CiscoSecure ACS for UNIX, 2.3(5) - NAS Configuration Examples [Cisco Secure Access Control Server for Unix]

Configuring Your Cisco NAS for Lock and Key

Configuring the NAS for Remote Node IP and IPX Dial-Up

Configuring Your NAS for ISDN Dial-Up to a Cisco AS5200

Configuring the NAS for Remote Node IP Dial-Up

NAS Configuration Examples

This chapter provides examples you can apply directly to your own CiscoSecure Access Control Server (ACS). Use the information here to help you configure your CiscoSecure ACS and Cisco network access server (NAS) for the following:

•RADIUS

•Lock and Key

•Remote node IP and IPX dial-up

•ISDN dial-up to a Cisco AS5200

•Remote node IP dial-up

Configuring Your Cisco NAS for RADIUS

Because the CiscoSecure ACS supports the RADIUS protocol, you can configure your NAS for RADIUS and achieve the same, or equivalent, security services as with the TACACS+ protocol.

The following example illustrates a typical configuration for an ISP with an existing RADIUS installation. In this sample configuration, the Cisco AS5200 can use the same authentication and accounting servers as other vendors' equipment. The result is uniform authentication, authorization, and accounting services, which in turn provides centralized user management and accounting records necessary for billing.

You can enter the following sample configuration directly into your NAS to immediately enable the CiscoSecure ACS for RADIUS-based security services:

Current configuration:

version 11.1

service udp-small-servers

service tcp-small-servers

hostname isdn-14

aaa new-model

aaa authentication login default none

aaa authentication login console line

aaa authentication login secure radius local

aaa authentication login vty line

aaa authentication ppp default none

aaa authentication ppp secure if-needed radius local

aaa authorization exec radius

aaa authorization network radius

aaa accounting exec start-stop radius

aaa accounting network start-stop radius

username backup password radiusISdown

ip radius source-interface Ethernet0

rlogin trusted-remoteuser-source local

rlogin trusted-localuser-source radius

isdn switch-type primary-5ess

controller T1 0

 framing esf

 clock source line primary

 linecode b8zs

 pri-group timeslots 1-24

controller T1 1

 framing esf

 clock source line secondary

 linecode b8zs

 pri-group timeslots 1-24

interface Loopback0

 ip address 171.68.187.254 255.255.255.0

interface Ethernet0

 ip address 172.16.25.15 255.255.255.224

interface Serial0

 no ip address

 shutdown

interface Serial1

 no ip address

 shutdown

interface Serial0:23

 ip unnumbered Loopback0

 encapsulation ppp

 isdn incoming-voice modem

 peer default ip address pool default

 dialer rotary-group 1

 dialer-group 1

interface Serial1:23

 ip unnumbered Loopback0

 encapsulation ppp

 isdn incoming-voice modem

 peer default ip address pool default

 dialer rotary-group 1

 dialer-group 1

interface Group-Async1

 ip unnumbered Loopback0

 ip tcp header-compression passive

 encapsulation ppp

 async mode interactive

 peer default ip address pool default

 dialer-group 1

 ppp authentication chap pap secure

 group-range 1 48

interface Dialer1

 ip unnumbered Loopback0

 encapsulation ppp

 peer default ip address pool default

 ppp multilink

 ppp authentication chap pap secure

 dialer-group 1

ip local pool default 171.68.187.1 171.68.187.48

ip domain-name cisco.com

ip name-server 171.68.10.70

no ip classless

async-bootp dns-server 171.68.10.70

radius-server host 172.16.72.41

radius-server host 172.16.72.42

radius-server timeout 3

radius-server key MYSECRET

dialer-list 1 protocol ip permit

line con 0

 login authentication console

 password cisco

line 1 48

 session-timeout 15 output

 autoselect during-login

 autoselect ppp

 login authentication secure

 modem InOut

 transport input all

line aux 0

line vty 0 4

 login authentication vty

 password secret

end

Configuring Your Cisco NAS for Lock and Key

The Lock and Key Security feature, starting with Cisco IOS Release 11.1 software, offers an improved security solution: the Key Security feature (see Figure 18-1). Lock and Key security defines dynamic access control lists (ACL) that grant access per user, on a specific source/destination host basis through a user authentication process.

