ISDN backup to PRI with dial back authentication

bobd
Level 1

I've got a customer using a 3660 connecting to 11 sites using a combination of point to point and frame-relay connections. Each of the remote sites has a router installed with a WIC-T1, and an ISDN module to be used for backup.

My goal is to have the remote site dial the PRI plugged into the NM-1CT1 channelized PRI network module of the 3660 when it's primary WAN connection fails, and then have the 3660 initiate a call back to the remote site for security purposes. We need to run 3DES across this as well.

If anyone has seen a config similar to this on CCO, or happened to have done something similar themselves your input would be appreciated.

Bob

4 Replies

thisisshanky
Level 11

On the PRI side:

username Remote1 password cisco
username Remote2 password cisco
username Remote3 password cisco
username Remote4 password cisco
!
controller T1 0
 framing esf
 clock source line primary
 linecode b8zs
 pri-group timeslots 1-24
!
interface Serial0:23
 ip unnumbered fa0/0
 ! ip unnumbered saves you IP addresses on the dial link
 encapsulation ppp
 no ip route-cache
 dialer idle-timeout 3600
 dialer-group 1
 isdn switch-type <switch-type>
 ! the switch type value did not survive in the original post
 isdn incoming-voice modem
 ppp callback accept
 ! accepts a callback request from the remote
 ppp authentication chap
 ppp chap hostname HQ
 ppp chap password xxx
 ppp multilink
!
dialer-list 1 protocol ip permit
! dialer-group 1 above refers to this list; without it no traffic is "interesting"

On the remote side:

username HQ password xxx
!
interface BRI0
 ip unnumbered Ethernet0
 ! ip unnumbered saves you IP addresses on the dial link
 no ip directed-broadcast
 encapsulation ppp
 isdn spid1 <spid1>
 isdn spid2 <spid2>
 dialer idle-timeout xxx
 ! set to a higher value
 dialer string <HQ PRI number>
 dialer-group 1
 ppp callback request
 ! asks HQ to hang up and call back
 ppp authentication chap
 ppp chap hostname Remote1
 ppp chap password cisco
!
dialer-list 1 protocol ip permit
! dialer-group 1 above refers to this list
ip route 0.0.0.0 0.0.0.0 BRI0
! interface name matches the BRI0 configured above (the post had "bri 0/0")

Also, you can additionally use a routing protocol such as EIGRP for routing over FR and ISDN. This might help!

Sankar Nair
UC Solutions Architect
Pacific Northwest | CDW
CCIE Collaboration #17135 Emeritus

Thanks for the input. It looks easy enough, but how's it going to know which number to call? I've got 11 sites that could be coming in. Does the ppp callback request send this information to the 3660?

I'm running static routes at all locations, so will be using a weighted route for the ISDN connection.

I assume adding encryption will be just a matter of applying the crypto map to the BRI interface at the remotes and all channels of the PRI at the core.

All great info. Thanks for your input!

Bob

One way to do it is to use dialer maps for each remote site, with the callback string in it, mapped to the corresponding IP address of the remote site.

Another way to do this is to use AAA for ISDN authentication, and configure the callback string in the AAA configuration file.

A sample freeware TACACS+ configuration would look like this:

user = Remote1 {
    default service = permit
    login = cleartext "cisco"
    chap = cleartext "cisco"
    service = ppp protocol = lcp {
        callback-dialstring = "xxxxxxxxx"
        send-secret = "cisco"
    }
}

You can enable ISDN authentication requests to be sent to a TACACS+ or RADIUS server using AAA.

aaa new-model
! enables AAA
aaa authentication ppp ISDN_AUTH group tacacs+
! "ppp" method list, since it is applied with "ppp authentication" below (the post had "login")
aaa authorization network ISDN_AUTH group tacacs+
! needed so the callback-dialstring attribute is actually fetched from the server
!
interface Serial0:23
 ppp authentication chap ISDN_AUTH
 ppp authorization ISDN_AUTH
!
tacacs-server host <server-ip>
tacacs-server key <shared-key>

Sankar Nair
UC Solutions Architect
Pacific Northwest | CDW
CCIE Collaboration #17135 Emeritus
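The HQ-side decision those TACACS+ entries feed into, as an added Python model (not code from this thread or from Cisco IOS): it parses tac_plus-style user blocks, verifies the CHAP response, and returns only the server-configured callback number, ignoring any number the caller proposes. The user names, secrets and phone numbers are constructed samples, and the "reject when no dialstring is configured" rule is this example's own policy, not IOS behaviour.

```python
import hashlib
import hmac
import re

# Constructed tac_plus-style entries for two remote sites (sample numbers, not the poster's).
TACACS_CONFIG = """
user = Remote1 {
    default service = permit
    login = cleartext "cisco"
    chap = cleartext "cisco"
    service = ppp protocol = lcp {
        callback-dialstring = "5035550101"
        send-secret = "cisco"
    }
}
user = Remote2 {
    chap = cleartext "cisco"
    service = ppp protocol = lcp {
        callback-dialstring = "4255550102"
    }
}
"""

def parse_users(text):
    """Map username -> {'chap': secret, 'callback-dialstring': number} from tac_plus-style text."""
    users = {}
    for name, body in re.findall(r'user\s*=\s*(\S+)\s*\{(.*?)\n\}', text, re.S):
        users[name] = dict(re.findall(
            r'(chap|callback-dialstring)\s*=\s*(?:cleartext\s+)?"([^"]*)"', body))
    return users

def chap_response(ident, secret, challenge):
    """CHAP (RFC 1994) response: MD5(id || secret || challenge)."""
    return hashlib.md5(bytes([ident]) + secret.encode() + challenge).digest()

def callback_decision(users, username, ident, challenge, response, caller_number=None):
    """Model of the HQ side: verify CHAP, then call back ONLY the server-configured
    dialstring. caller_number (an LCP callback option carrying a dialing string, RFC 1570)
    is deliberately ignored, so a leaked CHAP secret alone does not let a caller choose
    where HQ dials. Users without a dialstring are rejected here (a policy choice of
    this example, not IOS behaviour)."""
    user = users.get(username)
    if user is None or "chap" not in user:
        return ("reject", None)
    if not hmac.compare_digest(response, chap_response(ident, user["chap"], challenge)):
        return ("reject", None)
    number = user.get("callback-dialstring")
    return ("callback", number) if number else ("reject", None)
```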

If I set up the dialer map, I still don't think I will have any way of knowing who is dialing in initially. To keep authentication local to the router though, I did a little digging and came up with the commands...

username <name> callback-dialstring <number>
username <name> callback-line <line> or
username <name> callback-rotary <rotary-group>

I'm thinking that I should be able to use some combination of these commands to get my dial-back talking to the correct router and using the PRI for the outbound calls. I've not used these particular switches on the user command though and don't know if they would really work for what I want. I'll do a little more digging on my end to see if their use here would be appropriate, and any input you might have would be appreciated as well.