ISDN Dial Backup to an interface being used to authenticate with radius

1mjones
Level 1

I'm trying to set up ISDN dial backup (from a field office) to an ISDN line on our local router (both 3640s).

The local router is already being used for remote access (isdn incoming-voice modem) and uses aaa authentication ppp radius so that dial-up users can authenticate.

I want to use the same ISDN line that the dial-up users use for ISDN dial backup from our field office.

Can someone help me understand how to have the local ISDN interface authenticate the field office router with CHAP, but still retain RADIUS authentication for dial-up users?

Thanks,

-----Mike

4 Replies

tepatel
Cisco Employee

I assume that when the primary link fails, the remote office router using the ISDN line will dial in to the local office router, which has an ISDN line as well, right?

First you need to decide which backup scheme is best suited. The following link will help:

http://www.cisco.com/warp/public/123/backup-main.html

That link also has sample configs for each scheme.

Now for authentication, do you want the remote router authenticated locally (not against RADIUS) on the local router, or against RADIUS?

If you want to authenticate the remote router locally, just create a different aaa scheme for that and assign it under the interface, like the following on the local router:

aaa authentication ppp backup local
interface bri0
 ppp authentication chap backup

So if I would like the remote office router to authenticate locally given the above commands, would it cause the existing RADIUS authentication to fail?

Thanks, ---Mike

It will fail if you want to terminate the remote office router and all the other users on the same interface. You need to have the following aaa config to terminate both types of users on the same interface (like interface bri x):

aaa authentication ppp backup-rest local group radius
interface bri x
 ppp authentication chap backup-rest

With the above aaa scheme, when the users dial in, the router will check the local database for authentication; if no username is found in the local database, it will contact the RADIUS server after that.

So you need to configure a username/password for the remote router in the local database, so that when it dials in, it will be authenticated locally, as its username/password is in the local database. For the rest of the users, the RADIUS server will be contacted.
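
The scheme from the reply above, assembled into one configuration for the local router. This is an added example, not part of the original thread; FIELD-RTR, the address 192.0.2.10, the interface number and the `<...>` values are placeholders chosen for illustration.

```cisco
! Added example for the local (head-end) 3640; placeholders are not from the thread.
aaa new-model
!
! Too narrow for a shared line: a local-only list applied to the BRI rejects
! every dial-up user, because their accounts exist only on the RADIUS server.
! aaa authentication ppp backup local
!
! Shared list: local database first, RADIUS for names not found locally.
aaa authentication ppp backup-rest local group radius
!
! CHAP name of the field-office router (its hostname) and the shared secret.
! The field router needs the same secret configured for this router's CHAP name.
username FIELD-RTR password <chap-shared-secret>
!
radius-server host 192.0.2.10 key <radius-shared-key>
!
interface BRI0
 encapsulation ppp
 ppp authentication chap backup-rest
!
! To see which source answered a given call:
!   debug aaa authentication
!   debug ppp authentication
```

Any name present in the local database is authenticated locally and never reaches RADIUS, so keep local usernames limited to the routers that need them and make sure none collide with dial-up account names.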

What about doing authentication the other way around? Would that be possible? I.e., have the dial-up users authenticate first to the RADIUS server, since this would be the first priority, and also have the remote router dial into the same interface, not be able to authenticate to the RADIUS server, then use CHAP for authentication?

Thanks! ---Mike