This document describes the AAA DNIS Map for Authorization feature. It includes information on the benefits of the new feature, supported platforms, related documents, and so on.
This document includes the following sections:
The AAA DNIS Map for Authorization feature allows you to select authentication, authorization, and accounting (AAA) server groups---to which authorization requests will be sent---using Dialed Number Identification Service (DNIS). That is, you assign a DNIS number to a particular AAA server group so that the server group can process authorization requests for users dialing into the network using the assigned DNIS number.
This feature is an enhancement to Selecting AAA Server Groups Based on DNIS, Cisco IOS Release 12.0(7)T, which allows you to send authentication and accounting requests when selecting a AAA server group using a DNIS number.
With the introduction of this feature, authorization requests are available so that you can specify the same server group for AAA services or a separate server group for each AAA service. Thus, you can configure authorization on different physical devices and provide failover backup support.
AAA is extremely flexible; each of the three definitions of AAA services can be configured on the same network access server simultaneously. Because all three definitions of AAA services can be configured simultaneously, Cisco has established an order of precedence to determine which server or groups of servers provide AAA services. The order of precedence is as follows:
The AAA DNIS Map for Authorization feature provides the following benefits:
The following features and technologies are related to AAA DNIS Map for Authorization:
The following documents provide information related to AAA DNIS Map for Authorization:
AAA DNIS Map for Authorization runs on all platforms that support Cisco IOS Release 12.1
Standards
No new or modified standards are supported by this feature.
MIBs
No new or modified MIBs are supported by this feature.
For descriptions of supported MIBs and how to use MIBs, see the Cisco MIB web site on Cisco Connection Online (CCO) at http://www.cisco.com/public/sw-center/netmgmt/cmtk/mibs.shtml.
RFCs
No new or modified RFCs are supported by this feature.
Before configuring your network access server to select a particular AAA server group based on the DNIS number, you must complete the following tasks:
For more information on completing these tasks, please refer to Selecting AAA Server Groups Based on DNIS, Cisco IOS Release 12.0(7)T.
See the following sections for configuration tasks for the AAA DNIS Map for Authorization feature. Each task in the list is identified as optional or required.
To enable the DNIS map feature, use the following command in global configuration mode:
| Command | Purpose |
|---|---|
| Router(config)# aaa dnis map enable | Enables DNIS mapping. |
To configure the DNIS for authorization, use the following command in global configuration mode:
| Command | Purpose |
|---|---|
| Router(config)# aaa dnis map dnis-number authorization network group server-group-name | Maps a DNIS number to a defined AAA server group; the servers in this server group are used for authorization. |
Use the debug aaa authorization command to show the AAA server groups configured to provide authorization services.
This section provides the following configuration example: DNIS Map for Authorization Example (Required).
The following example enables DNIS mapping and maps DNIS numbers to the defined RADIUS server groups. All connection requests using DNIS 7777 are sent to the sg1 server group, and all connection requests using DNIS 8888 are sent to the sg2 server group.
```
aaa dnis map enable
aaa dnis map 7777 authentication ppp group sg1
aaa dnis map 8888 authentication ppp group sg2
```
To map a DNIS number to a particular AAA server group (the server group that will be used for AAA authorization), use the aaa dnis map authorization network group global configuration command. To unmap this DNIS number from the defined server group, use the no form of this command.
aaa dnis map dnis-number authorization network group server-group-name
Syntax Description
| Argument | Description |
|---|---|
| dnis-number | Number of the DNIS. |
| server-group-name | Character string used to name a group of security servers functioning within a server group. |
Defaults
Disabled
Command Modes
Global configuration
Command History
| Release | Modification |
|---|---|
| 12.1(1)T | This command was introduced. |
Usage Guidelines
This command lets you assign a DNIS number to a particular AAA server group so that the server group can process authorization requests for users dialing in to the network using that particular DNIS number. To use this command, you must first enable AAA, define an AAA server group, and enable DNIS mapping.
Examples
The following example maps DNIS number 7777 to the RADIUS server group called group1. Server group group1 will use RADIUS server 172.30.0.0 for authorization requests for users dialing in with DNIS 7777:
```
aaa new-model
radius-server host 172.30.0.0 auth-port 1645 key cisco1
aaa group server radius group1
 server 172.30.0.0
aaa dnis map enable
aaa dnis map 7777 authorization network group group1
```
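The prerequisites in the Usage Guidelines (AAA enabled, server group defined, DNIS mapping enabled) can be checked offline against a saved configuration. The following script is an added example, not Cisco code; the function name `audit_dnis_maps`, the sample configuration, and the assumption that groups are declared with `aaa group server radius|tacacs+ name` are the example's own.

```python
import re

# Constructed sample: the page's group1 example plus two deliberately flawed
# mappings (sg2 is never defined; DNIS 9999 has no authorization map).
SAMPLE_CONFIG = """\
aaa new-model
radius-server host 172.30.0.0 auth-port 1645 key cisco1
aaa group server radius group1
 server 172.30.0.0
aaa dnis map enable
aaa dnis map 7777 authorization network group group1
aaa dnis map 8888 authorization network group sg2
aaa dnis map 9999 authentication ppp group group1
"""

# Assumption: groups are declared as "aaa group server {radius|tacacs+} <name>".
GROUP_RE = re.compile(r"^aaa group server (?:radius|tacacs\+) (\S+)$")
MAP_RE = re.compile(
    r"^aaa dnis map (\S+) "
    r"(authentication ppp|authorization network|accounting network) group (\S+)$")


def audit_dnis_maps(config):
    """Return sorted findings about DNIS-to-server-group mappings."""
    lines = [ln.strip() for ln in config.splitlines()]
    groups, maps = set(), []
    for ln in lines:
        g, m = GROUP_RE.match(ln), MAP_RE.match(ln)
        if g:
            groups.add(g.group(1))
        if m:
            maps.append(m.groups())
    findings = []
    if maps and "aaa new-model" not in lines:
        findings.append("AAA is not enabled (aaa new-model missing)")
    if maps and "aaa dnis map enable" not in lines:
        findings.append("DNIS mapping is not enabled (aaa dnis map enable missing)")
    services = {}
    for dnis, service, group in maps:
        services.setdefault(dnis, set()).add(service.split()[0])
        if group not in groups:
            findings.append(f"DNIS {dnis}: {service} uses undefined server group {group}")
    for dnis, seen in services.items():
        if "authorization" not in seen:
            findings.append(f"DNIS {dnis}: no authorization map configured")
    return sorted(findings)
```

Calling `audit_dnis_maps(SAMPLE_CONFIG)` flags DNIS 8888 for referencing an undefined group and DNIS 9999 for having no authorization map.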
Related Commands
| Command | Description |
|---|---|
| aaa new-model | Enables the AAA access control model. |
| aaa dnis map accounting network group | Maps a DNIS number to a AAA server group used for accounting services. |
| aaa dnis map authentication ppp group | Maps a DNIS number to a AAA server used for authentication services. |
| aaa dnis map enable | Enables AAA server selection based on DNIS number. |
| aaa group server | Groups different server hosts into distinct lists and methods. |
| radius-server host | Specifies and defines the IP address of the RADIUS server host. |
AAA---authentication, authorization, and accounting. Suite of network security services that provide the primary framework through which access control can be set up on your Cisco router or access server.
authentication, authorization, and accounting---See AAA.
Dialed Number Identification Service---See DNIS.
DNIS---Dialed Number Identification Service. A service that provides a dialed number.
Posted: Mon May 15 15:52:54 PDT 2000
Copyright 1989 - 2000©Cisco Systems Inc.