Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
New Member

one-way aaa & serial "on-demand"

I have the following 2 routers' configurations.

What should i change in order to achieve one-way authentication ?

Let's suppose that router2 is the "client" which "calls" the ISP and router1 is the "ISP".

Router1 should authenticate router2, but not the opposite.

Is there a way i can have a serial connection between these 2 routers using a dialer-on-demand scenario on the 2nd router? That way the serial connection will be up/up only when there is interesting traffic from router2.

router1#

aaa authentication login LOCAL-AAA local

aaa authentication ppp LOCAL-AAA if-needed local

aaa authorization network LOCAL-AAA local

!

username test2 password 0 test

!

interface Serial1

ip address x.x.x.x

encapsulation ppp

ppp authentication chap callin LOCAL-AAA

ppp authorization LOCAL-AAA

ppp chap hostname test1

ppp chap password 0 test

!

router2#

username test1 password 0 test

!

interface Serial0/0

ip address y.y.y.y

encapsulation ppp

ppp authentication chap callin

ppp chap hostname test2

ppp chap password 0 test

!

2 REPLIES
Cisco Employee

Re: one-way aaa & serial "on-demand"

For one way authentication, "ppp authentication chap callin" on router 2 (already there) will do the job. with that command only router 1 will authenticate router 2 but not the reverse. That command with "callin" make the router authenticate to inbound call.

Now for DDR on a leased line, you can configure "interesting traffic" with "idle-timeout" in order to disconnect the line when there is no interesting traffic for idle-timeout.

So add following commands

interface Serial0/0

encapsulation ppp

dialer in-band

dialer-group 1

dialer idle-timeout 600 <---10 mins

and in global config define interesting traffic using

"dialer-list 1 protocol ip permit"

to permit whole ip traffic to be allowed to bring up the line and reset the idle-timeout.

So with above config, the serial line will be disconnected if no ip traffic is passed for 10 mins.

Visit following url for more on that.

http://www.cisco.com/warp/public/471/idle_timeout.html

New Member

Re: one-way aaa & serial "on-demand"

So regarding one-way auth, my config is fine.

Then, why am i still getting "Phase is AUTHENTICATING, by both" ?

How do i define which router calls first?

192
Views
0
Helpful
2
Replies
CreatePlease to create content