2 virtual templates on the same router

karl.jones · ‎12-04-2002

Hi All

I have a NAS which will be using dialler profiles along with a virtual template. What I would ideally like is 2 virtual templates on the same router .... one for spoke routers dialling in for which no per user dialler is available and a seperate one for , perhaps virtual-template 2 for ISDN TA users dialling in. I have seen somewhere that it may be possibe through the cisco secure acs point diallin users through to a specific virtual template.

Any advice would be greatly appreciated.

4brown · ‎12-04-2002

If you want to use 2 separate methods for dialin clients on virtual templates, you can create 2 separate lists for network authorization like:

aaa authorization network SPOKE if-authenticated radius

aaa authorization network TA radius if-authenticated

interface Virtual-Template1

ppp authorization SPOKE

interface Virtual-Template2

ppp authorization TA

If needed, you could do the same for authentication.

There are probably some examples of this if you searched on virtual-template on CCO.

Hope this helps.

karl.jones · ‎12-07-2002

Hi

Thanks for reply .... sorry I am quite new to this ... and will check out examples of this on the web.

Just a couple of Q's .... how does the router know whether the call is coming in from a TA or a spoke router, do I need to specify anything on the ACS and also, silly Q but what is the if-authenticated for?

Many thanks for again for reply

Regards

4brown · ‎12-09-2002

This is done through using two separate lists for authentication/authorization like in the example I mentioned earlier. If using v.120 you would use this command:

vty-async virtual-template 2

If your question related to how it determines a call type and where to terminate it, this is all part of the ISDN Q931 bearer cap information.

"if-authenticated" verifies you are succefully authenticated before performing authorization.

Thanks

karl.jones · ‎12-10-2002

Thanks for reply

I will give this a try

karl.jones · ‎12-16-2002

Hi

I hope you can help .... I tried your example, spoke were to dial into virtual-template 1 and TA's into virtual-template 2. But what happened is that the TA's alway dialled into template 1. I changed the virtual-profile virtual-template 2 command aswell but no joy.

Any suggestions would be appreciated as I really could do with spoke routers and TA users coming in on seperate templates.

Best regards

4brown · ‎12-16-2002

Are you using V.120?

4brown · ‎12-16-2002

Try this:

aaa authentication ppp AUTHEN if-needed radius

aaa authorization network ISDN radius if-authenticated

vty-async

vty-async ppp authentication chap pap AUTHEN

vty-async virtual-template 2

interface Virtual-Template2

ppp authentication chap pap callin AUTHEN

ppp authorization ISDN

karl.jones · ‎12-16-2002

Hi

No v120 just sync ppp on the TA's, authenticating to the Radius server, and spokes will be using a local usernames and passwords on the NAS (shared password).

Thanks for your post

Is your last post still the way to go

Many thanks for your time

Best regards

4brown · ‎12-16-2002

Just disregard the vty async commands, the list method should work.

Thanks