Selecting AAA Server Groups Based on DNIS
This feature module describes how to configure a Cisco router or access server to use the Dialed Number Information Service (DNIS) to select a particular authentication, authorization, and accounting (AAA) server group.
Feature Overview
In past Cisco IOS releases, authentication and accounting services (otherwise referred to as AAA services) have been implemented in one of the following methods:
• Globally—meaning that AAA services were defined using global configuration access list commands and applied in general to all interfaces on a specific network access server
• Per Interface—meaning that AAA services were defined using interface configuration commands and applied specifically to the interface being configured on a specific network access server
• Using the AAA DNIS Map feature as described in the Cisco IOS Release 12.0(2)T Selecting AAA Servers Using DNIS Numbers feature module—meaning that you could use DNIS to specify one AAA server to supply AAA services
With Cisco IOS Release 12.0(6)T, you can now select a AAA server group (to which authentication and accounting requests will be sent) using DNIS. Using this new Selecting AAA Server Groups Based on DNIS feature, you can specify the same server group for AAA services or a separate server group for each AAA service. You can now configure authentication and accounting on different physical devices and provide fail-over backup support.
This feature obsoletes the previous Cisco IOS Release 12.0(2)T AAA DNIS Map feature.
Order of Precedence
AAA is extremely flexible; each of the three methods described for defining AAA services can be configured on the same network access server simultaneously. Because these methods can coexist, Cisco has established an order of precedence to determine which server or group of servers provides AAA services. The order of precedence is as follows:
• Per DNIS—If you have configured the network access server to use DNIS to determine which server group provides AAA services, this method takes precedence over any other AAA selection method configured.
• Per interface—If you have configured the network access server per interface to use access lists to determine how a server provides AAA services, this method takes precedence over any global AAA access lists you may have configured.
• Globally—If you have configured the network access server by using global AAA access lists to determine how the security server provides AAA services, this method has the least precedence.
Benefits
The Selecting AAA Server Groups Based on DNIS feature provides the following benefits:
• Direct authentication and accounting requests to different AAA servers or AAA server groups
• Fail-over support
Restrictions
This feature obsoletes the previous AAA DNIS Map feature as described in the Cisco IOS Release 12.0(2)T Selecting AAA Servers Using DNIS Numbers feature module.
Related Features and Technologies
• Cisco IOS Release 12.0(2)T Selecting AAA Servers Using DNIS Numbers feature module
• Cisco IOS Release 12.0(5)T AAA Server Groups feature module
Related Documents
• Security Configuration Guide; Cisco IOS Release 12.0
• Security Command Reference; Cisco IOS Release 12.0
Supported Platforms
This feature is supported on all platforms supporting AAA.
Supported Standards, MIBs, and RFCs
Standards
No new or modified standards are supported by this feature.
MIBs
No new or modified MIBs are supported by this feature.
For descriptions of supported MIBs and how to use MIBs, see the Cisco MIB web site on CCO at http://www.cisco.com/public/sw-center/netmgmt/cmtk/mibs.shtml.
RFCs
No new or modified RFCs are supported by this feature.
Prerequisites
Before you can configure your network access server to select a AAA server group based on the DNIS, you need to configure the remote security servers associated with each AAA server group. AAA recognizes two different security server protocols for AAA server groups: RADIUS and TACACS+. For more information about configuring your network access server to support either RADIUS or TACACS+, refer to the Cisco IOS Release 12.0 Security Configuration Guide.
Configuration Tasks
See the following sections for configuration tasks for the Selecting AAA Server Groups Based on DNIS feature. Each task in the list indicates whether the task is optional or required.
• Enabling AAA (Required)
• Defining the AAA Server Group by Name (Required)
• Defining the Security Server Parameters for Each Server (Required)
• Associating the AAA Server Group with a DNIS (Required)
Enabling AAA
To configure your network access server to select a particular AAA server group based on DNIS, first enable AAA with the aaa new-model global configuration command.
For more information about enabling AAA, refer to the Cisco IOS Release 12.0 Security Configuration Guide.
Defining the Security Server Parameters for Each Server
After you have enabled AAA, define the parameters of each security server that will belong to an AAA server group (for a RADIUS server, for example, with the radius-server host command).
For more information about configuring RADIUS or TACACS+ on the network access server, refer to the Cisco IOS Release 12.0 Security Configuration Guide.
Defining the AAA Server Group by Name
The next step in configuring your network access server to select AAA server groups by DNIS is to name each security server group and then associate the appropriate security servers with it: the aaa group server radius command names the group, and one server command for each member adds that server to the group.
For more information about configuring AAA security server groups, refer to the Cisco IOS Release 12.0(5)T AAA Server Groups feature module.
Associating the AAA Server Group with a DNIS
The final step in configuring the network access server to select a particular AAA server group based on DNIS is to configure DNIS mapping. In essence, you need to enable DNIS mapping with the aaa dnis map enable command, then associate the previously defined AAA server group (and whether the devices in it process authentication or accounting requests) with a DNIS, using the aaa dnis map authentication ppp group and aaa dnis map accounting network group commands.
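The selection rule that the tasks above and the Order of Precedence section describe (a DNIS-specific map wins; otherwise the default method list applies) and the prerequisites stated in the command usage guidelines, worked through in Python as an added example that is not part of the Cisco module: parse(), resolve() and lint() are hypothetical helpers, and the configuration they read is constructed, abridged from the example in the Configuration Examples section below.

```python
import re
# Constructed config abridged from this page's example; the parser is a simplified model of the IOS commands, not Cisco code.
SAMPLE_CONFIG = """
aaa new-model
aaa group server radius sg1
aaa group server radius sg2
aaa group server radius sg3
aaa group server radius default-group
aaa authentication ppp default group default-group
aaa accounting network default start-stop group default-group
aaa dnis map enable
aaa dnis map 7777 authentication ppp group sg1
aaa dnis map 7777 accounting network start-stop group sg2
aaa dnis map 8888 authentication ppp group sg3
aaa dnis map 9999 accounting network stop-only group sg3
"""
DNIS_RE = re.compile(r"^aaa dnis map (\d+) (authentication ppp|accounting network)"
                     r"(?: (none|start-stop|stop-only|wait-start))? group (\S+)$")
def parse(config):
    cfg = {"aaa new-model": False, "aaa dnis map enable": False,
           "groups": set(), "default": {}, "dnis": {}}
    for line in (l.strip() for l in config.splitlines()):
        if line in ("aaa new-model", "aaa dnis map enable"):
            cfg[line] = True                                  # global on/off switches
        elif line.startswith("aaa group server radius "):
            cfg["groups"].add(line.split()[-1])               # server group defined by name
        elif line.startswith("aaa authentication ppp default group "):
            cfg["default"]["authentication ppp"] = (line.split()[-1], None)
        elif line.startswith("aaa accounting network default "):
            cfg["default"]["accounting network"] = (line.split()[-1], line.split()[4])
        elif (m := DNIS_RE.match(line)):
            dnis, service, mode, group = m.groups()
            cfg["dnis"][(dnis, service)] = (group, mode)      # accounting mode is None for auth
    return cfg

def resolve(cfg, dnis, service):
    """(server group, accounting mode): a DNIS map entry beats the default method list."""
    if cfg["aaa dnis map enable"] and (dnis, service) in cfg["dnis"]:
        return cfg["dnis"][(dnis, service)]
    return cfg["default"].get(service)

def lint(cfg):
    """Prerequisites from the usage guidelines: AAA on, mapping enabled, groups defined."""
    problems = [] if cfg["aaa new-model"] else ["aaa new-model missing"]
    if cfg["dnis"] and not cfg["aaa dnis map enable"]:
        problems.append("aaa dnis map enable missing")
    for (dnis, service), (group, _) in cfg["dnis"].items():
        if group not in cfg["groups"]:
            problems.append(f"DNIS {dnis} {service}: server group {group} undefined")
    return problems
```

Calls with a DNIS that has no map entry for a given service fall through to the default method list, which is why 8888 accounts to default-group even though it authenticates against sg3.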
Verifying Selecting AAA Server Groups Based on DNIS
• Use the debug aaa authentication command to show the AAA server groups configured to provide authentication services.
• Use the debug aaa accounting command to show the AAA server groups configured to provide accounting services.
Configuration Examples
The following example selects RADIUS server groups based on DNIS to provide specific AAA services:
! This command enables AAA.
aaa new-model
!
! The following set of commands configures the RADIUS attributes for each server
! that will be associated with one of the defined server groups.
radius-server host 172.16.0.1 auth-port 1645 acct-port 1646 key cisco1
radius-server host 172.17.0.1 auth-port 1645 acct-port 1646 key cisco2
radius-server host 172.18.0.1 auth-port 1645 acct-port 1646 key cisco3
radius-server host 172.19.0.1 auth-port 1645 acct-port 1646 key cisco4
radius-server host 172.20.0.1 auth-port 1645 acct-port 1646 key cisco5
! The following commands define the sg1 RADIUS server group and associate servers
! with it.
aaa group server radius sg1
server 172.16.0.1
server 172.17.0.1
! The following commands define the sg2 RADIUS server group and associate a server
! with it.
aaa group server radius sg2
server 172.18.0.1
! The following commands define the sg3 RADIUS server group and associate a server
! with it.
aaa group server radius sg3
server 172.19.0.1
! The following commands define the default-group RADIUS server group and associate
! a server with it.
aaa group server radius default-group
server 172.20.0.1
!
! The next set of commands configures default-group RADIUS server group parameters.
aaa authentication ppp default group default-group
aaa accounting network default start-stop group default-group
!
! The next set of commands enables DNIS mapping and maps DNIS numbers to the defined
! RADIUS server groups. In this configuration, all PPP connection requests using DNIS
! 7777 are sent to the sg1 server group. The accounting records for these connections
! (specifically, start-stop records) are handled by the sg2 server group. Calls with a
! DNIS of 8888 use server group sg3 for authentication and server group default-group
! for accounting. Calls with a DNIS of 9999 use server group default-group for
! authentication and server group sg3 for accounting records (stop records only).
! All other calls with a DNIS other than the ones defined use the server
! group default-group for both authentication and start-stop accounting records.
aaa dnis map enable
aaa dnis map 7777 authentication ppp group sg1
aaa dnis map 7777 accounting network start-stop group sg2
aaa dnis map 8888 authentication ppp group sg3
aaa dnis map 9999 accounting network stop-only group sg3
Command Reference
This section documents new commands. All other commands used with this feature are documented in the Cisco IOS Release 12.0 command reference publications and Cisco IOS Release 12.0 T feature modules.
New Commands
• aaa dnis map accounting network group
• aaa dnis map authentication ppp group
aaa dnis map accounting network group
To map a Dialed Number Information Service (DNIS) number to a particular authentication, authorization, and accounting (AAA) server group (this server group will be used for AAA accounting), use the aaa dnis map accounting network group global configuration command. To unmap this DNIS number from the defined server group, use the no form of this command.
aaa dnis map dnis-number accounting network [none | start-stop | stop-only | wait-start] group server-group-name
no aaa dnis map dnis-number accounting network [none | start-stop | stop-only | wait-start] group server-group-name
Syntax Description
Defaults
Disabled
Command Modes
Global configuration
Command History
Usage Guidelines
This command lets you assign a DNIS number to a particular AAA server group, so that the server group can process accounting requests for users dialing in to the network using that particular DNIS. To use this command, you must first enable AAA, define an AAA server group, and enable DNIS mapping.
Examples
The following example maps DNIS number 7777 to the RADIUS server group called group1. Server group group1 will use RADIUS server 172.30.0.0 for accounting requests for users dialing in with DNIS 7777.
Router(config)# aaa new-model
Router(config)# radius-server host 172.30.0.0 acct-port 1646 key cisco1
Router(config)# aaa group server radius group1
Router(config-sg-radius)# server 172.30.0.0
Router(config)# aaa dnis map enable
Router(config)# aaa dnis map 7777 accounting network group group1
Related Commands
aaa dnis map authentication ppp group
To map a Dialed Number Information Service (DNIS) number to a particular authentication, authorization, and accounting (AAA) server group (this server group will be used for AAA authentication), use the aaa dnis map authentication ppp group global configuration command. To unmap this DNIS number from the defined server group, use the no form of this command.
aaa dnis map dnis-number authentication ppp group server-group-name
no aaa dnis map dnis-number authentication ppp group server-group-name
Syntax Description
dnis-number
Number of the DNIS.
server-group-name
Character string used to name a group of security servers associated in a server group.
Defaults
Disabled
Command Modes
Global configuration
Command History
Usage Guidelines
This command lets you assign a DNIS number to a particular AAA server group, so that the server group can process authentication requests for users dialing in to the network using that particular DNIS. To use this command, you must first enable AAA, define an AAA server group, and enable DNIS mapping.
Examples
The following example maps DNIS number 7777 to the RADIUS server group called group1. Server group group1 will use RADIUS server 172.30.0.0 for authentication requests for users dialing in with DNIS 7777.
Router(config)# aaa new-model
Router(config)# radius-server host 172.30.0.0 auth-port 1645 key cisco1
Router(config)# aaa group server radius group1
Router(config-sg-radius)# server 172.30.0.0
Router(config)# aaa dnis map enable
Router(config)# aaa dnis map 7777 authentication ppp group group1
Related Commands