In essence, you can dynamically allow user access through a firewall without compromising security.

Figure 18-1 Lock and Key with CiscoSecure ACS

In a typical environment, Lock and Key security puts in place a fixed access control list (ACL) that filters all traffic except for Telnet traffic until a remote user has been authenticated with the security mechanism.

When a user logs in and successfully authenticates with the CiscoSecure ACS, the ACS issues the access-enable command to the NAS, which confirms that the user is on an ACL and activates a configuration template that alters the ACL for the incoming interface to enable the privileges allowed to the authenticated user.

After authentication, a specific ACL is put in place, for the Telnet port only, that allows the authenticating of user/network access beyond the firewall.

Caution

Lock and Key security allows an external event to place an opening in the firewall. After this opening is placed, the router is susceptible to source address spoofing. To prevent this, you need to provide encryption support using IP authentication or encryption.

You can enter the following sample configuration to immediately enable Lock and Key with the CiscoSecure ACS. This configuration enables Lock and Key functionality on a Cisco 2511. Depending on your NAS and network topology, you might have to modify the configuration slightly to meet your exact needs.

NAS "delta" configuration

=========================

! simple tacacs+ configuration. You need EXEC authorization to execute

! the autocommand configured for the user

aaa new-model

aaa authentication login default tacacs+

aaa authorization exec tacacs+

tacacs-server host 10.10.1.200

tacacs-server key secret

! Now configure the access-list. The fixed access list should deny

! traffic except for telnet to the router itself and deny everything

! else. The dynamic part of the access-list determines what access

! the user will have after they have authenticated themselves. In

! this case, the user will have full IP access after authentication.

access-list 101 permit tcp any host 10.10.1.254 eq telnet

access-list 101 dynamic temp permit ip any any

! Now apply the access-list inbound to the dial-up interfaces

int s0:23

 ip access-group 101 in

CiscoSecure database

================

# match keys with the NAS

key = "secret"

# definition of the lock&key user

user = unlockme {

	# his LOGIN password

        password = clear "key"

	# define user's EXEC authorization profile

	service = exec {

		# this will unlock the access-list for

		# the user for 15 minutes

                set autocmd = "access-enable 15"

Full NAS configuration

======================

DEMO1#wr t

Building configuration...

Current configuration:

version 11.1

service udp-small-servers

service tcp-small-servers

hostname Router

aaa new-model

aaa authentication login default tacacs+

aaa authorization exec tacacs+

interface Ethernet0

 ip address 10.10.1.254 255.255.255.0

interface Serial0:23

 ip address 10.10.2.254 255.255.255.0

 ip access-group 101 in

 encapsulation ppp

 dialer map ip 10.10.2.1 name cisco-1004 broadcast

 dialer-group 1

 ppp authentication chap

access-list 101 permit tcp any host 10.10.2.254 eq telnet

access-list 101 dynamic temp permit ip any any

tacacs-server host 10.10.1.200

tacacs-server key secret

line con 0

line aux 0

line vty 0 4

end

Configuring the NAS for Remote Node IP and IPX Dial-Up

In this next example (see Figure 18-2), a remote node dials in to a NAS, authenticates by means of the CiscoSecure ACS, and is authorized on a protected IPX network.

Figure 18-2 Address Scheme for Routers Dialing in to the Cisco AS5200

You can enter the following sample configuration directly into your NAS to immediately enable the CiscoSecure ACS for remote node IP and IPX dial-up. Depending on your NAS and network topology, you might have to adapt this sample configuration slightly to meet your system's needs.

