
Cisco IOS Software Releases 12.2 SB

Shell-Based Authentication of VPDN Users


The Shell-Based Authentication of VPDN Users feature allows the network access server (NAS) and tunnel server to be configured to perform shell-based authentication of virtual private dialup network (VPDN) users. Shell-based authentication of VPDN users provides terminal services (shell login or exec login) for VPDN users to support rollout of wholesale dial networks. Authentication of users occurs via shell or exec login at the NAS before PPP starts and the tunnel is established.

A character-mode login dialog is provided before PPP starts, and the login dialog supports schemes such as token-card synchronization and initialization, and challenge-based password. After a user is authenticated in this way, the connection changes from character mode to PPP mode to connect the user to the desired destination. The authentication, authorization, and accounting (AAA) server that authenticates the login user can be selected based on the Dialed Number Identification Service (DNIS) or the domain-name part of the username.

VPDN profiles can be kept by a Resource Pool Manager Server (RPMS), or RADIUS-based AAA server, or on the NAS.

Configuration Information

Configuration information is included in the "Configuring AAA for VPDNs" module in the Cisco IOS VPDN Configuration Guide, Release 12.4T, at the following URL:

http://www.cisco.com/univercd/cc/td/doc/product/software/ios124/124tcg/tvpdn_c/vpc2auht.htm

Command Reference

This section documents modified commands.

aaa dnis map authentication group

aaa dnis map authentication group

To map a dialed number identification service (DNIS) number to a particular authentication server group (this server group will be used for authentication, authorization, and accounting [AAA] authentication), use the aaa dnis map authentication group command in AAA-server-group configuration mode. To remove the DNIS number from the defined server group, use the no form of this command.

aaa dnis map dnis-number authentication {ppp | login} group server-group-name

no aaa dnis map dnis-number authentication {ppp | login} group server-group-name

Syntax Description

| Argument or keyword | Description |
|---|---|
| dnis-number | Number of the DNIS. |
| ppp | Enables PPP authentication methods. |
| login | Enables character-mode authentication. |
| server-group-name | Character string used to name a group of security servers associated in a server group. |


Command Default

A DNIS number is not mapped to a server group.

Command Modes

AAA-server-group configuration

Command History

| Release | Modification |
|---|---|
| 12.0(7)T | This command was introduced. |
| 12.1(3)XL1 | This command was modified with the addition of the login keyword to include character-mode authentication. |
| 12.2(2)T | Support for the login keyword was added into Cisco IOS Release 12.2(2)T and this command was implemented for the Cisco 2600 series, Cisco 3600 series, and Cisco 7200 platforms. |
| 12.2(8)T | This command was implemented on the Cisco 806, Cisco 828, Cisco 1710, Cisco SOHO 78, Cisco 3631, Cisco 3725, Cisco 3745, and Cisco URM for IGX8400 platforms. |
| 12.2(11)T | This command was implemented on the Cisco AS5300 and Cisco AS5800 platforms. |
| 12.2(28)SB | This command was integrated into Cisco IOS Release 12.2(28)SB. |


Usage Guidelines

Use the aaa dnis map authentication group command to assign a DNIS number to a particular AAA server group so that the server group can process authentication requests for users that are dialing in to the network using that particular DNIS. To use the aaa dnis map authentication group command, you must first enable AAA, define a AAA server group, and enable DNIS mapping.

Examples

The following example maps DNIS number 7777 to the RADIUS server group called group1. Server group group1 uses RADIUS server 172.30.0.0 for authentication requests for users dialing in with DNIS number 7777.

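! Enable the AAA access control model
aaa new-model
! Specify the RADIUS server host
radius-server host 172.30.0.0 auth-port 1645 key cisco1
! Define server group group1 and add the RADIUS server to it
aaa group server radius group1
 server 172.30.0.0
 ! Enable AAA server selection based on DNIS
 aaa dnis map enable
 ! Map DNIS 7777 to group1 for PPP and for character-mode (login) authentication
 aaa dnis map 7777 authentication ppp group group1
 aaa dnis map 7777 authentication login group group1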

Related Commands

| Command | Description |
|---|---|
| aaa dnis map accounting network group | Maps a DNIS number to a particular accounting server group. |
| aaa dnis map enable | Enables AAA server selection based on DNIS. |
| aaa group server | Groups different server hosts into distinct lists and distinct methods. |
| aaa new-model | Enables the AAA access control model. |
| radius-server host | Specifies a RADIUS server host. |