12-04-2002 07:20 AM - edited 03-10-2019 07:04 AM
Hi All
I have a NAS which will be using dialler profiles along with a virtual template. What I would ideally like is 2 virtual templates on the same router .... one for spoke routers dialling in for which no per user dialler is available and a separate one, perhaps virtual-template 2, for ISDN TA users dialling in. I have seen somewhere that it may be possible through the Cisco Secure ACS to point dial-in users through to a specific virtual template.
Any advice would be greatly appreciated.
12-04-2002 08:24 AM
If you want to use 2 separate methods for dialin clients on virtual templates, you can create 2 separate lists for network authorization like:
aaa authorization network SPOKE if-authenticated radius
aaa authorization network TA radius if-authenticated
interface Virtual-Template1
 ppp authorization SPOKE
interface Virtual-Template2
 ppp authorization TA
If needed, you could do the same for authentication.
There are probably some examples of this if you searched on virtual-template on CCO.
Hope this helps.
12-07-2002 11:17 AM
Hi
Thanks for reply .... sorry I am quite new to this ... and will check out examples of this on the web.
Just a couple of Q's .... how does the router know whether the call is coming in from a TA or a spoke router, do I need to specify anything on the ACS and also, silly Q but what is the if-authenticated for?
Many thanks again for reply
Regards
12-09-2002 09:35 AM
This is done through using two separate lists for authentication/authorization like in the example I mentioned earlier. If using v.120 you would use this command:
vty-async virtual-template 2
If your question related to how it determines a call type and where to terminate it, this is all part of the ISDN Q931 bearer cap information.
"if-authenticated" verifies you are successfully authenticated before performing authorization.
Thanks
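An added illustration (not part of any post in this thread, and not Cisco code) of how the two method lists from the first reply are evaluated: IOS tries the next method only when the current one gives no answer, so with the TA list an unreachable RADIUS server leaves if-authenticated to decide. The Python model, its function names and the sample users are constructed for this example.

```python
# Simplified model of IOS AAA method-list evaluation (added example).
# Assumption: a method returns PASS or FAIL when it gives an answer, and ERROR
# when it gives none (e.g. RADIUS server unreachable). Only ERROR moves on to
# the next method in the list.
PASS, FAIL, ERROR = "PASS", "FAIL", "ERROR"

def radius(user, server):
    """Constructed stand-in for a RADIUS authorization request."""
    if server is None:              # no response from the server
        return ERROR
    return PASS if user["name"] in server else FAIL

def if_authenticated(user, server):
    """Permit whenever the user has already passed authentication."""
    return PASS if user["authenticated"] else FAIL

METHODS = {"radius": radius, "if-authenticated": if_authenticated}

# The two lists from the post above, methods in the order they were written.
LISTS = {
    "SPOKE": ["if-authenticated", "radius"],
    "TA": ["radius", "if-authenticated"],
}

def authorize(list_name, user, server):
    """Return (result, method that decided) for a named method list."""
    for method in LISTS[list_name]:
        result = METHODS[method](user, server)
        if result != ERROR:         # a definite answer stops the walk
            return result, method
    return FAIL, None               # every method errored out

if __name__ == "__main__":
    server = {"ta-user"}            # constructed: users RADIUS will authorize
    spoke = {"name": "spoke1", "authenticated": True}
    ta = {"name": "ta-user", "authenticated": True}
    other = {"name": "unknown", "authenticated": True}
    for lst, user, srv in [("SPOKE", spoke, server), ("TA", ta, server),
                           ("TA", other, server), ("TA", other, None)]:
        print(lst, user["name"], "server up" if srv else "server down",
              authorize(lst, user, srv))
```

In this model the SPOKE list never reaches radius, and the TA list authorizes a user RADIUS would reject whenever the server does not respond.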
12-10-2002 02:59 AM
Thanks for reply
I will give this a try
12-16-2002 12:17 PM
Hi
I hope you can help .... I tried your example, spokes were to dial into virtual-template 1 and TA's into virtual-template 2. But what happened is that the TA's always dialled into template 1. I changed the virtual-profile virtual-template 2 command as well but no joy.
Any suggestions would be appreciated as I really could do with spoke routers and TA users coming in on separate templates.
Best regards
12-16-2002 12:30 PM
Are you using V.120?
12-16-2002 01:55 PM
Try this:
aaa authentication ppp AUTHEN if-needed radius
aaa authorization network ISDN radius if-authenticated
vty-async
vty-async ppp authentication chap pap AUTHEN
vty-async virtual-template 2
interface Virtual-Template2
 ppp authentication chap pap callin AUTHEN
 ppp authorization ISDN
12-16-2002 03:36 PM
Hi
No v120 just sync ppp on the TA's, authenticating to the Radius server, and spokes will be using a local usernames and passwords on the NAS (shared password).
Thanks for your post
Is your last post still the way to go?
Many thanks for your time
Best regards
12-16-2002 04:12 PM
Just disregard the vty async commands, the list method should work.
Thanks