Remote Node IP and IPX Dial-Up Configuration:

version 11.1

service udp-small-servers

service tcp-small-servers

hostname AS5200

aaa new-model

aaa authentication login default tacacs+ enable

aaa authentication ppp default if-needed tacacs+

aaa authorization exec

aaa authorization network

aaa accounting exec start-stop tacacs+

aaa accounting network start-stop tacacs+

isdn switch-type primary-5ess

ipx routing

controller T1 0

 framing esf

 clock source line primary

 linecode b8zs

 pri-group timeslots 1-24

controller T1 1

 framing esf

 clock source line secondary

 linecode b8zs

 pri-group timeslots 1-24

interface Loopback0

 ip address 10.10.2.254 255.255.255.0

 ipx network AAAA

 ipx sap-interval 0

interface Ethernet0

 ip address 10.10.1.254 255.255.255.0

 ipx network BBBB

interface Serial0

 no ip address

 shutdown

interface Serial1

 no ip address

 shutdown

interface Serial0:23

 ip unnumbered Loopback0

 encapsulation ppp

 isdn incoming-voice modem

 ipx ppp-client Loopback0

 peer default ip address pool default

 dialer rotary-group 1

 dialer-group 1

interface Serial1:23

 ip unnumbered Loopback0

 encapsulation ppp

 isdn incoming-voice modem

 ipx ppp-client Loopback0

 peer default ip address pool default

 dialer rotary-group 1

 dialer-group 1

interface Group-Async1

 ip unnumbered Loopback0

 ip tcp header-compression passive

 encapsulation ppp

 async mode interactive

 ipx ppp-client Loopback0

 peer default ip address pool default

 dialer-group 1

 no cdp enable

 ppp authentication chap pap

 group-range 1 48

interface Dialer1

 ip unnumbered Loopback0

 encapsulation ppp

 ipx ppp-client Loopback0

 peer default ip address pool default

 dialer-group 1

 ppp multilink

 ppp authentication chap pap

tacacs-server host 10.10.1.200

tacacs-server key secret

ip local pool default 10.10.2.1 10.10.2.48

ipx router rip

 no network AAAA

dialer-list 1 protocol ip permit

dialer-list 1 protocol ipx permit

line con 0

line 1 48

 autoselect during-login

 autoselect ppp

 login local

 modem InOut

 modem autoconfigure type microcom_hdms

 transport input all

 stopbits 1

 rxspeed 115200

 txspeed 115200

 flowcontrol hardware

line aux 0

line vty 0 4

end

Configuring Your NAS for ISDN Dial-Up to a Cisco AS5200

You can enter the following sample configuration directly into your NAS to immediately enable CiscoSecure ACS for ISDN dial-up to a Cisco AS5200. (See Figure 18-3.)

Figure 18-3

ISDN Dial-Up to a Cisco AS5200

Depending on your NAS and network topology, you might have to adapt this sample configuration slightly to meet your system's needs.

Current configuration:

