04-02-2004 11:42 AM - edited 03-04-2019 02:56 AM
We have a 3640 with a T-1 PRI interface and a bank of 24 digital modems. Currently there is a single DID number assigned to the PRI trunk group. That number is used by my company's employees to establish PPP connections to the router and gain access to our network and/or the Internet.
We will be hosting another company's FTP server on our network. This company also needs a way for some of their customers to use dial-up to access the server.
Is there a way for me to give the other company's customers dial-up access through our 3640 that will give them only access to a single FTP server, while also letting my company's users keep their general access? I can add user accounts, DIDs, etc. I need a way to distinguish my users from the other company's customers, and to limit the customers' access.
-Mark Romer
04-06-2004 08:07 AM
Mark,
My thought was to do per-user attributes from an AAA server. By doing this you could download ACLs and things like that on a per-user basis, and that way you could allow access to wherever you want. You can do this with Cisco Secure ACS; I'm not sure about Microsoft IAS. This type of solution would only need configuration on the RADIUS server.
Another option is configuring a Virtual Template for your users, and a dialer profile for each user from the other company. This is a fairly straightforward configuration, and would be a good solution for you if there aren't too many users from the other company.
Here's an example w/explanation of how it works.
!
virtual-profile virtual-template 1
!
interface virtual-template 1
ip unnumbered loopback0
peer default ip address pool remoteusers
ppp timeout idle 1200
ppp authentication chap pap
!
interface Group-Async1
ip unnumbered Loopback0
encapsulation ppp
no logging event link-status
dialer in-band
dialer pool 1
dialer idle-timeout 1200
dialer-group 1
async dynamic address
async mode interactive
peer default ip address pool remoteusers
ppp authentication chap pap
group-range 65 88
!
interface Dialer1
ip unnumbered Loopback0
ip access-group 101 in
encapsulation ppp
no logging event link-status
dialer pool 1
dialer-group 1
dialer remote-name Jake
peer default ip address pool remoteusers
no cdp enable
ppp authentication chap pap
ppp multilink
!
interface Dialer2
ip unnumbered Loopback0
ip access-group 101 in
encapsulation ppp
no logging event link-status
dialer pool 1
dialer-group 1
dialer remote-name Bob
peer default ip address pool remoteusers
no cdp enable
ppp authentication chap pap
ppp multilink
!
interface Dialer3
ip unnumbered Loopback0
ip access-group 101 in
encapsulation ppp
no logging event link-status
dialer pool 1
dialer-group 1
dialer remote-name Steve
peer default ip address pool remoteusers
no cdp enable
ppp authentication chap pap
ppp multilink
!
access-list 101 |permit:deny| |ip:tcp:udp| x.x.x.x x.x.x.x x.x.x.x x.x.x.x
With the above configuration everyone will terminate on the V Template profile if the username they provide in response to authentication is NOT found on a dialer interface via the "dialer remote-name" command.
You now have an ACL that you can apply to the dialer interfaces too so you can police traffic.
The only downside to this solution is you need to create a dialer interface for each user from the other company.
In both scenarios you will need to add usernames/passwords to your IAS server.
Let me know if you have any questions.
Daniel
04-05-2004 02:19 PM
Mark,
I'm not sure what your configuration/setup is like but you have a few options. They are all pretty detailed so if you want to provide me with a little more information on the topology and configuration of your 3640 I may be able to help.
Dialup configuration from the router would be helpful. Authentication locally or AAA? Will all the new company's users be calling from the same location? How many will be calling from the new company in total?
Daniel
04-06-2004 06:27 AM
Our users authenticate via RADIUS (Microsoft Internet Access Service running on our domain controllers). The new company's customers will be authenticating to the FTP server, so they could all be set up with a single ID/password combo for the dial-up connection.
Here are the relevant bits of the config for the router. The router has only one fast ethernet port, so I am trunking through a switch to provide connectivity to our internal network and the new network for the other company:
aaa new-model
aaa authentication login default group radius local
aaa authentication login dialin group radius
aaa authentication login vty local
aaa authentication login UseNone none
aaa authentication ppp default local group radius
aaa authentication ppp enable group radius
aaa authentication ppp radius group radius
aaa authentication ppp dialin if-needed group radius
aaa accounting exec default start-stop group radius
aaa accounting network default start-stop group radius
!
no ip dhcp-client network-discovery
isdn switch-type primary-ni
!
!
controller T1 1/0
framing esf
linecode b8zs
pri-group timeslots 1-16,24
!
!
!
interface Loopback0
ip address 192.168.200.1 255.255.255.0
!
interface FastEthernet0/0
no ip address
duplex auto
speed auto
!
interface FastEthernet0/0.10
encapsulation dot1Q 10
ip address 192.168.1.7 255.255.255.0
standby 10 ip 192.168.1.5
standby 10 priority 110
standby 10 preempt
!
interface FastEthernet0/0.21
encapsulation dot1Q 21
ip address 172.21.1.3 255.255.255.0
standby 21 ip 172.21.1.1
standby 21 priority 110
standby 21 preempt
!
!
interface Serial1/0:23
no ip address
isdn switch-type primary-ni
isdn incoming-voice modem
isdn T321 0
isdn T306 30000
isdn T310 10000
no cdp enable
!
interface Group-Async1
ip unnumbered Loopback0
encapsulation ppp
no logging event link-status
dialer in-band
dialer idle-timeout 1200
dialer-group 1
async dynamic address
async mode interactive
peer default ip address pool remoteusers
ppp authentication chap pap
group-range 65 88
!
interface Dialer1
ip unnumbered Loopback0
encapsulation ppp
no logging event link-status
dialer pool 1
dialer-group 1
peer default ip address pool remoteusers
no cdp enable
ppp authentication chap pap
ppp multilink
!
ip local pool remoteusers 192.168.200.50 192.168.200.254
ip classless
ip route 0.0.0.0 0.0.0.0 192.168.1.4
no ip http server
!
dialer-list 1 protocol ip permit
!
!
radius-server host 192.168.1.102 auth-port 1645 acct-port 1646
radius-server host 192.168.1.114 auth-port 1645 acct-port 1646
radius-server retransmit 3
call rsvp-sync
!
!
mgcp profile default
!
dial-peer cor custom
!
!
!
!
line con 0
login authentication vty
line 65 88
modem InOut
transport input all
transport output pad v120 lapb-ta telnet rlogin udptn
autoselect during-login
autoselect ppp
04-06-2004 01:03 PM
Daniel,
The virtual-template/dialer interface setup might work for me. I can set up a single user/password combo for all the customers to connect with, then they will use their individual FTP accounts to authenticate to the FTP server.
Do I have to set up the user account in IAS, or can I set it up as a local user?
-Mark
04-06-2004 01:56 PM
Mark,
If you go w/the V Template solution, a dialer interface will only allow one user to be connected at a time, so if you want to have one username/password that everyone can use, only one of them will be able to connect at a time.
You could set up the user account in IAS or locally, just depends on how you set up AAA.
It would probably be easier for you to just throw it in IAS.
Daniel
04-19-2004 02:00 PM
Daniel,
Thanks for pointing me in the right direction. I did a little research into virtual profiles and per-user configurations, and I was able to make it work just like I wanted it to.
IAS will, in fact, let you put AV pairs into a profile on a remote access policy. I was able to use that to download an ACL for users in a particular Active Directory security group that I set up for the other company's users.
Thanks again for the help!
-Mark