Overview: 

1. Setup Basic, Global AAA

Here we are setting up the most basic aaa config. We are enabling AAA, and we are defining how logins should be handled. We have created two groups (lines 8-9) but we also setup a default auth for all logins that have not been assigned to one of those groups. (Which at this point is all means of logging in.)

1. - Enabling AAA

01 ! -- standard router local password 02 username chuck password letmein 03 enable secret 5 asdlfkjsad;kljf 04 ! 05 ! -- global aaa config 06 aaa new-model 07 aaa authentication login default line 08 aaa authentication login local_group local 09 aaa authentication login radius_group group radius 10 ! 11 ! -- line command (vty) 12 line vty 0 4 13 password cisco 14 ! 15 ! -- specify the radius server 16 radius-server host 172.22.53.201

A quick highlight on some of the commands listed above include:

• Line 6, turns on aaa
• Line 7, allows interfaces not associated with aaa groups to use their default line logins. Thus with this example, only the vty line is enabled (you would not be able to connect via the console port) and since the vty line is not associated to a group, then it would use it's line password Line 13.
• Line 8, creates a group called "local_group". All future connections that refer to the group "local_group" will be authorized by the local password (Line 2).
• Line 9, creates a group called "radius_group". All future connections that refer to it, will be authenticated to one of the defined radius servers. We only have one radius server defined, and that's on line 16.

2. Enabling AAA on an Interface

For this example, we will setup the router so that the console port uses the radius server for login authentication. The commands from the previous config's in "Enabling AAA" are assumed to already be entered in the router.

2. - setting up an interface with aaa
17 ! -- console port login 18 line con 0 19 password dudeletmein 20 login authentication radius_group 21 transport input none

Here we have entered the normal config's to enable the console port, but we have also added the "login authentication {group}" command (line 20).

Normally with the config's above (minus line 20) when you connected to the console, the router would prompt you for a password, and you would enter "dudeletmein". But since we added the aaa group to this interface, the default line password (line 19) is now ignored, and instead the radius server is used.

With these two combined config's we have two ways to access the router. The first is to telnet to the router (vty 0 4). The vty server does not have a specified aaa group associated with it, so as per line 7 it will use its default line password line 13. The other way to connect to the router is through the console port. Here we have defined an aaa group, so all connections will not use its default line password (line 19), but instead use the radius server.

For debugging aaa authentication, use the command debug aaa authentication. If you think that you might be having some problems connecting to your radius server, see here for some different debug outputs.

3. Adding ISDN Dial In Access

The easiest way to enable dialin to a router is to hang a modem off the AUX port on the router. In the configuration explained below, I have set things up a little different. Instead of POTS lines going into a modem, I have a series of ISDN lines that connect to a blade in my router. This configuration is handy because the isdn allows caller id, and each isdn line is two POTS lines. So with 5 ISDN lines, I can support 10 concurrent calls. To pull this off, I have an ISDN BRI Network Module in the router that the ISDN lines tie into. And rather then having external modems, that wouldn't work with isdn anyway, I have an internal Digital Modem Network Module in the router as well.

To get an idea on how this all works together, see the diagram below.

The ISDN lines all tie into the ISDN card. It's data is then sent to the modems to be decoded. (The modem card has many modems in it. To clean up the config's in the router, you can group all the modems together into one command; "int Group-Async1".) After the modems decode the calls, the line interface then handles getting the modem call onto the network (or giving it a router cli).

So below we are going to configure; the ISDN blade under the "interface BRI3/0" heading (line 23), the modem blade under the "interface Group-Async1" heading (line 32), and the routers ability to take the modem's output and give it a cli via the "line 33 50" heading (line 38).

3.1 - ISDN Dial In

22 ! -- Configure the BRI 23 interface BRI3/0 24 no ip address 25 isdn switch-type basic-ni 26 isdn spid1 30355500001111 5303227 27 isdn spid2 30355500011111 5303236 28 isdn caller 6505551212 29 isdn incoming-voice modem 30 ! 31 ! -- Configure Group-Async 32 interface Group-Async1 33 ip unnumbered FastEthernet0/0 34 no peer default ip address 35 group-range 33 50 36 ! 37 ! -- Configure Line Ports 38 line 33 50 39 password wannaletmein 40 login authentication local_group 41 modem Dialin 42 transport output none

A quick highlight on some of the commands listed above include:

• 25 Set the isdn type. There are a couple of different isdn switch types, but here in the us, it's mostly only the "basic-ni".
• 26-27 Define the isdn phone number. Each isdn line has two spids, the spid is normally the phone number plus 4 digits. So for spid1, it's phone number would be 303-555-0000. All this information is given to you by the telco, when you get your ISDN line.
• 28 Caller ID allow/blocking. With this command, only the number listed, 650-555-1212, is allowed to make connections. All other call sources will get a busy signal. You can have as many of these commands in a row as neccessary.

• 34 Don't give modem connection and IP. Here we are only dialing in to get cli access. So we don't need to get our own ip address (as in a ppp connection)
• 35 Group the modems. This command takes the 17 modems and combines them into one entity in the config. This makes it much easier to configure, because instead of making config statements to each modem, we can make one statement to all the modems.

• 40 Authenticate logins on interface to aaa group. This sets the interface to use the specified aaa group for deciding how to authenticate connections.
• 41 Allow modem connections. This allows the modems to connect the line interfaces. This is needed so that something is "connected" to the other side of the modem. (isdn on one side, line interfaces on the other).

4. Enabling Radius Authenticated ISDN Connections

It's very straight forward. (same as any other interface). Just add the "login authentication" command in the line command.