version 11.1

service udp-small-servers

service tcp-small-servers

hostname AS5200

aaa new-model

aaa authentication login default tacacs+ enable

aaa authentication ppp default if-needed tacacs+

aaa authorization exec

aaa authorization network

aaa accounting exec start-stop tacacs+

aaa accounting network start-stop tacacs+

isdn switch-type primary-5ess

ipx routing

controller T1 0

 framing esf

 clock source line primary

 linecode b8zs

 pri-group timeslots 1-24

controller T1 1

 framing esf

 clock source line secondary

 linecode b8zs

 pri-group timeslots 1-24

interface Loopback0

 ip address 10.10.2.254 255.255.255.0

 ipx network AAAA

 ipx sap-interval 0

interface Ethernet0

 ip address 10.10.1.254 255.255.255.0

 ipx network BBBB

interface Serial0

 no ip address

 shutdown

interface Serial1

 no ip address

 shutdown

interface Serial0:23

 ip unnumbered Loopback0

 encapsulation ppp

 isdn incoming-voice modem

 ipx ppp-client Loopback0

 peer default ip address pool default

 dialer rotary-group 1

 dialer-group 1

interface Serial1:23

 ip unnumbered Loopback0

 encapsulation ppp

 isdn incoming-voice modem

 ipx ppp-client Loopback0

 peer default ip address pool default

 dialer rotary-group 1

 dialer-group 1

interface Group-Async1

 ip unnumbered Loopback0

 ip tcp header-compression passive

 encapsulation ppp

 async mode interactive

 ipx ppp-client Loopback0

 peer default ip address pool default

 dialer-group 1

 no cdp enable

 ppp authentication chap pap

 group-range 1 48

interface Dialer1

 ip unnumbered Loopback0

 encapsulation ppp

 ipx ppp-client Loopback0

 peer default ip address pool default

 dialer-group 1

 ppp multilink

 ppp authentication chap pap

tacacs-server host 10.10.1.200

tacacs-server key secret

ip local pool default 10.10.2.1 10.10.2.48

ipx router rip

 no network AAAA

dialer-list 1 protocol ip permit

dialer-list 1 protocol ipx permit

line con 0

line 1 48

 autoselect during-login

 autoselect ppp

 login local

 modem InOut

 modem autoconfigure type microcom_hdms

 transport input all

 stopbits 1

 rxspeed 115200

 txspeed 115200

 flowcontrol hardware

line aux 0

line vty 0 4

end

Configuring the NAS for Remote Node IP Dial-Up

You can enter the following sample configuration directly into your NAS to immediately enable the CiscoSecure ACS for remote node IP dial-up. (See Figure 18-4.)

Figure 18-4 Remote Node IP Dial-Up

Depending on your NAS and network topology, you might have to adapt this sample configuration slightly to meet your system's needs.

Current configuration:

version 11.1

service udp-small-servers

service tcp-small-servers

hostname AS5200

aaa new-model

aaa authentication login default tacacs+ enable

aaa authentication ppp default if-needed tacacs+

aaa authorization exec

aaa authorization network

aaa accounting exec start-stop tacacs+

aaa accounting network start-stop tacacs+

isdn switch-type primary-5ess

controller T1 0

 framing esf

 clock source line primary

 linecode b8zs

 pri-group timeslots 1-24

controller T1 1

 framing esf

 clock source line secondary

 linecode b8zs

 pri-group timeslots 1-24

interface Ethernet0

 ip address 10.10.1.254 255.255.255.0

interface Serial0

 no ip address

 shutdown

interface Serial1

 no ip address

 shutdown

interface Serial0:23

 ip unnumbered Ethernet0

 encapsulation ppp

 isdn incoming-voice modem

 peer default ip address pool default

 dialer rotary-group 1

 dialer-group 1

interface Serial1:23

 ip unnumbered Ethernet0

 encapsulation ppp

 isdn incoming-voice modem

 peer default ip address pool default

 dialer rotary-group 1

 dialer-group 1

interface Group-Async1

 ip unnumbered Ethernet0

 ip tcp header-compression passive

 encapsulation ppp

 async mode interactive

 peer default ip address pool default

 dialer-group 1

 no cdp enable

 ppp authentication chap pap

 group-range 1 48

interface Dialer1

 ip unnumbered Ethernet0

 encapsulation ppp

 peer default ip address pool default

 dialer-group 1

 ppp multilink

 ppp authentication chap pap

tacacs-server host 10.10.1.200

tacacs-server key secret

ip local pool default 10.10.1.1 10.10.1.48

dialer-list 1 protocol ip permit

line con 0

 exec-timeout 0 0

line 1 48

 autoselect during-login

 autoselect ppp

 login local

 modem InOut

 modem autoconfigure type microcom_hdms

 transport input all

 stopbits 1

 rxspeed 115200

 txspeed 115200

 flowcontrol hardware

line aux 0

line vty 0 4

end

	CiscoSecure ACS for UNIX, 2.3(5)
	NAS Configuration Examples
CiscoSecure ACS for UNIX, 2.3(5) Requires Immediate Attention, 2.3(5) Release Notes for CiscoSecure ACS 2.3(5) for UNIX CiscoSecure ACS 2.3 for UNIX Installation Guide About This Guide Introduction to the CiscoSecure ACS Software CiscoSecure ACS Components Overview Configuring Initial Test Group and User Profiles Simple User and ACS Management Advanced Group and User Management ACS and NAS Management Limiting and Tracking Sessions Per User, Group, or VPDN Strategies for Applying Attributes CiscoSecure ACS Accounting Configuring the NAS for TACACS+ Configuring the NAS for RADIUS Token Server Support Troubleshooting Information Converting an Existing AA Database for CiscoSecure ACS 2.3 Tuning CiscoSecure ACS Performance and Configuration Using the Command-Line Administrator Interface NAS Configuration Examples RADIUS Attribute-Value Pairs and Dictionary Management CiscoSecure ACS Database Structure Setting Up Database Replication among CiscoSecure ACSes Enhancing Management Security CiscoSecure ACS File Formats and Syntax Configuring CiscoSecure UNIX Server Software References and Recommended Reading CiscoSecure Profile and NAS Configuration Examples	Download this chapter NAS Configuration Examples Table Of Contents NAS Configuration Examples Configuring Your Cisco NAS for RADIUS Configuring Your Cisco NAS for Lock and Key Configuring the NAS for Remote Node IP and IPX Dial-Up Configuring Your NAS for ISDN Dial-Up to a Cisco AS5200 Configuring the NAS for Remote Node IP Dial-Up NAS Configuration Examples This chapter provides examples you can apply directly to your own CiscoSecure Access Control Server (ACS). Use the information here to help you configure your CiscoSecure ACS and Cisco network access server (NAS) for the following: •RADIUS •Lock and Key •Remote node IP and IPX dial-up •ISDN dial-up to a Cisco AS5200 •Remote node IP dial-up Configuring Your Cisco NAS for RADIUS Because the CiscoSecure ACS supports the RADIUS protocol, you can configure your NAS for RADIUS and achieve the same, or equivalent, security services as with the TACACS+ protocol. The following example illustrates a typical configuration for an ISP with an existing RADIUS installation. In this sample configuration, the Cisco AS5200 can use the same authentication and accounting servers as other vendors' equipment. The result is uniform authentication, authorization, and accounting services, which in turn provides centralized user management and accounting records necessary for billing. You can enter the following sample configuration directly into your NAS to immediately enable the CiscoSecure ACS for RADIUS-based security services: Current configuration: ! version 11.1 service udp-small-servers service tcp-small-servers ! hostname isdn-14 ! aaa new-model aaa authentication login default none aaa authentication login console line aaa authentication login secure radius local aaa authentication login vty line aaa authentication ppp default none aaa authentication ppp secure if-needed radius local aaa authorization exec radius aaa authorization network radius aaa accounting exec start-stop radius aaa accounting network start-stop radius ! username backup password radiusISdown ip radius source-interface Ethernet0 rlogin trusted-remoteuser-source local rlogin trusted-localuser-source radius isdn switch-type primary-5ess ! controller T1 0 framing esf clock source line primary linecode b8zs pri-group timeslots 1-24 ! controller T1 1 framing esf clock source line secondary linecode b8zs pri-group timeslots 1-24 ! interface Loopback0 ip address 171.68.187.254 255.255.255.0 ! interface Ethernet0 ip address 172.16.25.15 255.255.255.224 ! interface Serial0 no ip address shutdown ! interface Serial1 no ip address shutdown ! interface Serial0:23 ip unnumbered Loopback0 encapsulation ppp isdn incoming-voice modem peer default ip address pool default dialer rotary-group 1 dialer-group 1 ! interface Serial1:23 ip unnumbered Loopback0 encapsulation ppp isdn incoming-voice modem peer default ip address pool default dialer rotary-group 1 dialer-group 1 ! interface Group-Async1 ip unnumbered Loopback0 ip tcp header-compression passive encapsulation ppp async mode interactive peer default ip address pool default dialer-group 1 ppp authentication chap pap secure group-range 1 48 ! interface Dialer1 ip unnumbered Loopback0 encapsulation ppp peer default ip address pool default ppp multilink ppp authentication chap pap secure dialer-group 1 ! ip local pool default 171.68.187.1 171.68.187.48 ip domain-name cisco.com ip name-server 171.68.10.70 no ip classless async-bootp dns-server 171.68.10.70 ! radius-server host 172.16.72.41 radius-server host 172.16.72.42 radius-server timeout 3 radius-server key MYSECRET ! dialer-list 1 protocol ip permit ! line con 0 login authentication console password cisco line 1 48 session-timeout 15 output autoselect during-login autoselect ppp login authentication secure modem InOut transport input all line aux 0 line vty 0 4 login authentication vty password secret ! end Configuring Your Cisco NAS for Lock and Key The Lock and Key Security feature, starting with Cisco IOS Release 11.1 software, offers an improved security solution: the Key Security feature (see Figure 18-1). Lock and Key security defines dynamic access control lists (ACL) that grant access per user, on a specific source/destination host basis through a user authentication process. In essence, you can dynamically allow user access through a firewall without compromising security. Figure 18-1 Lock and Key with CiscoSecure ACS In a typical environment, Lock and Key security puts in place a fixed access control list (ACL) that filters all traffic except for Telnet traffic until a remote user has been authenticated with the security mechanism. When a user logs in and successfully authenticates with the CiscoSecure ACS, the ACS issues the access-enable command to the NAS, which confirms that the user is on an ACL and activates a configuration template that alters the ACL for the incoming interface to enable the privileges allowed to the authenticated user. After authentication, a specific ACL is put in place, for the Telnet port only, that allows the authenticating of user/network access beyond the firewall. Caution Lock and Key security allows an external event to place an opening in the firewall. After this opening is placed, the router is susceptible to source address spoofing. To prevent this, you need to provide encryption support using IP authentication or encryption. You can enter the following sample configuration to immediately enable Lock and Key with the CiscoSecure ACS. This configuration enables Lock and Key functionality on a Cisco 2511. Depending on your NAS and network topology, you might have to modify the configuration slightly to meet your exact needs. NAS "delta" configuration ========================= ! simple tacacs+ configuration. You need EXEC authorization to execute ! the autocommand configured for the user ! aaa new-model aaa authentication login default tacacs+ aaa authorization exec tacacs+ ! tacacs-server host 10.10.1.200 tacacs-server key secret ! ! Now configure the access-list. The fixed access list should deny ! traffic except for telnet to the router itself and deny everything ! else. The dynamic part of the