
Authenticate prior to executing autocommand

daniel.kline

With some experimentation and assistance from this forum I have been able to get init strings, modem pooling, and autocommand working properly. Now I would like to have certain dialin numbers accept a userID and password from the dialing device prior to executing the autocommand telnet command.

The dialing device will be an unattended PC that will connect and send a username and password. Once authenticated on the access server the device will be (auto) telnetted to a local host and the two will begin exchanging data.

The unattended data exchange works properly, now I need to add authentication. Any suggestions (examples, URLs, etc.) would be greatly appreciated.

Regards,

Dan


hbaerten

Hi again Dan,

can we have a look at your current config?

Are you saying that other dialin users do not have to authenticate?

regards,

Herbert

Hello again, Herbert. Yes, I have several dial-in phone numbers, with a modem pool set up for each of the numbers. Users dialing in on some of the numbers are (autocommand) telnetted to a specific host on a specific TCP port without authentication. Users dialing in on other numbers will have to authenticate prior to being (autocommand) telnetted to their host.

I have entered usernames and passwords into the access server config for the users who will be required to authenticate. I have included a sample of each type of modem pool configuration at the bottom of this message.

I'm thinking that if I add the global command "aaa new-model" and the line config command "autoselect during-login" only on the lines I want to have authenticated it will cause users dialing in to those lines to have to authenticate before the autocommand will execute. However, I don't want everyone to have to authenticate.

The documentation on CCO that I've read at (http://www.cisco.com/warp/public/793/access_dial/modem_pooling.html) doesn't seem to support my assumption. Lines 3-5 in this example have only the modem InOut and autocommand statements. But the Introduction to this example states that the users connecting to this pool (3-5) will be autocommand telnetted to a specific host after they authenticate.

Is this documentation incomplete? Or am I missing something?

    line 1 3
     no motd-banner
     no exec-banner
     no flush-at-activation
     autoselect during-login
     no vacant-message
     modem Dialin
     modem autoconfigure type 1200bps
     autocommand telnet HostA /quiet /noecho
     transport preferred none
     transport input all
     transport output pad telnet rlogin udptn
     escape-character NONE
     no telnet speed 2400 38400
     telnet transparent
     autohangup
     dispatch-timeout 250
    line 4 8
     no motd-banner
     no exec-banner
     no flush-at-activation
     no vacant-message
     modem Dialin
     modem autoconfigure type sportster_mod
     autocommand telnet HostB /quiet /noecho
     transport preferred none
     transport input all
     transport output pad telnet rlogin udptn
     escape-character NONE
     telnet transparent
     autohangup
     dispatch-timeout 250

Regards,

Dan

There are two ways to do authentication with locally defined usernames and passwords:

1/ the 'old model'

    line a b
     ! don't require login
     no login
    line c d
     ! use locally defined user & pass
     login local
    line e f
     ! use only password (no user) defined on the line
     login
     password mypass

2/ apply "aaa new-model", define 2 login authentication methods, and apply these to the line groups:

    aaa new-model
    aaa authentication login NOAUTH none
    aaa authentication login USERPASS local
    aaa authentication login LINEPASS line
    line a b
     login authentication NOAUTH
    line c d
     login authentication USERPASS
    line e f
     login authentication LINEPASS

Or in a simplified version (perhaps less readable):

    aaa new-model
    aaa authentication login NOAUTH none
    aaa authentication login default local
    aaa authentication login LINEPASS line
    line a b
     login authentication NOAUTH
    line c d
     ! no login statement needed, will use default
    line e f
     login authentication LINEPASS

Note that this last example requires you to define a method also on the con, aux and vty lines unless you want these to use the default method.

"autoselect during-login" is not applicable here, since it is used only for slip or ppp connections.

Finally if you'll ever want to implement radius, tacacs+ or kerberos authentication you will need to use new-model.

hth

Herbert
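Added example, not part of the original thread: a Python check that reads an IOS configuration written in the `aaa new-model` form from the answer above and reports which line groups run an autocommand with no login check, and which have no `login authentication` statement and therefore fall back to the default list. The sample configuration is constructed from the thread's two modem pools, the function names are hypothetical, and only the new-model form is handled.

```python
import re
# Constructed sample: the thread's two modem pools under the "simplified"
# scheme (pool 1-3 authenticates via the default list, pool 4-8 does not).
SAMPLE = """\
aaa new-model
aaa authentication login NOAUTH none
aaa authentication login default local
line 1 3
 autocommand telnet HostA /quiet /noecho
line 4 8
 login authentication NOAUTH
 autocommand telnet HostB /quiet /noecho
line vty 0 4
"""

def method_lists(config):
    """Map each 'aaa authentication login <name>' list to its methods."""
    found = re.findall(r"^aaa authentication login (\S+) (.+)$", config, re.M)
    return {name: methods.split() for name, methods in found}

def line_blocks(config):
    """Return {line header: [indented sub-commands]} in config order."""
    blocks, current = {}, None
    for raw in config.splitlines():
        if raw.startswith("line "):
            current = blocks.setdefault(raw.strip(), [])
        elif raw.startswith(" ") and current is not None:
            current.append(raw.strip())
        else:
            current = None  # any other top-level command ends the block
    return blocks

def audit(config):
    """Return {header: (list name, methods or None, has autocommand)}."""
    lists, report = method_lists(config), {}
    for header, body in line_blocks(config).items():
        named = [c.split()[2] for c in body if c.startswith("login authentication ")]
        name = named[-1] if named else "default"  # no statement: default list
        auto = any(c.startswith("autocommand ") for c in body)
        report[header] = (name, lists.get(name), auto)
    return report

def open_autocommand_lines(config):
    """Lines whose autocommand runs with no login check (first method 'none')."""
    return [h for h, (_, m, auto) in audit(config).items() if auto and m and m[0] == "none"]

def lines_using_default(config):
    """Lines with no 'login authentication', which fall back to 'default'."""
    return [h for h, (name, _, _) in audit(config).items() if name == "default"]
```

On the sample, only `line 4 8` is reported as running its autocommand without a login check, while `line 1 3` and `line vty 0 4` are reported as inheriting the default list, which is the case the answer's note about con, aux and vty lines refers to.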

Herbert,

Thank you again, my Belgian friend. With your assistance I was able to make the authentication work properly . . . so far.

Regards,

Dan

You're welcome, if I'm ever in PA I'll let you buy me a beer :-)

cheers

Herbert

PS: you could also do me (and other authors) a favor by rating the messages you find helpful.

It's a deal.