Repeating the above config with the addition of the "login authentication" command:

3.2 - ISDN Dial In with Radius

22 ! -- Configure the BRI 23 interface BRI3/0 24 no ip address 25 isdn switch-type basic-ni 26 isdn spid1 30355500001111 5303227 27 isdn spid2 30355500011111 5303236 28 isdn caller 6505551212 29 isdn incoming-voice modem 30 ! 31 ! -- Configure Group-Async 32 interface Group-Async1 33 ip unnumbered FastEthernet0/0 34 no peer default ip address 35 group-range 33 50 36 ! 37 ! -- Configure Line Ports 38 line 33 50 39 password wannaletmein 40 login authentication local_group 41 modem Dialin 42 login authentication radius_group 43 transport output none

Same logic as in the above section Enabling AAA on an interface.

5. Enabling ISDN PPP Connections

In this section we are going to enable PPP on the ISDN interfaces, but to keep things simple, we are going to only look at ppp, and not aaa. So the config added in the config "3.2 - ISDN Dial In with Radius" will be removed.

So from the previous config "3.1 - ISDN Dial In", we are adding (in bold) all the configs to make ppp work on the isdn interface.

3.3 - ISDN with PPP

22 ! -- Configure the BRI 23 interface BRI3/0 24 ip unnumbered FastEthernet0/0 25 encapsulation ppp 26 isdn switch-type basic-ni 27 isdn spid1 30355500001111 5303227 28 isdn spid2 30355500011111 5303236 29 isdn caller 6505551212 30 isdn incoming-voice modem 31 peer default ip address pool dialin_ip_pool 32 ! 33 ! -- Configure Group-Async 34 interface Group-Async1 35 ip unnumbered FastEthernet0/0 36 encapsulation ppp 37 async mode interactive 38 peer default ip address pool dialin_ip_Pool 39 group-range 33 50 40 ! 41 ! -- Configure Line Ports 42 line 33 50 43 password wannaletmein 44 autoselect during-login 45 autoselect ppp 46 modem Dialin 47 transport input all 48 transport output none 49 ! 50 ! -- Create an IP Pool 51 ip local pool dialin_ip_pool 10.1.1.100 10.1.1.110

Some comments on the configs above:

• 24 Enable IP processing with no interface ip Allow IP processing, but do not assign an ip address to the interface itself. Instead ppp connections will be assigned their own ip's and traffic will route through the interface.
• 25 Enable PPP on interface.
• 31 Create list of IP's for PPP users. Creates a list of IP's that will be given to ppp connections.

• 37 Allow SLIP and PPP on interface. Allows EXEC prompt to handle PPP and SLIP commands.
• 38 Give PPP and SLIP connections IPs from a group. All SLIP and PPP connections that originate from this line will get IPs from the range listed from the specified pool.

• 44 Send prompt as soon as connection is made. This helps SLIP and PPP, by giving a prompt as soon as the connection is made, rather then waiting for a carage return to be sent.
• 45 Start Line with PPP. Prevents the user from having to specify to start PPP. The router just starts it for them.
• 47 Allow all protocols. Allow all protocol to be passed through ppp. (allow telnet, ssh, ftp, www, etc)

• 51 Create IP pool. Creates the ip pool to be used for the PPP sessions. The pool range is within 10.1.1.(100-110).

6. Enabling PPP AAA Authentication: Globally and per Interface

Putting it all together, this is what you config would be like to get AAA working on both console dialin and PPP access.

4 - ISDN with PPP and AAA

01 ! -- standard router local password 02 username chuck password letmein 03 enable secret 5 asdlfkjsad;kljf 04 ! 05 ! -- global aaa config 06 aaa new-model 07 aaa authentication login default line 08 aaa authentication login local_group local 09 aaa authentication login radius_group group radius 10 ! 11 ! -- console port login 12 line con 0 13 password dudeletmein 14 login authentication radius_group 15 transport input none 16 ! 17 ! -- line command (vty) 18 line vty 0 4 19 password cisco 20 ! 21 ! -- specify the radius server 22 radius-server host 172.22.53.201 23 ! 24 ! -- Configure the BRI 25 interface BRI3/0 26 ip unnumbered FastEthernet0/0 27 encapsulation ppp 28 isdn switch-type basic-ni 29 isdn spid1 30355500001111 5303227 30 isdn spid2 30355500011111 5303236 31 isdn caller 6505551212 32 isdn incoming-voice modem 33 peer default ip address pool dialin_ip_pool 34 ! 35 ! -- Configure Group-Async 36 interface Group-Async1 37 ip unnumbered FastEthernet0/0 38 encapsulation ppp 39 async mode interactive 40 peer default ip address pool dialin_ip_Pool 41 group-range 33 50 42 ! 43 ! -- Configure Line Ports 44 line 33 50 45 password wannaletmein 46 autoselect during-login 47 autoselect ppp 48 login authentication radius_group 49 modem Dialin 50 transport input all 51 transport output none 52 ! 53 ! -- Create an IP Pool 54 ip local pool dialin_ip_pool 10.1.1.100 10.1.1.110

Appendix A - Only allowing ppp, not console

If you wanted to prevent console access, and only allow ppp access these configs would do that. Also, the chap and pap enabled connections would encrypt the passwords as they traveled between then computer and the access server. We don't worry about this in the above docs because we are dealing with a 2-factor password scheme, and thus the password is constantly changing and is useless after it has been used.

5 - PPP without console access
101 ! -- Config AAA 102 aaa authentication ppp radius_ppp_group group radius 103 ! 104 ! -- Configure BRI 105 interface BRI3/0 106 ppp authentication chap ms-chap radius_ppp_group 107 ! 108 ! -- Configure Group-Async 109 interface Group-Async1 110 ppp authentication chap ms-chap radius_ppp_group

Note that these configs would be added to the configs from "4 - ISDN with PPP and AAA".