Guest

Point-to-Point Protocol (PPP)

Advanced RADIUS for Dialup PPP Clients

Document ID: 10361

Updated: Jan 29, 2008

   Print

Introduction

This document provides a sample configuration for advanced RADIUS for dialup PPP clients.

Prerequisites

Requirements

There are no specific requirements for this document.

Components Used

This document is not restricted to specific software and hardware versions.

Conventions

Refer to Cisco Technical Tips Conventions for more information on document conventions.

Configure

In this section, you are presented with the information to configure the features described in this document.

Note: Use the Command Lookup Tool (registered customers only) to find more information on the commands used in this document.

Network Diagram

This document uses this network setup:

advancedradius-1.gif

Configuration Notes

Before you begin, ensure that dial-in works. Once the modem can connect and authenticate locally, turn on RADIUS. Then, test authentication to verify that a user can connect and authenticate through RADIUS and turn on authorization.

Configurations

This document uses these configurations:

NAS
version 11.2
service timestamps debug datetime msec
service timestamps log uptime
service password-encryption
no service udp-small-servers
no service tcp-small-servers
!
hostname nasX
!
aaa new-model
aaa authentication login default radius local
aaa authentication login no_radius enable
aaa authentication ppp default if-needed radius
aaa authorization network radius
aaa accounting exec start-stop radius
aaa accounting network start-stop radius
!
enable password cisco
!
username cisco password letmein
ip subnet-zero
no ip domain-lookup
ip name-server 10.6.1.1
async-bootp dns-server 10.1.1.3
async-bootp nbns-server 10.1.1.24
!
interface Ethernet0/0
 ip address 10.1.1.21 255.255.255.0
 no keepalive
!
interface Serial0/0
 no ip address
 shutdown
!
interface Ethernet0/1
 no ip address
 shutdown
!
interface Serial1/0
 physical-layer async
 no ip address
 encapsulation ppp
 async default routing
 async mode interactive
 dialer in-band
 dialer rotary-group 0
 no cdp enable
!
interface Serial1/1
 physical-layer async
 no ip address
 encapsulation ppp
 async default routing
 async mode interactive
 dialer in-band
 dialer rotary-group 0
 no cdp enable
!
interface Serial1/2
 physical-layer async
 no ip address
 encapsulation ppp
 async default routing
 async mode interactive
 dialer in-band
 dialer rotary-group 0
 no cdp enable
!
interface Serial1/3
 physical-layer async
 no ip address
 encapsulation ppp
 async default routing
 async mode interactive
 dialer in-band
 dialer rotary-group 0
 no cdp enable
!
interface Serial1/4
 physical-layer async
 no ip address
 encapsulation ppp
 async default routing
 async mode interactive
 dialer in-band
 dialer rotary-group 0
 no cdp enable
!
interface Serial1/5
 physical-layer async
 no ip address
 encapsulation ppp
 async default routing
 async mode interactive
 dialer in-band
 dialer rotary-group 0
 no cdp enable
!
interface Serial1/6
 physical-layer async
 no ip address
 encapsulation ppp
 async default routing
 async mode interactive
 dialer in-band
 dialer rotary-group 0
 no cdp enable
!
interface Serial1/7
 physical-layer async
 no ip address
 encapsulation ppp
 async default routing
 async mode interactive
 dialer in-band
 dialer rotary-group 0
 no cdp enable
!
interface Dialer0
 ip unnumbered Ethernet0/0
 ip tcp header-compression passive
 encapsulation ppp
 peer default ip address pool Cisco3640-Group-120
 dialer in-band
 dialer-group 1
 no cdp enable
 ppp authentication pap
!
router rip
 version 2
 redistribute connected
 network 10.1.1.0
 no auto-summary
!
ip local pool Cisco3640-Group-120 10.1.1.80 10.1.1.88
no ip classless
ip http server
!
dialer-list 1 protocol ip permit
dialer-list 1 protocol appletalk permit
!

!--- The following two lines are for the RADIUS server; the first is for the
!--- RADIUS being used for authentication but not accounting. In the second,  
!--- accounting information is sent, too, but not authenticating.
!--- If you wish accounting to go to the first, change the 0 to 1646.

!
radius-server host 10.1.1.3 auth-port 1645 acct-port 0
radius-server host 10.1.1.5 auth-port 0 acct-port 1646
radius-server key cisco
!
line con 0
 exec-timeout 0 0
 login authentication no_radius
line 17 24
 autoselect during-login
 autoselect ppp
 modem InOut
 transport input all
 stopbits 1
 speed 57600
 flowcontrol hardware
line aux 0
line vty 0 4
 exec-timeout 0 0
end

Clients File (on server)

!--- Note: This assumes Livingston RADIUS.

# Handshake with router--router needs "radius-server key cisco":
10.1.1.21 cisco

Users File (on server)

!--- Note: This assumes Livingston RADIUS.

# User who can telnet in to configure:
admin Password = "admin"
User-Service-Type = Login-User
# ppp/chap authentication line 1 - password must be cleartext per chap spec
#
# This user gets an IP address from a pool on the router.
chapuser Password = "chapuser"
User-Service-Type = Framed-User,
Framed-Protocol = PPP
# ppp/chap authentication line 1 - password must be cleartext per chap spec
#
# This user has a statically assigned IP address
chapadd Password = "chapadd"
User-Service-Type = Framed-User,
Framed-Protocol = PPP,
Framed-Address = 10.10.10.10

Verify

There is currently no verification procedure available for this configuration.

Troubleshoot

Use this section to troubleshoot your configuration.

Troubleshooting Commands

Note: Refer to Important Information on Debug Commands before you use debug commands.

  • debug ppp negotiation - To determine if a client is passing PPP negotiation; this is when you check for address negotiation.

  • debug ppp authentication - To determine if a client is passing authentication. If you are using a version prior to Cisco IOS® Software Release 11.2, issue the debug ppp chap command instead.

  • debug ppp error - To display protocol errors and error statistics associated with PPP connection negotiation and operation.

  • debug aaa authentication - To determine which method is being used to authenticate (which should be RADIUS, unless the RADIUS server is down) and whether the users are passing authentication.

  • debug aaa authorization - To determine which method is being used for authorization and whether the users are passing it.

  • debug aaa accounting - To watch accounting records that are sent.

  • debug radius - To watch user attributes that are exchanged with the server.

Related Information

Updated: Jan 29, 2008
Document ID: 10361