and associate servers
! with it.
aaa group server radius group2 server 172.20.0.1 auth-port 2000 acct-port 2001 ! The following set of commands configures the RADIUS attributes for each host entry
! associated with one of the defined server groups. radius-server host 172.20.0.1 auth-port 1000 acct-port 1001 radius-server host 172.20.0.1 auth-port 2000 acct-port 2001 radius-server host 172.10.0.1 auth-port 1645 acct-port 1646
The following example shows how to select RADIUS server groups based on DNIS to provide specific AAA services:
! This command enables AAA. aaa new-model ! ! The following set of commands configures the RADIUS attributes for each server ! that will be associated with one of the defined server groups. radius-server host 172.16.0.1 auth-port 1645 acct-port 1646 key cisco1 radius-server host 172.17.0.1 auth-port 1645 acct-port 1646 key cisco2 radius-server host 172.18.0.1 auth-port 1645 acct-port 1646 key cisco3 radius-server host 172.19.0.1 auth-port 1645 acct-port 1646 key cisco4 radius-server host 172.20.0.1 auth-port 1645 acct-port 1646 key cisco5 ! The following commands define the sg1 RADIUS server group and associate servers ! with it. aaa group server radius sg1 server 172.16.0.1 server 172.17.0.1 ! The following commands define the sg2 RADIUS server group and associate a server ! with it. aaa group server radius sg2 server 172.18.0.1 ! The following commands define the sg3 RADIUS server group and associate a server ! with it. aaa group server radius sg3 server 172.19.0.1 ! The following commands define the default-group RADIUS server group and associate ! a server with it. aaa group server radius default-group server 172.20.0.1 ! ! The next set of commands configures default-group RADIUS server group parameters. aaa authentication ppp default group default-group aaa accounting network default start-stop group default-group ! ! The next set of commands enables DNIS mapping and maps DNIS numbers to the defined
! RADIUS server groups. In this configuration, all PPP connection requests using
! DNIS 7777 are sent to the sg1 server group. The accounting records for these
! connections (specifically, start-stop records) are handled by the sg2 server group.
! Calls with a DNIS of 8888 use server group sg3 for authentication and server group
! default-group for accounting. Calls with a DNIS of 9999 use server group
! default-group for authentication and server group sg3 for accounting records
! (stop records only). All other calls with DNIS other than the ones defined use the
! server group default-group for both authentication and stop-start accounting records. aaa dnis map enable aaa dnis map 7777 authentication ppp group sg1 aaa dnis map 7777 accounting network start-stop group sg2 aaa dnis map 8888 authentication ppp group sg3 aaa dnis map 9999 accounting network stop-only group sg3
The following example shows a basic L2TP configuration for the L2TP access concentrator (LAC) for the topology shown in Figure 7. The local name is not defined, so the host name used is the local name. Because the L2TP tunnel password is not defined, the username password is used. In this example, VPDN is configured locally on the LAC and does not take advantage of the new RADIUS tunnelattributes.
! Enable AAA globally. aaa new-model ! Enable AAA authentication for PPP and list the default method to use for PPP
! authentication. aaa authentication ppp default local ! Define the username as "DJ." username DJ password 7 030C5E070A00781B ! Enable VPDN. vpdn enable ! Define VPDN group number 1. vpdn-group 1 ! Allow the LAC to respond to dialin requests using L2TP from IP address 172.21.9.13
! domain "cisco.com." request dialin l2tp ip 172.21.9.13 domain cisco.com
The following example shows how to configure the LAC if RADIUS tunnel attributes are supported. In this example, there is no local VPDN configuration on the LAC; the LAC, instead, is configured to query the remote RADIUS security server.
! Enable global AAA securities services. aaa new-model ! Enable AAA authentication for PPP and list RADIUS as the default method to use
! for PPP authentication. aaa authentication ppp default group radius local ! Enable AAA (network) authorization and list RADIUS as the default method to use for
! authorization. aaa authorization network default group radius ! Define the username as "DJ." username DJ password 7 030C5E070A00781B ! Enable VPDN. vpdn enable ! Configure the LAC to interface with the remote RADIUS security server. radius host 171.69.1.1 auth-port 1645 acct-port 1646 radius-server key cisco
The following example shows a basic L2TP configuration with corresponding comments on the L2TP network server (LNS) for the topology shown in Figure 7:
! Enable AAA globally. aaa new-model ! Enable AAA authentication for PPP and list the default method to use for PPP
! authentication. aaa authentication ppp default local ! Define the username as "partner." username partner password 7 030C5E070A00781B ! Create virtual-template 1 and assign all values for virtual access interfaces. interface Virtual-Template1 ! Borrow the IP address from interface ethernet 1. ip unnumbered Ethernet0 ! Disable multicast fast switching. no ip mroute-cache ! Use CHAP to authenticate PPP. ppp authentication chap ! Enable VPDN. vpdn enable ! Create vpdn-group number 1. vpdn-group 1 ! Accept all dialin l2tp tunnels from virtual-template 1 from remote peer DJ. accept dialin l2tp virtual-template 1 remote DJ
The following example shows a RADIUS user profile (Merit Daemon format) that includes RADIUS tunneling attributes:
example.com Password="cisco" Service-Type=Outbound Tunnel-Type = :1:L2TP Tunnel-Medium-Type = :1:IP Tunnel-Server-Endpoint = :1:10.0.0.1 Tunnel-Password = :1:"welcome" Tunnel-Assignment-ID = :1:"nas"
Posted: Tue Jul 18 12:53:14 PDT 2000
Copyright 1989-2000©Cisco Systems Inc.