Overview: In this document we attempt to setup a router with an ISDN modem, so that it can receive console and ppp connections. We will also see how to have these connections authorized by the local radius server. While doing this we will point out the basic configurations for AAA and how it works with a radius server. We will look at how to configure an ISDN and modem line cards to allow dial in access to a router. And we will look at how to enable ppp on dialin connections. Note that all the commands are hyperlinked to their specific definitions on cisco's webpage. Some of these links are to locations that can only be accessed via a cisco accounts. (sorry) 1. Setup Basic, Global AAA
Here we are setting up the most basic aaa config. We are enabling AAA,
and we are defining how logins should be handled. We have created two
groups (lines 8-9) but we also setup a default auth for all logins that
have not been assigned to one of those groups. (Which at this point is
all means of logging in.)
A quick highlight on some of the commands listed above include:
- Line 6, turns on aaa
- Line 7, allows interfaces not
associated with aaa groups to use their default line logins. Thus with
this example, only the vty line is enabled (you would not be able to
connect via the console port) and since the vty line is not associated
to a group, then it would use it's line password Line 13.
- Line 8, creates a group called
"local_group". All future connections that refer to the group
"local_group" will be authorized by the local password (Line 2).
- Line 9, creates a group called
"radius_group". All future connections that refer to it, will be
authenticated to one of the defined radius servers. We only have one
radius server defined, and that's on line 16.
2. Enabling AAA on an Interface
For this example, we will setup the router so that the console port uses
the radius server for login authentication. The commands from the
previous config's in "Enabling AAA" are assumed to already be entered in
the router.
Here we have entered the normal config's to enable the console port, but we have also added the "login authentication {group}" command (line 20).
Normally with the config's above (minus line 20)
when you connected to the console, the router would prompt you for a
password, and you would enter "dudeletmein". But since we added the aaa
group to this interface, the default line password (line 19) is now ignored, and instead the radius server is used.
With these two combined config's we have two ways to access the router.
The first is to telnet to the router (vty 0 4). The vty server does
not have a specified aaa group associated with it, so as per line 7 it will use its default line password line 13.
The other way to connect to the router is through the console port.
Here we have defined an aaa group, so all connections will not use its
default line password (line 19), but instead use the radius server.
For debugging aaa authentication, use the command debug aaa authentication. If you think that you might be having some problems connecting to your radius server, see here for some different debug outputs.
3. Adding ISDN Dial In Access
The easiest way to enable dialin to a router is to hang a modem off the
AUX port on the router. In the configuration explained below, I have
set things up a little different. Instead of POTS lines going into a
modem, I have a series of ISDN lines that connect to a blade in my
router. This configuration is handy because the isdn allows caller id,
and each isdn line is two POTS lines. So with 5 ISDN lines, I can
support 10 concurrent calls. To pull this off, I have an ISDN BRI Network Module
in the router that the ISDN lines tie into. And rather then having
external modems, that wouldn't work with isdn anyway, I have an internal
Digital Modem Network Module in the router as well.
To get an idea on how this all works together, see the diagram below.
The ISDN lines all tie into the ISDN card. It's data is then sent to
the modems to be decoded. (The modem card has many modems in it. To
clean up the config's in the router, you can group all the modems
together into one command; "int Group-Async1".) After the modems decode
the calls, the line interface then handles getting the modem call onto
the network (or giving it a router cli).
So below we are going to configure; the ISDN blade under the "interface BRI3/0" heading (line 23), the modem blade under the "interface Group-Async1" heading (line 32), and the routers ability to take the modem's output and give it a cli via the "line 33 50" heading (line 38).
A quick highlight on some of the commands listed above include:
- 25 Set the isdn type. There are a couple of different isdn switch types, but here in the us, it's mostly only the "basic-ni".
- 26-27 Define the isdn phone number.
Each isdn line has two spids, the spid is normally the phone number
plus 4 digits. So for spid1, it's phone number would be 303-555-0000.
All this information is given to you by the telco, when you get your
ISDN line.
- 28 Caller ID allow/blocking.
With this command, only the number listed, 650-555-1212, is allowed to
make connections. All other call sources will get a busy signal. You
can have as many of these commands in a row as neccessary.
- 34 Don't give modem connection and IP. Here we are only dialing in to get cli access. So we don't need to get our own ip address (as in a ppp connection)
- 35 Group the modems.
This command takes the 17 modems and combines them into one entity in
the config. This makes it much easier to configure, because instead of
making config statements to each modem, we can make one statement to all
the modems.
- 40 Authenticate logins on interface to aaa group. This sets the interface to use the specified aaa group for deciding how to authenticate connections.
- 41 Allow modem connections.
This allows the modems to connect the line interfaces. This is needed
so that something is "connected" to the other side of the modem. (isdn
on one side, line interfaces on the other).
4. Enabling Radius Authenticated ISDN Connections
It's very straight forward. (same as any other interface). Just add the "login authentication" command in the line command.
Repeating the above config with the addition of the "login authentication" command:
Same logic as in the above section Enabling AAA on an interface.
5. Enabling ISDN PPP Connections
In this section we are going to enable PPP on the ISDN interfaces, but
to keep things simple, we are going to only look at ppp, and not aaa.
So the config added in the config "3.2 - ISDN Dial In with Radius" will
be removed.
So from the previous config "3.1 - ISDN Dial In", we are adding (in
bold) all the configs to make ppp work on the isdn interface.
Some comments on the configs above:
- 24 Enable IP processing with no interface ip
Allow IP processing, but do not assign an ip address to the interface
itself. Instead ppp connections will be assigned their own ip's and
traffic will route through the interface.
- 25 Enable PPP on interface.
- 31 Create list of IP's for PPP users. Creates a list of IP's that will be given to ppp connections.
- 37 Allow SLIP and PPP on interface. Allows EXEC prompt to handle PPP and SLIP commands.
- 38 Give PPP and SLIP connections IPs from a group. All SLIP and PPP connections that originate from this line will get IPs from the range listed from the specified pool.
- 44 Send prompt as soon as connection is made.
This helps SLIP and PPP, by giving a prompt as soon as the connection
is made, rather then waiting for a carage return to be sent.
- 45 Start Line with PPP. Prevents the user from having to specify to start PPP. The router just starts it for them.
- 47 Allow all protocols. Allow all protocol to be passed through ppp. (allow telnet, ssh, ftp, www, etc)
- 51 Create IP pool. Creates the ip pool to be used for the PPP sessions. The pool range is within 10.1.1.(100-110).
6. Enabling PPP AAA Authentication: Globally and per Interface
Putting it all together, this is what you config would be like to get AAA working on both console dialin and PPP access.
Appendix A - Only allowing ppp, not console
If you wanted to prevent console access, and only allow ppp access these
configs would do that. Also, the chap and pap enabled connections
would encrypt the passwords as they traveled between then computer and
the access server. We don't worry about this in the above docs because
we are dealing with a 2-factor password scheme, and thus the password is
constantly changing and is useless after it has been used.
Note that these configs would be added to the configs from "4 - ISDN with PPP and AAA".
|