12-04-2002 07:20 AM - edited 03-10-2019 07:04 AM
Hi All
I have a NAS which will be using dialler profiles along with a virtual template. What I would ideally like is 2 virtual templates on the same router .... one for spoke routers dialling in, for which no per-user dialler is available, and a separate one, perhaps virtual-template 2, for ISDN TA users dialling in. I have seen somewhere that it may be possible through the Cisco Secure ACS to point dial-in users through to a specific virtual template.
Any advice would be greatly appreciated.
12-04-2002 08:24 AM
If you want to use 2 separate methods for dialin clients on virtual templates, you can create 2 separate lists for network authorization like:
aaa authorization network SPOKE if-authenticated radius
aaa authorization network TA radius if-authenticated
interface Virtual-Template1
 ppp authorization SPOKE
interface Virtual-Template2
 ppp authorization TA
If needed, you could do the same for authentication.
There are probably some examples of this if you searched on virtual-template on CCO.
Hope this helps.
12-07-2002 11:17 AM
Hi
Thanks for the reply .... sorry I am quite new to this ... and will check out examples of this on the web.
Just a couple of Q's .... how does the router know whether the call is coming in from a TA or a spoke router, do I need to specify anything on the ACS, and also, silly Q, but what is the if-authenticated for?
Many thanks again for the reply
Regards
12-09-2002 09:35 AM
This is done through using two separate lists for authentication/authorization like in the example I mentioned earlier. If using v.120 you would use this command:
vty-async virtual-template 2
If your question related to how it determines a call type and where to terminate it, this is all part of the ISDN Q931 bearer cap information.
"if-authenticated" verifies you are successfully authenticated before performing authorization.
Thanks
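What the method order in the two lists from this thread means in practice, as an added Python sketch (not from the posters and not Cisco code): it models the documented IOS behaviour that the next method in an authorization list is tried only when the current one gives no response, not when it rejects. The session fields and function names are assumptions made for the illustration.

```python
# Added illustration: simplified model of walking an IOS AAA authorization
# method list. Outcomes are modelled from documented behaviour, not measured.
PASS, FAIL, ERROR = "PASS", "FAIL", "ERROR"

def radius(session):
    # ERROR models a RADIUS server that does not respond (assumed input flag).
    if not session["radius_reachable"]:
        return ERROR
    return PASS if session["radius_permits"] else FAIL

def if_authenticated(session):
    # Grants authorization purely because authentication already succeeded.
    return PASS if session["authenticated"] else FAIL

METHODS = {"radius": radius, "if-authenticated": if_authenticated}

def authorize(method_list, session):
    """Return (result, methods consulted). Only ERROR moves to the next method."""
    consulted = []
    for name in method_list:
        consulted.append(name)
        result = METHODS[name](session)
        if result != ERROR:
            return result, consulted
    return FAIL, consulted  # every method errored: authorization fails

SPOKE = ["if-authenticated", "radius"]  # order of the thread's SPOKE list
TA = ["radius", "if-authenticated"]     # order of the thread's TA list

def demo():
    # Constructed sessions: an authenticated caller whose RADIUS profile
    # denies network service, with the server reachable and unreachable.
    up = {"authenticated": True, "radius_reachable": True, "radius_permits": False}
    down = dict(up, radius_reachable=False)
    return {
        "SPOKE, server up": authorize(SPOKE, up),
        "SPOKE, server down": authorize(SPOKE, down),
        "TA, server up": authorize(TA, up),
        "TA, server down": authorize(TA, down),
    }

if __name__ == "__main__":
    for case, (result, consulted) in demo().items():
        print(f"{case}: {result} via {consulted}")
```

With the SPOKE ordering RADIUS authorization is never consulted for an authenticated caller, and with the TA ordering a caller RADIUS would deny is still authorized whenever the server is unreachable.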
12-10-2002 02:59 AM
Thanks for the reply
I will give this a try
12-16-2002 12:17 PM
Hi
I hope you can help .... I tried your example, spokes were to dial into virtual-template 1 and TA's into virtual-template 2. But what happened is that the TA's always dialled into template 1. I changed the virtual-profile virtual-template 2 command as well but no joy.
Any suggestions would be appreciated as I really could do with spoke routers and TA users coming in on separate templates.
Best regards
12-16-2002 12:30 PM
Are you using V.120?
12-16-2002 01:55 PM
Try this:
aaa authentication ppp AUTHEN if-needed radius
aaa authorization network ISDN radius if-authenticated
vty-async
vty-async ppp authentication chap pap AUTHEN
vty-async virtual-template 2
interface Virtual-Template2
 ppp authentication chap pap callin AUTHEN
 ppp authorization ISDN
12-16-2002 03:36 PM
Hi
No v120, just sync ppp on the TA's, authenticating to the Radius server, and spokes will be using local usernames and passwords on the NAS (shared password).
Thanks for your post
Is your last post still the way to go?
Many thanks for your time
Best regards
12-16-2002 04:12 PM
Just disregard the vty async commands, the list method should work.
Thanks