ISDN dialup authentication

Hi All

Is there a way to have users that dial into an ISDN router authenticated, other than to have the usernames and passwords configured on the router itself?

I've got a TACACS+ and a Radius server that can do authentication, but for some reason the ISDN dialup service still prefers the router's usernames and passwords.

The reason I want to change the authentication method is for my users to be able to use the Domain usernames and password to authenticate - this is a little less confusing for them. My Radius server (Win2K IAS) supports domain authentication...

Any input would be appreciated!

Regards

Accepted Solutions

Re: ISDN dialup authentication

Hi,

You can do this.

int bri 0/0

ppp authentication chap LIST-NAME

OR

ppp authentication pap LIST-NAME

LIST-NAME = the list created using AAA commands, which will specify which protocol to be used.

! enables AAA
aaa new-model

aaa authentication ppp LIST-NAME group tacacs+ group radius

tacacs-server host <TACACS+ server IP>

tacacs-server key <shared secret>

radius-server host <RADIUS server IP>

radius-server key <shared secret>

The above config would help with remote site authentication via ISDN with an ACS server.
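Added example, not part of the original posts: a small Python check that reads an IOS configuration and reports, per interface, whether `ppp authentication` points at a method list that consults a TACACS+/RADIUS server group or ends up using only the router's local usernames, which is the symptom described in the question. The sample config, the list names and the function names are constructed for illustration.

```python
import re

# Constructed sample config (not from the thread); list and interface names are made up.
SAMPLE_CONFIG = """\
aaa new-model
aaa authentication login default local
aaa authentication ppp DIALIN group tacacs+ group radius local
!
interface BRI0/0
 encapsulation ppp
 ppp authentication chap DIALIN
!
interface BRI0/1
 encapsulation ppp
 ppp authentication chap
!
interface Serial0/0
 encapsulation ppp
 ppp authentication pap ADMINS
"""

PROTOCOLS = {"chap", "pap", "ms-chap", "ms-chap-v2", "eap"}
OPTIONS = {"callin", "callout", "callback", "one-time", "optional"}

def ppp_method_lists(config):
    """Map each 'aaa authentication ppp' list name to its ordered methods."""
    found = re.finditer(r"^aaa authentication ppp (\S+) (.+)$", config, re.M)
    return {m.group(1): re.findall(r"group \S+|\S+", m.group(2)) for m in found}

def audit_ppp_auth(config):
    """Return {interface: (list name, finding)} for every 'ppp authentication' line."""
    lists = ppp_method_lists(config)
    aaa_on = re.search(r"^aaa new-model\s*$", config, re.M) is not None
    report, iface = {}, None
    for line in config.splitlines():
        if not line.startswith(" "):
            # Top-level line: either opens an interface block or ends one.
            iface = line.split()[1] if line.startswith("interface ") else None
            continue
        m = re.match(r"\s+ppp authentication (.+)$", line)
        if not (iface and m):
            continue
        names = [t for t in m.group(1).split() if t not in PROTOCOLS | OPTIONS]
        name = names[0] if names else "default"
        if not aaa_on or (name == "default" and name not in lists):
            finding = "local-only"       # router's own username database
        elif name not in lists:
            finding = "undefined-list"   # interface points at a list that does not exist
        elif any(meth.startswith("group ") for meth in lists[name]):
            finding = "remote"           # TACACS+/RADIUS server group is consulted
        else:
            finding = "local-only"
        report[iface] = (name, finding)
    return report
```

In the sample, a `login` list exists but no PPP default list does, so the interface without a list name is reported as local-only.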

4 REPLIES
New Member

Re: ISDN dialup authentication

Hi,

Of course you can authenticate your users through domain names!

You can make use of CiscoSecure ACS (installed on a W2k server), a TACACS+ based application with the capability to authenticate users from your domain.

Furthermore, when a user wants to login and the ISDN router recognizes the username, then the ISDN router will take precedence. If not, then the CiscoSecure application will step in.

The Cisco site can tell you everything you want to know about CiscoSecure.

I hope I've put you on the right track....

Martin Dekker

Netherlands.

New Member

Re: ISDN dialup authentication

I do agree with your method, but wouldn't it be more efficient to build the TACACS+ server with the Cisco Secure ACS function software and also add the user communities to specific ISDN rotary dialer groups and configure the ISDN router to forward traffic to the authenticating server(s)?

She would also have to create access-list filters on the router and delegate authentication and also revoke authentication based on the user community policies.

New Member

Re: ISDN dialup authentication

The engineer would also have to add routes or static routes or add the TACACS+ server to the route table list, unless they will be directly connected.

Would the PAP and CHAP authentication work on a single user? Is that command used for the PPP standard?

What if the person has more than one server, what if there is a cluster of servers? Would they have to create numerous user keys for each server?

I think the original question is a pretty vague one--there is no real assessment of the topology to assert any concrete configurations.

But to answer the question of will it work, yes, but it depends on how the engineer wants to use the configuration.
