2 virtual templates on the same router

karl.jones
Level 1

Hi All

I have a NAS which will be using dialler profiles along with a virtual template. What I would ideally like is 2 virtual templates on the same router .... one for spoke routers dialling in for which no per user dialler is available and a separate one, perhaps virtual-template 2, for ISDN TA users dialling in. I have seen somewhere that it may be possible through the Cisco Secure ACS to point dial-in users through to a specific virtual template.

Any advice would be greatly appreciated.

9 Replies

4brown
Level 1

If you want to use 2 separate methods for dialin clients on virtual templates, you can create 2 separate lists for network authorization like:

aaa authorization network SPOKE if-authenticated radius

aaa authorization network TA radius if-authenticated

interface Virtual-Template1

ppp authorization SPOKE

interface Virtual-Template2

ppp authorization TA

If needed, you could do the same for authentication.

There are probably some examples of this if you searched on virtual-template on CCO.

Hope this helps.

Hi

Thanks for reply .... sorry I am quite new to this ... and will check out examples of this on the web.

Just a couple of Q's .... how does the router know whether the call is coming in from a TA or a spoke router, do I need to specify anything on the ACS and also, silly Q but what is the if-authenticated for?

Many thanks again for reply

Regards

This is done through using two separate lists for authentication/authorization like in the example I mentioned earlier. If using v.120 you would use this command:

vty-async virtual-template 2

If your question related to how it determines a call type and where to terminate it, this is all part of the ISDN Q931 bearer cap information.

"if-authenticated" verifies you are successfully authenticated before performing authorization.

Thanks

Thanks for reply

I will give this a try

Hi

I hope you can help .... I tried your example, spokes were to dial into virtual-template 1 and TAs into virtual-template 2. But what happened is that the TAs always dialled into template 1. I changed the virtual-profile virtual-template 2 command as well but no joy.

Any suggestions would be appreciated as I really could do with spoke routers and TA users coming in on separate templates.

Best regards

Are you using V.120?

Try this:

aaa authentication ppp AUTHEN if-needed radius

aaa authorization network ISDN radius if-authenticated

vty-async

vty-async ppp authentication chap pap AUTHEN

vty-async virtual-template 2

interface Virtual-Template2

ppp authentication chap pap callin AUTHEN

ppp authorization ISDN

Hi

No v120, just sync ppp on the TAs, authenticating to the Radius server, and spokes will be using local usernames and passwords on the NAS (shared password).

Thanks for your post

Is your last post still the way to go?

Many thanks for your time

Best regards

Just disregard the vty async commands, the list method should work.

Thanks
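
Added example, not part of the thread and not Cisco code: a small Python model of how an authorization method list is walked, to show why the order of `if-authenticated` and `radius` in the two lists quoted in the thread matters. The function and parameter names are hypothetical, and the model assumes the IOS rule that the next method is tried only when the previous one gives no response.

```python
# Added illustration (not from the thread): a model of AAA authorization
# method-list evaluation. Names are hypothetical; this is not IOS code.
from typing import Optional, Tuple

PASS, FAIL, ERROR = "PASS", "FAIL", "ERROR"


def run_method(method: str, authenticated: bool,
               radius_reply: Optional[bool]) -> str:
    """Outcome of one method.

    radius_reply: True = server permits, False = server denies,
                  None = server did not answer (timeout).
    """
    if method == "if-authenticated":
        # Assumption: grants the request to any user who already passed
        # authentication, and refuses one who has not.
        return PASS if authenticated else FAIL
    if method == "radius":
        if radius_reply is None:
            return ERROR
        return PASS if radius_reply else FAIL
    raise ValueError(f"unmodelled method: {method}")


def authorize(method_list: str, authenticated: bool,
              radius_reply: Optional[bool]) -> Tuple[str, str]:
    """Walk the list left to right; return (result, deciding method).

    Assumed rule: only an ERROR (no response) falls through to the next
    method. A PASS or FAIL ends the walk.
    """
    result, method = FAIL, "none"
    for method in method_list.split():
        result = run_method(method, authenticated, radius_reply)
        if result != ERROR:
            return result, method
    return FAIL, method  # every method errored out


if __name__ == "__main__":
    # Constructed cases: an authenticated caller, RADIUS permitting,
    # denying, or not answering.
    for methods in ("if-authenticated radius", "radius if-authenticated"):
        for reply in (True, False, None):
            print(f"{methods!r:28} radius_reply={reply!s:5} ->",
                  authorize(methods, True, reply))
```

In this model the `if-authenticated radius` ordering never reaches the RADIUS server for an authenticated caller, while `radius if-authenticated` lets the server decide and only falls back when it does not answer.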