
Cisco IOS Software Releases 12.2 T

Shell-Based Authentication of VPDN Users

Table Of Contents

Shell-Based Authentication of VPDN Users

Feature Overview

Benefits

Restrictions

Order of Precedence

Related Documents

Supported Platforms

Supported Standards, MIBs, and RFCs

Prerequisites

Configuration Tasks

Configuring the Network Access Server to Support Exec-VPDN

Configuring the NAS for AAA

Configuring PPP to Skip User Authentication

Configuring DNIS for Locating a AAA Server

Enabling VPDN

Configuring the Home Gateway Server

Verifying Shell-Based Authentication

NAS Configuration

Configuration for a Cisco 3640 HGW

NAS Configuration

HGW Configuration

Troubleshooting Tips

Command Reference

aaa dnis map authentication group

Glossary


Shell-Based Authentication of VPDN Users


Feature History

Release      Description
12.1(3)XL1   This feature was introduced on the Cisco AS5800 universal access server.
12.2(2)T     This feature was integrated into Cisco IOS Release 12.2(2)T, and support was added for the Cisco 2600 series, Cisco 3600 series, and Cisco 7200 platforms.
12.2(8)T     Support was added for the Cisco 806, Cisco 828, Cisco 1710, Cisco SOHO 78, Cisco 3631, Cisco 3725, Cisco 3745, and Cisco URM for IGX8400 platforms.
12.2(11)T    Support was added for the Cisco AS5300 and Cisco AS5800 platforms.


This document describes the Shell-Based Authentication of VPDN Users feature and includes the following sections:

Feature Overview

Supported Platforms

Supported Standards, MIBs, and RFCs

Configuration Tasks

Command Reference

Glossary

Feature Overview

The Shell-Based Authentication of VPDN Users feature provides terminal services for VPDN users to support rollout of wholesale dial networks. Terminal services (shell login or exec login) on the network access server (NAS) provide the following capabilities:

Enabling a dial-in user session to be terminated at the access server.

Authenticating the user with a character-mode login dialog such as username/password or username/challenge/password, SecurID, SafeWord, and so on.

Initiating PPP and tunneling it to a home gateway (HGW).

With the terminal services, user authentication methods other than PAP and CHAP can be applied to PPP users. With the Shell-Based Authentication of VPDN Users feature, PPP authentication data is preconfigured or entered before PPP starts. Authentication is completed without any further input from the user.

Terminal services provided by Exec-VPDN add the following functionality:

An enhancement to an existing AAA configuration command which enables a user to be authenticated at a remote network determined by the DNIS number. This enhancement supports login in addition to ppp:

aaa dnis map dnis-number authentication { ppp | login } group name

If a proxy AAA server is used by the NAS to authenticate an exec login, this command is not needed. Shell-based authentication then uses the DNIS or domain name to decide which AAA server should authenticate the user.

The new feature supports L2F and L2TP without PPP user authentication.

Figure 1 Typical Network Setup for Shell-Based Exec-VPDN

Benefits

With this feature, clients dial in, are authenticated in character mode, start PPP, and are tunneled based on either DNIS or domain. In other words, dial-up users are authenticated over a character-mode connection and are then switched to PPP and tunneled to a remote home gateway.

A character-mode login dialog is provided before PPP starts, and the login dialog supports schemes such as token-card synchronization and initialization, challenge-based password, and so on. After a user is authenticated in this way, the connection changes from character mode to PPP mode to connect the user to the desired destination. The AAA server that authenticates the login user can be selected based on the dialed DNIS or the domain-name part of the user name.

VPDN profiles can be kept by a Resource Pool Manager Server (RPMS), RADIUS-based AAA server, or on the NAS.

Restrictions

Per-user virtual profile on a HGW is not supported.

Call back is not supported.

Only those login schemes supported by the NAS exec-login features are supported.

If VPDN fails to get established (for example, RPMS denies the session), the dial-up call is terminated. An exec-PPP session is never allowed to terminate locally on the NAS when the desired VPDN session fails to get established, because the user was only presumed authenticated by an AAA server at the remote enterprise.

While an exec-VPDN HGW accepts a tunneled PPP session without authenticating the PPP clients, the tunnel itself must be mutually authenticated by both the NAS and the HGW. To further reduce security risks, a separate VPDN group with a distinct local name should be created on the HGW so that only the exec-VPDN sessions are accepted without authentication.

Order of Precedence

AAA is extremely flexible; each of the three definitions of AAA services can be configured on the same network access server simultaneously. Because all three definitions of AAA services can be configured simultaneously, Cisco has established an order of precedence to determine which server or groups of servers provide AAA services. The precedence is in the following order:

Per DNIS—If you have configured the network access server to use DNIS to identify or determine which server group provides AAA services, then this method has the highest priority and takes precedence over any additional AAA selection method configured.

Per interface—If you have configured the network access server per interface to use access lists to determine how a server provides AAA services, this method takes precedence over any global configuration AAA access lists you might have configured.

Globally—If you have configured the network access server by using global AAA access lists to determine how the security server provides AAA services, this method has the lowest priority.
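The three-level precedence described above (per DNIS, then per line, then global) is easy to get wrong when a NAS carries both wholesale and retail dial-in, so a small resolver that answers "which server group will authenticate this login?" is a useful check. The following Python is an added example, not code from the Cisco document; the configuration fragment, server-group names, line ranges and DNIS numbers in it are constructed for the example. It reads the per-line method lists from `line x y` blocks and treats a line's `login authentication` list as the "per interface" level; it also models the fact that `aaa dnis map` entries are only honoured once `aaa dnis map enable` is present.

```python
import re

# Constructed sample NAS configuration fragment (not from the page); the
# server-group and method-list names, line ranges and DNIS are hypothetical.
SAMPLE_NAS_CONFIG = """\
aaa new-model
aaa group server radius HGW-A-Servers
 server 192.0.2.10
aaa group server radius HGW-B-Servers
 server 192.0.2.20
aaa group server radius ISP-Servers
 server 192.0.2.30
aaa authentication login default group ISP-Servers
aaa authentication login Exec-VPDN-login group HGW-A-Servers
aaa dnis map enable
aaa dnis map 7777 authentication login group HGW-B-Servers
line 1 48
 login authentication Exec-VPDN-login
line 49 96
 login authentication default
"""


def parse(config):
    """Return (dnis_enabled, dnis_map, method_lists, line_lists) from a config text."""
    dnis_enabled = False
    dnis_map = {}      # DNIS number -> server group used for login authentication
    method_lists = {}  # login method-list name -> server group
    line_lists = {}    # (first tty, last tty) -> method list applied with 'login authentication'
    current_range = None
    for raw in config.splitlines():
        line = raw.rstrip()
        if line == "aaa dnis map enable":
            dnis_enabled = True
        elif m := re.match(r"aaa dnis map (\d+) authentication login group (\S+)", line):
            dnis_map[m.group(1)] = m.group(2)
        elif m := re.match(r"aaa authentication login (\S+) group (\S+)", line):
            method_lists[m.group(1)] = m.group(2)
        elif m := re.match(r"line (\d+) (\d+)", line):
            current_range = (int(m.group(1)), int(m.group(2)))
        elif current_range and (m := re.match(r"\s+login authentication (\S+)", line)):
            line_lists[current_range] = m.group(1)
        elif line and not line.startswith(" "):
            current_range = None  # any other top-level command ends the line block
    return dnis_enabled, dnis_map, method_lists, line_lists


def select_login_group(config, tty, dnis=None):
    """Apply the order of precedence: per DNIS, then per line, then global default.

    Returns (server_group, level) where level names the rule that decided.
    """
    dnis_enabled, dnis_map, method_lists, line_lists = parse(config)
    # 1. Per DNIS has the highest priority, but only once DNIS mapping is enabled.
    if dnis_enabled and dnis is not None and dnis in dnis_map:
        return dnis_map[dnis], "dnis"
    # 2. Per line: a named method list applied to the tty with 'login authentication'.
    for (first, last), list_name in line_lists.items():
        if first <= tty <= last and list_name != "default" and list_name in method_lists:
            return method_lists[list_name], "line"
    # 3. Global: the 'default' login method list has the lowest priority.
    if "default" in method_lists:
        return method_lists["default"], "global"
    return None, "none"


if __name__ == "__main__":
    for tty, dnis in ((5, "7777"), (5, "8888"), (60, "7777"), (60, None)):
        print(tty, dnis, select_login_group(SAMPLE_NAS_CONFIG, tty, dnis))
```

Removing the `aaa dnis map enable` line from the sample and re-running shows the DNIS rule silently dropping out, which is the failure mode to look for when a wholesale DNIS is unexpectedly authenticated by the NAS's own servers.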

Figure 2 Event Sequence Illustration for Shell-Based Exec-VPDN

Table 1 Event Sequence Description Table for Shell-Based Exec-VPDN

Step 1
  Client: Calls in character mode to an asynchronous interface on a NAS.
  Notes: To identify the AAA server to use on the HGW network, the line is configured with a DNIS for the dialed line, or a domain name.

Step 2
  NAS: Consults RPMS, if configured, on the number-of-calls limit for the DNIS group and the call type (async or V.120).
  Notes: If no AAA server can be decided or the call type is not async/V.120, the NAS takes the usual action as with non-exec VPDN cases.

Step 3
  NAS: Accepts the call if RPMS is not configured or RPMS says OK, and starts a login terminal service for the line.
  Notes: If RPMS denies the call, the NAS gives the call the call treatment specified by the customer RPMS configuration.

Step 4
  NAS: Retrieves AAA server information for the DNIS or domain name.
  Notes: For exec-VPDN, the AAA server is presumed to be at the HGW network. It is a misconfiguration if no RADIUS or TACACS+ server groups are defined for AAA authentication (for example, only "local" is defined).

Step 5
  Client: Enters user ID, password, and so on, as prompted.
  NAS: Acts as the AAA client to authenticate the login user, then prompts the user based on the NAS conversation with the AAA server.
  HGW: The AAA server in the HGW network serves the AAA requests from the NAS.
  Notes: A Cisco NAS supports an extended SDI login dialog in conjunction with a AAA server, with retry handling. It is a misconfiguration if the AAA server is not in the HGW network while the DNIS is mapped to the HGW.

Step 6
  NAS: Drops the character-mode connection and switches to PPP mode. Flags the PPP session as "exec-PPP".
  Notes: The NAS configures "autocommand ppp" on the line interface. The NAS performs an active PPP open, with user = the exec-login user ID and PPP authentication method = none.

Step 7
  Client: Enters PPP mode.
  Notes: The client enters PPP mode either manually or automatically, passively or actively.

Step 8
  Client: LCP is UP; starts NCP negotiation.
  NAS: LCP is UP; tries to forward the PPP session.
  Notes: With no PPP authentication, NCP starts immediately. The NAS must buffer the NCP packets.

Step 9
  NAS: Finds VPDN information based on the DNIS or domain name if VPDN is enabled.
  Notes: If VPDN is not enabled or no VPDN information is found, the PPP session terminates at the NAS. It is a misconfiguration if a DNIS is mapped to a remote AAA server but without a corresponding VPDN configuration or "vpdn enable".

Step 10
  NAS: Consults RPMS, if configured, on the limits for the number of VPDN sessions, MLP bundles, and links per bundle.

Step 11
  NAS: Starts DNIS- or domain-based VPDN as triggered by the PPP session, if RPMS is not configured or RPMS indicates the connection is OK.
  Notes: If RPMS denies the connection, the NAS tears down the exec-PPP connection (flagged as such by exec PPP); that is, no locally terminated PPP is allowed if exec PPP fails to tunnel because of resource pool limits.

Step 12
  HGW: Accepts the VPDN session without authenticating the user again.
  Notes: This is a normal VPDN session to the HGW with no PPP authentication negotiated.

Step 13
  NAS: Forwards LCP proxy data to the HGW.

Step 14
  Client: Negotiates NCP with the HGW.
  HGW: Negotiates NCP with the client.
  Notes: The normal course of a tunneled PPP session follows.

Related Documents

Cisco IOS Security Configuration Guide, Cisco IOS Release 12.1

Cisco IOS Security Command Reference, Cisco IOS Release 12.1

Cisco IOS Dial Services Configuration Guide: Network Services, Cisco IOS Release 12.1

Cisco IOS Dial Services Command Reference, Cisco IOS Release 12.1

Selecting AAA Servers Using DNIS Numbers, Cisco IOS Release 12.0(2)T feature module

AAA Server Groups, Cisco IOS Release 12.0(5)T feature module

Cisco AAA Implementation Case Study

Supported Platforms

Cisco 806

Cisco 828

Cisco SOHO 78

Cisco 1710

Cisco 2600 series

Cisco 3600 series

Cisco 3631

Cisco 3725

Cisco 3745

Cisco AS5300

Cisco AS5800

Cisco 7200

Cisco URM for IGX8400

Table 2 Cisco IOS Release and Platform Support for this Feature

Platform               12.1(3)XL1      12.2(2)T        12.2(8)T        12.2(11)T
Cisco 806              Not supported   Not supported   X               X
Cisco 828              Not supported   Not supported   X               X
Cisco SOHO 78          Not supported   Not supported   X               X
Cisco 1710             Not supported   Not supported   X               X
Cisco 2600 series      Not supported   X               X               X
Cisco 3600 series      Not supported   X               X               X
Cisco 3631             Not supported   Not supported   X               X
Cisco 3725             Not supported   Not supported   X               X
Cisco 3745             Not supported   Not supported   X               X
Cisco AS5300           Not supported   Not supported   Not supported   X
Cisco AS5800           X               Not supported   Not supported   X
Cisco 7200             Not supported   X               X               X
Cisco URM for IGX8400  Not supported   Not supported   X               X


Determining Platform Support Through Cisco Feature Navigator

Cisco IOS software is packaged in feature sets that support specific platforms. To get updated information regarding platform support for this feature, access Cisco Feature Navigator. Cisco Feature Navigator dynamically updates the list of supported platforms as new platform support is added for the feature.

Cisco Feature Navigator is a web-based tool that enables you to quickly determine which Cisco IOS software images support a specific set of features and which features are supported in a specific Cisco IOS image. You can search by feature or release. Under the release section, you can compare releases side by side to display both the features unique to each software release and the features in common.

To access Cisco Feature Navigator, you must have an account on Cisco.com. If you have forgotten or lost your account information, send a blank e-mail to cco-locksmith@cisco.com. An automatic check will verify that your e-mail address is registered with Cisco.com. If the check is successful, account details with a new random password will be e-mailed to you. Qualified users can establish an account on Cisco.com by following the directions at http://www.cisco.com/register.

Cisco Feature Navigator is updated regularly when major Cisco IOS software releases and technology releases occur. For the most current information, go to the Cisco Feature Navigator home page at the following URL:

http://www.cisco.com/go/fn

Availability of Cisco IOS Software Images

Platform support for particular Cisco IOS software releases is dependent on the availability of the software images for those platforms. Software images for some platforms may be deferred, delayed, or changed without prior notice. For updated information about platform support and availability of software images for each Cisco IOS software release, refer to the online release notes or, if supported, Cisco Feature Navigator.

Supported Standards, MIBs, and RFCs

Standards

No new or modified standards are supported by this feature.

MIBs

No new or modified MIBs are supported by this feature.

To obtain lists of MIBs supported by platform and Cisco IOS release and to download MIB modules, go to the Cisco MIB web site on Cisco Connection Online (CCO) at http://www.cisco.com/public/sw-center/netmgmt/cmtk/mibs.shtml.

RFCs

No new or modified RFCs are supported by this feature.

Prerequisites

This feature requires virtual private dialup network (VPDN), wide area networking (WAN), and authentication, authorization, and accounting (AAA) configurations to be set up before it is implemented. Resource Pool Manager Server (RPMS) configuration can also be used, if needed. Before you configure your NAS or HGW for AAA, you must configure the remote security servers associated with each AAA server group. Refer to the applicable documentation listed in the "Related Documents" section for these other configuration requirements.

If you are not familiar with basic as well as advanced VPDN, and the difference between legacy VPDN and this feature, refer to the applicable documents in the "Related Documents" section.

The exec-VPDN configuration consists of basic configurations of existing technologies:

Normal user information configuration: local or AAA

Normal AAA server configuration for login if a AAA server is used for login

Normal dial-in access interface configuration (serial async, V.120)

Normal (non-tunnel) PPP configuration with no PPP user authentication

Normal AAA server configuration for PPP if AAA is used for PPP

Normal configuration of autocommand ppp on the dial-in access interface to start PPP

Normal VPDN configuration: local or in a AAA profile

Proxy AAA configuration (for instance, GRS)

aaa dnis map command (new)


Note Verify that all of the separate components mentioned previously are operating correctly—by testing them individually—before implementing the Exec-VPDN feature.


Configuration Tasks

To use the aaa dnis map authentication group aaa-server-group configuration command, you must first enable AAA, define a AAA server group, and enable DNIS mapping.

The following sections provide the steps for configuring Exec-VPDN:

Configuring the Network Access Server to Support Exec-VPDN

Configuring the Home Gateway Server

Configuring the Network Access Server to Support Exec-VPDN

Configuring the NAS for AAA

To configure the NAS for AAA, use the following commands, starting in global configuration mode:

 
Command
Purpose

Step 1 

Router(config)# aaa new-model

Enables the AAA access control model. In addition to starting the AAA access control system, this step immediately locks down login and PPP authentication.

Step 2 

Router(config)# radius-server host ip-address auth-port auth-port-number acct-port acct-port-number

Specifies a list of AAA servers for the NAS to use.

For exec VPDN, the list of server hosts is the list of remote AAA servers on the HGW network. They must be accessible to the NAS.

Step 3 

Router(config)# aaa authentication login name group group-name

Configures a AAA login authentication method list for the exec login. This is needed when VPDN is selected by domain name and the login is not proxied to the remote AAA server on the HGW network.

The following example maps DNIS number 7777 to the RADIUS server group called ExecVPDN-Login-Servers. Server group ExecVPDN-Login-Servers will use RADIUS server 172.30.0.0 for authentication requests for users dialing in with DNIS 7777.

aaa new-model
radius-server host 172.30.0.0 auth-port 1645 key cisco1
aaa group server radius ExecVPDN-Login-Servers
  server 172.30.0.0
aaa dnis map enable
aaa dnis map 7777 authentication ppp group ExecVPDN-Login-Servers
aaa dnis map 7777 authentication login group ExecVPDN-Login-Servers

The AAA servers in the ExecVPDN-Login-Servers server group should reside in the home gateway network that the exec VPDN user intends to tunnel to.


aaa group server radius ExecVPDN-Login-Servers
  server 171.69.71.85
aaa authentication login ExecVPDN-Login group ExecVPDN-Login-Servers
!
line 1 8
  ! assuming all logins on lines 1-8 are to be authenticated at 171.69.71.85
  login authentication ExecVPDN-Login
  autoselect during-login
  autocommand ppp
  modem InOut
  transport input all
  transport output none
  stopbits 1
  speed 115200

When a user logs in by typing client_guy@company1.com at the login prompt, the 171.69.71.85 server is consulted for the authentication. If the authentication succeeds, the autocommand starts PPP immediately without letting the user access the exec shell.

Configuring PPP to Skip User Authentication

To configure the PPP to skip user authentication, use the following command, starting in global configuration mode:

 
Command
Purpose

Step 1 

Router(config)# aaa authentication ppp NAME if-needed

Configures PPP so that it skips user authentication if a user has been authenticated at the login prompt.

The following example uses the global RADIUS server definition list for PPP authentication if authentication is needed.

aaa authentication ppp ExecVPDN-ppp if-needed group radius
!
! PPP configuration for line 1
interface Async1
  ip unnumbered Ethernet0
  encapsulation ppp
  async mode interactive
  ppp authentication pap ExecVPDN-ppp

Configuring DNIS for Locating a AAA Server

To configure DNIS for locating a AAA server, use the following commands, starting in global configuration mode:

 
Command
Purpose

Step 1 

Router(config)# aaa dnis map enable

Enables DNIS mapping for locating a AAA server.

Step 2 

Router(config)# aaa dnis map dnis-number authentication {login | ppp} group server-group-name

Maps a Dialed Number Identification Services (DNIS) number to a particular authentication server group (this server group is used for AAA authentication).

The following example maps DNIS 3335555 to a RADIUS server group. Again, this configuration points at the AAA server on the HGW network:

aaa group server radius eVpdn-login-serv-dnis-1
  server 171.69.71.85
aaa authentication login eVpdn-login-dnis-1 group eVpdn-login-serv-dnis-1
aaa dnis map enable
aaa dnis map 3335555 authentication login group eVpdn-login-serv-dnis-1
aaa dnis map 3335555 authentication ppp group eVpdn-login-serv-dnis-1

Enabling VPDN

To enable VPDN, use the following command, starting in global configuration mode:

 
Command
Purpose

Step 1 

Router(config)# vpdn enable

Enables VPDN.

Alternatively, a static vpdn-group configuration on the NAS can be defined, for instance:

vpdn-group 1
  request-dialin
    protocol l2tp
    domain company1.com
  initiate-to ip 10.0.3.155
  local name host1_no_authen

Both Layer 2 Forwarding Protocol (L2F) and Layer 2 Tunneling Protocol (L2TP) are supported.

On the dial-up line interface, configure autoselect during-login to allow smooth login terminal services.

On the dial-up line interface, configure autocommand ppp. This denies the PPP user access to the exec shell, but allows entry to (tunneled) PPP.

The Resource Pool Manager Server (RPMS) can be optionally configured.

Multilink PPP Protocol (MLP) can be optionally configured.

Configuring the Home Gateway Server

The HGW must be configured to accept a tunneled PPP session without authenticating the PPP client (this requirement conforms to the L2TP and L2F RFCs). To do this, use the following commands, starting in global configuration mode:

 
Command
Purpose

Step 1 

Router(config)# vpdn group number

Specifies a VPDN group for further configuration.

Step 2 

Router(config-vpdn)# l2tp tunnel authentication

Configures the HGW to accept a tunneled PPP session. Tunnel authentication must be on for L2TP (always on for L2F).

Step 3 

Router(config-vpdn)# local name name

The unique local name (something other than the system hostname) that was configured for the VPDN group at the NAS is configured for the VPDN group at the HGW for Exec VPDN. This ensures that only a special pair of VPDN groups at the NAS and the HGW allows L2X connections between them to have no PPP authentication.

Step 4 

Router(config-vpdn)# l2tp tunnel password password

A specific, unique password (the L2TP tunnel password) should be used for the VPDN group. This reduces the chance of the password being spoofed.

The following example shows no PPP authentication configured:

vpdn-group 1
  accept-dialin
    protocol l2tp
    virtual-template 1
  terminate-from hostname host1_no_authen
  l2tp tunnel authentication
  l2tp tunnel password no_authen_secret
  local name host2_no_authen
!
interface Virtual-Template1
  ip unnumbered Ethernet0/0
  no keepalive
  ppp authorization no_author
!

The following example shows PPP authentication enabled on a separate VPDN group, with its own local name, its own tunnel password, and its own virtual template:

vpdn-group 2
  accept-dialin
    protocol l2tp
    virtual-template 2
  terminate-from hostname authen_on
  l2tp tunnel authentication
  l2tp tunnel password authen_on_secret
  local name host2_authen_on
!
interface Virtual-Template2
  ip unnumbered Ethernet0/0
  no keepalive
  ppp authentication pap
!
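Because the HGW side of exec-VPDN accepts PPP sessions with no user authentication, the whole scheme rests on the details that Table 1, the Restrictions section and the HGW task above call out: the DNIS must map to a defined RADIUS/TACACS+ server group, `vpdn enable` must be present on the NAS, the PPP list must carry `if-needed`, the tunnel must be authenticated, and the no-authentication VPDN group must have a distinct local name and its own tunnel password. The following Python audits a NAS and an HGW running-config text for exactly those conditions. It is an added example, not a Cisco tool or code from the document; the two configuration samples, hostnames, group names, addresses and the tunnel password are constructed. It assumes the IOS default that L2TP tunnel authentication is on unless `no l2tp tunnel authentication` appears, and that a VPDN group without `local name` identifies itself by the system hostname.

```python
import re
from collections import Counter

# Constructed sample configurations for this example (not from the page);
# hostnames, group names, addresses and the tunnel password are placeholders.
SAMPLE_NAS = """\
hostname nas1
aaa new-model
aaa group server radius HGW-Servers
 server 192.0.2.10
aaa authentication login Exec-VPDN-login group HGW-Servers
aaa authentication ppp Exec-VPDN-ppp group HGW-Servers
aaa dnis map enable
aaa dnis map 7777 authentication login group HGW-Servers
aaa dnis map 8888 authentication login group Missing-Group
"""

SAMPLE_HGW = """\
hostname hgw
vpdn enable
vpdn-group 1
 accept-dialin
  protocol l2tp
  virtual-template 1
 terminate-from hostname nas1_no_authen
 l2tp tunnel password SharedSecret
 local name hgw
!
vpdn-group 2
 accept-dialin
  protocol l2tp
  virtual-template 2
 terminate-from hostname nas2
 no l2tp tunnel authentication
 l2tp tunnel password SharedSecret
 local name hgw2_no_authen
"""


def blocks(config):
    """Split an IOS config into (top-level line, [indented child lines]) pairs."""
    out = []
    for raw in config.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw.startswith(" ") and out:
            out[-1][1].append(raw.strip())
        else:
            out.append((raw.strip(), []))
    return out


def audit_nas(config):
    """NAS checks drawn from Table 1 and the 'Configuring PPP to Skip User Authentication' task."""
    findings = []
    top = [header for header, _ in blocks(config)]
    groups, maps, ppp_lists = set(), [], {}
    for h in top:
        if m := re.match(r"aaa group server (?:radius|tacacs\+) (\S+)", h):
            groups.add(m.group(1))
        elif m := re.match(r"aaa dnis map (\d+) authentication (?:login|ppp) group (\S+)", h):
            maps.append((m.group(1), m.group(2)))
        elif m := re.match(r"aaa authentication ppp (\S+) (.*)", h):
            ppp_lists[m.group(1)] = m.group(2)
    if maps and "aaa dnis map enable" not in top:
        findings.append("DNIS maps configured but 'aaa dnis map enable' is missing")
    if maps and "vpdn enable" not in top:
        findings.append("DNIS mapped to a remote AAA group but 'vpdn enable' is missing")
    for dnis, group in maps:
        if group not in groups:  # e.g. only 'local' is defined
            findings.append(f"DNIS {dnis} maps to undefined server group '{group}'")
    for name, methods in ppp_lists.items():
        if "if-needed" not in methods.split():
            findings.append(f"PPP list '{name}' lacks 'if-needed'; exec-authenticated users would be challenged again")
    return findings


def audit_hgw(config):
    """HGW checks drawn from the Restrictions and 'Configuring the Home Gateway Server' sections."""
    findings = []
    hostname = None
    passwords = Counter()
    for header, children in blocks(config):
        if header.startswith("hostname "):
            hostname = header.split(None, 1)[1]
        if not header.startswith("vpdn-group ") or "accept-dialin" not in children:
            continue
        local = next((c.split(None, 2)[2] for c in children if c.startswith("local name ")), None)
        pw = next((c.split(None, 3)[3] for c in children if c.startswith("l2tp tunnel password ")), None)
        if "no l2tp tunnel authentication" in children:
            findings.append(f"{header}: tunnel authentication disabled on a group that accepts dial-in")
        if local is None or local == hostname:  # default local name is the hostname (assumed IOS behaviour)
            findings.append(f"{header}: local name is the system hostname; use a distinct name for the exec-VPDN pair")
        if pw is None:
            findings.append(f"{header}: no 'l2tp tunnel password'")
        else:
            passwords[pw] += 1
    for pw, n in passwords.items():
        if n > 1:
            findings.append(f"L2TP tunnel password shared by {n} vpdn-groups; use a unique password per group")
    return findings


if __name__ == "__main__":
    for name, result in (("NAS", audit_nas(SAMPLE_NAS)), ("HGW", audit_hgw(SAMPLE_HGW))):
        print(name, *result, sep="\n  ")
```

Feed it the output of `show running-config` from each box; string matching against a running config is deliberately strict, so a command entered with an abbreviation will show up in its expanded form there and still match.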

Verifying Shell-Based Authentication

To verify that a user can log in and get either an L2TP or L2F tunnel established, and to see who is connected, use the show users command.

To see the L2F and L2TP tunnels, and to verify that the expected number of L2X tunnels and sessions are in use, use the show vpdn command.

NAS Configuration

st-5300-c2#sh run
Building configuration...

Current configuration:
!
version 12.1
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname st-5300-c2
!
no logging buffered
aaa new-model
aaa group server radius Exec-VPDN-Login-Servers
 server 171.69.69.72 auth-port 1645 acct-port 1646
!
aaa authentication login Exec-VPDN-login group Exec-VPDN-Login-Servers
aaa authentication ppp Exec-VPDN-ppp if-needed group Exec-VPDN-Login-Servers
aaa authorization network default group Exec-VPDN-Login-Servers
aaa authorization network no_author none 
enable password lab
!
!<snip>
!
spe 1/0 1/7
 firmware location system:/ucode/mica_port_firmware
!
resource-pool disable
!
ip subnet-zero
ip ftp source-interface Ethernet0
ip ftp username root
ip ftp password lab
no ip domain-lookup
!
vpdn enable
no vpdn logging
vpdn search-order domain 
!
isdn switch-type primary-5ess
cns event-service server

mta receive maximum-recipients 0
!
controller T1 0
 framing esf
 clock source line primary
 linecode b8zs
 pri-group timeslots 1-24
!
controller T1 1
 framing esf
 clock source line secondary 1
 linecode b8zs
 pri-group timeslots 1-24
!
controller T1 2
 framing esf
 clock source line secondary 2
 linecode b8zs
 pri-group timeslots 1-24
!
controller T1 3
 framing esf
 clock source line secondary 3
 linecode b8zs
 pri-group timeslots 1-24
!
controller T1 4
 framing esf
 clock source line secondary 4
 linecode b8zs
 pri-group timeslots 1-24
!
controller T1 5
 framing esf
 clock source line secondary 5
 linecode b8zs
 pri-group timeslots 1-24
!
controller T1 6
 framing esf
 clock source line secondary 6
 linecode b8zs
 pri-group timeslots 1-24
!
controller T1 7
 framing esf
 clock source line secondary 7
 linecode b8zs
 pri-group timeslots 1-24
!
interface Loopback0
 ip address 1.1.1.1 255.255.255.0
!
interface Ethernet0
 ip address 1.1.2.1 255.255.255.0
 no ip route-cache
 no ip mroute-cache
 no cdp enable
!
interface Virtual-Template1
 no ip address
!
interface Virtual-Template5
 no ip address
!
interface Serial0
 no ip address
 shutdown
 no fair-queue
 clockrate 2015232
 no cdp enable
!
interface Serial1
 no ip address
 shutdown 
 no fair-queue
 clockrate 2015232
 no cdp enable
!
interface Serial2
 no ip address
 shutdown
 no fair-queue
 clockrate 2015232
 no cdp enable
!
interface Serial3
 no ip address
 shutdown
 no fair-queue
 clockrate 2015232
 no cdp enable
!
interface Serial0:23
 ip unnumbered Ethernet0
 encapsulation ppp
 ip mroute-cache
 isdn switch-type primary-5ess
 isdn incoming-voice modem
 no peer default ip address
 no fair-queue
 no cdp enable
 ppp authentication pap Exec-VPDN-ppp
 ppp authorization no_author
 ppp multilink
!
interface Serial1:23
 no ip address
 encapsulation ppp
 ip mroute-cache
 isdn switch-type primary-5ess
 isdn incoming-voice modem
 no peer default ip address
 no fair-queue
 no cdp enable
!
interface Serial2:23
 no ip address
 encapsulation ppp
 ip mroute-cache
 isdn switch-type primary-5ess
 isdn incoming-voice modem
 no peer default ip address
 no fair-queue
 no cdp enable
!
interface Serial3:23
 no ip address
 encapsulation ppp
 ip mroute-cache
 isdn switch-type primary-5ess
 isdn incoming-voice modem
 no peer default ip address
 no fair-queue
 no cdp enable
!
interface Serial4:23
 no ip address
 encapsulation ppp
 ip mroute-cache
 dialer-group 1
 isdn switch-type primary-5ess
 isdn incoming-voice modem
 no peer default ip address
 no fair-queue
 no cdp enable
!
interface Serial5:23
 no ip address
 encapsulation ppp
 ip mroute-cache
 dialer-group 1
 isdn switch-type primary-5ess
 isdn incoming-voice modem
 no peer default ip address
 no fair-queue
 no cdp enable
!
interface Serial6:23
 no ip address
 encapsulation ppp
 ip mroute-cache
 dialer-group 1
 isdn switch-type primary-5ess
 isdn incoming-voice modem
 no peer default ip address
 no fair-queue
 no cdp enable
!         
interface Serial7:23
 no ip address
 encapsulation ppp
 ip mroute-cache
 dialer-group 1
 isdn switch-type primary-5ess
 isdn incoming-voice modem
 no peer default ip address
 no fair-queue
 no cdp enable
!
interface FastEthernet0
 no ip address
 no ip route-cache
 no ip mroute-cache
 no keepalive
 shutdown
 duplex auto
 speed auto
 no cdp enable
!
interface Group-Async1
 ip unnumbered Ethernet0
 encapsulation ppp
 async mode interactive
 no peer default ip address
 no fair-queue
 ppp authentication pap Exec-VPDN-ppp
 ppp authorization no_author
 ppp multilink
 group-range 1 48
!
interface Dialer1
 ip unnumbered Loopback0
 encapsulation ppp
 no ip route-cache
 no ip mroute-cache
 dialer in-band
 dialer idle-timeout 2147483
 dialer-group 1
 peer default ip address pool default
 no fair-queue
 no cdp enable
 ppp authentication pap Exec-VPDN-ppp
 ppp authorization no_author
 ppp multilink
!         
interface Dialer13
 ip address 8.8.10.8 255.255.255.0
 encapsulation ppp
 no ip route-cache
 no ip mroute-cache
 dialer remote-name useless_remote13
 dialer pool 2
 dialer idle-timeout 2147483
 dialer string 4085211002
 dialer load-threshold 1 either
 dialer max-call 4096
 dialer-group 2
 pulse-time 0
 no cdp enable
 ppp chap hostname user1@hoki10.com
 ppp chap password 7 09404F0B
 ppp multilink
 ppp timeout multilink link add 3
!
interface Dialer25
 ip address 8.8.11.8 255.255.255.0
 encapsulation ppp
 no ip route-cache
 no ip mroute-cache
 dialer remote-name useless_remote25
 dialer pool 3
 dialer idle-timeout 2147483
 dialer string 4085211003
 dialer load-threshold 1 either
 dialer max-call 4096
 dialer-group 2
 pulse-time 0
 no cdp enable
 ppp chap hostname user1@hoki11.com
 ppp chap password 7 020A0559
 ppp multilink
 ppp timeout multilink link add 3
!
interface Dialer37
 ip address 8.8.12.8 255.255.255.0
 encapsulation ppp
 no ip route-cache
 no ip mroute-cache
 dialer remote-name useless_remote37
 dialer pool 4
 dialer idle-timeout 2147483
 dialer string 4085211004
 dialer load-threshold 1 either
 dialer max-call 4096
 dialer-group 2
 no cdp enable
 ppp chap hostname user1@hoki12.com
 ppp chap password 7 03085A09
 ppp multilink
 ppp timeout multilink link add 3
!
interface Dialer49
 ip address 8.8.13.8 255.255.255.0
 encapsulation ppp
 no ip route-cache
 no ip mroute-cache
 dialer remote-name useless_remote49
 dialer pool 5
 dialer idle-timeout 2147483
 dialer string 4085211101
 dialer load-threshold 1 either
 dialer max-call 4096
 dialer-group 2
 no cdp enable
 ppp chap hostname user1@hoki13.com
 ppp chap password 7 0703204E
 ppp multilink
 ppp timeout multilink link add 3
!
interface Dialer61
 ip address 8.8.14.8 255.255.255.0
 encapsulation ppp
 no ip route-cache
 no ip mroute-cache
 dialer remote-name useless_remote61
 dialer pool 6
 dialer idle-timeout 2147483
 dialer string 4085211102
 dialer load-threshold 1 either
 dialer max-call 4096
 dialer-group 2
 no cdp enable
 ppp chap hostname user1@hoki14.com
 ppp chap password 7 11051807
 ppp multilink
 ppp timeout multilink link add 3
!
interface Dialer73
 ip address 8.8.15.8 255.255.255.0
 encapsulation ppp
 no ip route-cache
 no ip mroute-cache
 dialer remote-name useless_remote73
 dialer pool 7
 dialer idle-timeout 2147483
 dialer string 4085211103
 dialer load-threshold 1 either
 dialer max-call 4096
 dialer-group 2
 no cdp enable
 ppp chap hostname user1@hoki15.com
 ppp chap password 7 00081204
 ppp multilink
 ppp timeout multilink link add 3
!
interface Dialer85
 ip address 8.8.16.8 255.255.255.0
 encapsulation ppp
 no ip route-cache
 no ip mroute-cache
 dialer remote-name useless_remote85
 dialer pool 8
 dialer idle-timeout 2147483
 dialer string 4085211104
 dialer load-threshold 1 either
 dialer max-call 4096
 dialer-group 2
 no cdp enable
 ppp chap hostname user1@hoki16.com
 ppp chap password 7 03085A09
 ppp multilink
 ppp timeout multilink link add 3
!
ip local pool default 50.0.0.1 50.0.0.10
ip default-gateway 1.1.2.254
ip classless
ip route 0.0.0.0 0.0.0.0 1.1.2.254
ip route 171.69.0.0 255.255.0.0 1.1.2.254
ip route 172.21.0.0 255.255.0.0 1.1.2.254
no ip http server
!
dialer-list 1 protocol ip permit
dialer-list 2 protocol ip permit
no cdp run
!
radius-server host 171.69.69.72 auth-port 1645 acct-port 1646
radius-server retransmit 3
radius-server key cisco
!
line con 0
 exec-timeout 0 0
 transport input none
line 1 48
 exec-timeout 0 0
 autoselect during-login
 login authentication Exec-VPDN-login
 modem InOut
 autocommand  ppp
 transport input all
 transport output lat pad mop telnet rlogin udptn v120 lapb-ta nasi
line aux 0
line vty 0 4
 exec-timeout 0 0
 password cisco
 login authentication Exec-VPDN-login
!
scheduler interval 1000
end


Configuration for a Cisco 3640 HGW

st-3640-n3#show running
Building configuration...

Current configuration:
!
version 12.1
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname st-3640-n3
!
no logging buffered
enable password <snip>
!
<snip>
!
ip subnet-zero
ip ftp source-interface FastEthernet3/0
ip ftp username root
ip ftp password lab
ip domain-list nlab.cisco.com
ip domain-list cisco.com
ip domain-list .
ip domain-name cisco.com
ip name-server 172.21.200.3
ip name-server 171.69.2.133
ip name-server 198.92.30.32
!
vpdn enable
no vpdn logging
!
vpdn-group 1
 accept-dialin
  protocol l2tp
  virtual-template 1
 terminate-from hostname nas
 local name hgw
 l2tp tunnel password 7 14191D340D113E2321260C262710151317
!
vpdn-group 2
 accept-dialin
  protocol l2tp
  virtual-template 2
 terminate-from hostname nas1
 local name hgw
 l2tp tunnel password 7 151C0433053F3F2C2D3D0A311604040615
!
vpdn-group 3
 accept-dialin
  protocol l2tp
  virtual-template 3
 terminate-from hostname nas2
 local name hgw
 l2tp tunnel password 7 045504390E3458460C173A0417081E013E
!
isdn switch-type primary-5ess
cns event-service server
!
controller T1 1/0
 framing esf
 linecode b8zs
 pri-group timeslots 1-24
!
controller T1 1/1
 framing esf
 linecode b8zs
 pri-group timeslots 1-24
!
interface Loopback0
 ip address 2.2.2.2 255.255.255.0
!
interface Ethernet0/0
 no ip address
 shutdown
!
interface Ethernet0/1
 no ip address
 shutdown
!
interface Ethernet0/2
 no ip address
 shutdown
!
interface Ethernet0/3
 no ip address
 shutdown
!
interface Serial1/0:23
 no ip address
 ip mroute-cache
 isdn switch-type primary-5ess
 fair-queue 64 256 0
 no cdp enable
!
interface Serial1/1:23
 no ip address
 ip mroute-cache
 isdn switch-type primary-5ess
 fair-queue 64 256 0
 no cdp enable
!         
interface BRI2/0
 ip address 10.1.1.1 255.255.255.0
 dialer string 4085210801
 dialer-group 1
 isdn switch-type basic-5ess
!
interface BRI2/1
 ip address 100.1.1.1 255.255.255.0
 dialer string 4085210801
 dialer-group 1
 isdn switch-type basic-ni
!
interface BRI2/2
 no ip address
 shutdown
 isdn switch-type basic-ni
!
interface BRI2/3
 no ip address
 shutdown
 isdn switch-type basic-ni
!
interface BRI2/4
 no ip address
 shutdown
 isdn switch-type basic-ni
!
interface BRI2/5
 no ip address
 shutdown
 isdn switch-type basic-ni
!
interface BRI2/6
 no ip address
 shutdown
 isdn switch-type basic-ni
!
interface BRI2/7
 no ip address
 shutdown
 isdn switch-type basic-ni
!
interface FastEthernet3/0
 ip address 1.1.2.2 255.255.255.0
 no keepalive
 duplex auto
 speed auto
!
interface Virtual-Template1
 ip unnumbered FastEthernet3/0
 ip mroute-cache
 no keepalive
 peer default ip address pool default
 ppp authorization no_author
 ppp multilink
!
interface Virtual-Template2
 ip unnumbered FastEthernet3/0
 ip mroute-cache
 no keepalive
 peer default ip address pool default
 ppp authorization no_author
 ppp multilink
!
interface Virtual-Template3
 ip unnumbered FastEthernet3/0
 ip mroute-cache
 no keepalive
 peer default ip address pool default
 ppp authorization no_author
 ppp multilink
!
interface Virtual-Template5
 ip unnumbered Ethernet0/0
 ip mroute-cache
 no keepalive
 peer default ip address pool default
 ppp authentication chap
!
interface Group-Async1
 physical-layer async
 no ip address
!
interface Dialer1
 no ip address
 dialer in-band
 dialer idle-timeout 5
 dialer wait-for-carrier-time 5
 dialer hold-queue 5
 dialer-group 1
 no cdp enable
!
interface Dialer2
 no ip address
 encapsulation ppp
 dialer remote-name router
 dialer pool 2
 dialer idle-timeout 5
 dialer wait-for-carrier-time 5
 dialer string 5551212
 dialer hold-queue 5