access-list determines what access ! the user will have after they have authenticated themselves. In ! this case, the user will have full IP access after authentication. ! access-list 101 permit tcp any host 10.10.1.254 eq telnet access-list 101 dynamic temp permit ip any any ! ! Now apply the access-list inbound to the dial-up interfaces ! int s0:23 ip access-group 101 in CiscoSecure database ================ # match keys with the NAS key = "secret" # definition of the lock&key user user = unlockme { # his LOGIN password password = clear "key" # define user's EXEC authorization profile service = exec { # this will unlock the access-list for # the user for 15 minutes set autocmd = "access-enable 15" } } Full NAS configuration ====================== DEMO1#wr t Building configuration... Current configuration: ! version 11.1 service udp-small-servers service tcp-small-servers ! hostname Router ! aaa new-model aaa authentication login default tacacs+ aaa authorization exec tacacs+ ! interface Ethernet0 ip address 10.10.1.254 255.255.255.0 ! interface Serial0:23 ip address 10.10.2.254 255.255.255.0 ip access-group 101 in encapsulation ppp dialer map ip 10.10.2.1 name cisco-1004 broadcast dialer-group 1 ppp authentication chap ! access-list 101 permit tcp any host 10.10.2.254 eq telnet access-list 101 dynamic temp permit ip any any tacacs-server host 10.10.1.200 tacacs-server key secret ! line con 0 line aux 0 line vty 0 4 ! end Configuring the NAS for Remote Node IP and IPX Dial-Up In this next example (see Figure 18-2), a remote node dials in to a NAS, authenticates by means of the CiscoSecure ACS, and is authorized on a protected IPX network. Figure 18-2 Address Scheme for Routers Dialing in to the Cisco AS5200 You can enter the following sample configuration directly into your NAS to immediately enable the CiscoSecure ACS for remote node IP and IPX dial-up. Depending on your NAS and network topology, you might have to adapt this sample configuration slightly to meet your system's needs. Remote Node IP and IPX Dial-Up Configuration: ! version 11.1 service udp-small-servers service tcp-small-servers ! hostname AS5200 ! aaa new-model aaa authentication login default tacacs+ enable aaa authentication ppp default if-needed tacacs+ aaa authorization exec aaa authorization network aaa accounting exec start-stop tacacs+ aaa accounting network start-stop tacacs+ ! isdn switch-type primary-5ess ! ipx routing ! controller T1 0 framing esf clock source line primary linecode b8zs pri-group timeslots 1-24 ! controller T1 1 framing esf clock source line secondary linecode b8zs pri-group timeslots 1-24 ! interface Loopback0 ip address 10.10.2.254 255.255.255.0 ipx network AAAA ipx sap-interval 0 ! interface Ethernet0 ip address 10.10.1.254 255.255.255.0 ipx network BBBB ! interface Serial0 no ip address shutdown ! interface Serial1 no ip address shutdown ! interface Serial0:23 ip unnumbered Loopback0 encapsulation ppp isdn incoming-voice modem ipx ppp-client Loopback0 peer default ip address pool default dialer rotary-group 1 dialer-group 1 ! interface Serial1:23 ip unnumbered Loopback0 encapsulation ppp isdn incoming-voice modem ipx ppp-client Loopback0 peer default ip address pool default dialer rotary-group 1 dialer-group 1 ! interface Group-Async1 ip unnumbered Loopback0 ip tcp header-compression passive encapsulation ppp async mode interactive ipx ppp-client Loopback0 peer default ip address pool default dialer-group 1 no cdp enable ppp authentication chap pap group-range 1 48 ! interface Dialer1 ip unnumbered Loopback0 encapsulation ppp ipx ppp-client Loopback0 peer default ip address pool default dialer-group 1 ppp multilink ppp authentication chap pap ! tacacs-server host 10.10.1.200 tacacs-server key secret ip local pool default 10.10.2.1 10.10.2.48 ! ipx router rip no network AAAA ! dialer-list 1 protocol ip permit dialer-list 1 protocol ipx permit ! line con 0 line 1 48 autoselect during-login autoselect ppp login local modem InOut modem autoconfigure type microcom_hdms transport input all stopbits 1 rxspeed 115200 txspeed 115200 flowcontrol hardware line aux 0 line vty 0 4 ! end Configuring Your NAS for ISDN Dial-Up to a Cisco AS5200 You can enter the following sample configuration directly into your NAS to immediately enable CiscoSecure ACS for ISDN dial-up to a Cisco AS5200. (See Figure 18-3.) Figure 18-3 ISDN Dial-Up to a Cisco AS5200 Depending on your NAS and network topology, you might have to adapt this sample configuration slightly to meet your system's needs. Current configuration: ! version 11.1 service udp-small-servers service tcp-small-servers ! hostname AS5200 ! aaa new-model aaa authentication login default tacacs+ enable aaa authentication ppp default if-needed tacacs+ aaa authorization exec aaa authorization network aaa accounting exec start-stop tacacs+ aaa accounting network start-stop tacacs+ ! isdn switch-type primary-5ess ! ipx routing ! controller T1 0 framing esf clock source line primary linecode b8zs pri-group timeslots 1-24 ! controller T1 1 framing esf clock source line secondary linecode b8zs pri-group timeslots 1-24 ! interface Loopback0 ip address 10.10.2.254 255.255.255.0 ipx network AAAA ipx sap-interval 0 ! interface Ethernet0 ip address 10.10.1.254 255.255.255.0 ipx network BBBB ! interface Serial0 no ip address shutdown ! interface Serial1 no ip address shutdown ! interface Serial0:23 ip unnumbered Loopback0 encapsulation ppp isdn incoming-voice modem ipx ppp-client Loopback0 peer default ip address pool default dialer rotary-group 1 dialer-group 1 ! interface Serial1:23 ip unnumbered Loopback0 encapsulation ppp isdn incoming-voice modem ipx ppp-client Loopback0 peer default ip address pool default dialer rotary-group 1 dialer-group 1 ! interface Group-Async1 ip unnumbered Loopback0 ip tcp header-compression passive encapsulation ppp async mode interactive ipx ppp-client Loopback0 peer default ip address pool default dialer-group 1 no cdp enable ppp authentication chap pap group-range 1 48 ! interface Dialer1 ip unnumbered Loopback0 encapsulation ppp ipx ppp-client Loopback0 peer default ip address pool default dialer-group 1 ppp multilink ppp authentication chap pap ! tacacs-server host 10.10.1.200 tacacs-server key secret ip local pool default 10.10.2.1 10.10.2.48 ! ipx router rip no network AAAA ! dialer-list 1 protocol ip permit dialer-list 1 protocol ipx permit ! line con 0 line 1 48 autoselect during-login autoselect ppp login local modem InOut modem autoconfigure type microcom_hdms transport input all stopbits 1 rxspeed 115200 txspeed 115200 flowcontrol hardware line aux 0 line vty 0 4 ! end Configuring the NAS for Remote Node IP Dial-Up You can enter the following sample configuration directly into your NAS to immediately enable the CiscoSecure ACS for remote node IP dial-up. (See Figure 18-4.) Figure 18-4 Remote Node IP Dial-Up Depending on your NAS and network topology, you might have to adapt this sample configuration slightly to meet your system's needs. Current configuration: ! version 11.1 service udp-small-servers service tcp-small-servers ! hostname AS5200 ! aaa new-model aaa authentication login default tacacs+ enable aaa authentication ppp default if-needed tacacs+ aaa authorization exec aaa authorization network aaa accounting exec start-stop tacacs+ aaa accounting network start-stop tacacs+ ! isdn switch-type primary-5ess ! controller T1 0 framing esf clock source line primary linecode b8zs pri-group timeslots 1-24 ! controller T1 1 framing esf clock source line secondary linecode b8zs pri-group timeslots 1-24 ! interface Ethernet0 ip address 10.10.1.254 255.255.255.0 ! interface Serial0 no ip address shutdown ! interface Serial1 no ip address shutdown ! interface Serial0:23 ip unnumbered Ethernet0 encapsulation ppp isdn incoming-voice modem peer default ip address pool default dialer rotary-group 1 dialer-group 1 ! interface Serial1:23 ip unnumbered Ethernet0 encapsulation ppp isdn incoming-voice modem peer default ip address pool default dialer rotary-group 1 dialer-group 1 ! interface Group-Async1 ip unnumbered Ethernet0 ip tcp header-compression passive encapsulation ppp async mode interactive peer default ip address pool default dialer-group 1 no cdp enable ppp authentication chap pap group-range 1 48 ! interface Dialer1 ip unnumbered Ethernet0 encapsulation ppp peer default ip address pool default dialer-group 1 ppp multilink ppp authentication chap pap ! tacacs-server host 10.10.1.200 tacacs-server key secret ip local pool default 10.10.1.1 10.10.1.48 ! dialer-list 1 protocol ip permit ! line con 0 exec-timeout 0 0 line 1 48 autoselect during-login autoselect ppp login local modem InOut modem autoconfigure type microcom_hdms transport input all stopbits 1 rxspeed 115200 txspeed 115200 flowcontrol hardware line aux 0 line vty 0 4 ! end
	© 1992-2008 Cisco Systems, Inc. All rights reserved. Terms & Conditions \| Privacy Statement \| Cookie Policy \| Trademarks of Cisco Systems, Inc.

Table Of Contents

NAS Configuration Examples

Configuring Your Cisco NAS for RADIUS

Configuring Your Cisco NAS for Lock and Key

Configuring the NAS for Remote Node IP and IPX Dial-Up

Configuring Your NAS for ISDN Dial-Up to a Cisco AS5200

Configuring the NAS for Remote Node IP Dial-Up