Shell-Based Authentication of VPDN Users
The Shell-Based Authentication of VPDN Users feature allows the network access server (NAS) and tunnel server to be configured to perform shell-based authentication of virtual private dialup network (VPDN) users. Shell-based authentication of VPDN users provides terminal services (shell login or exec login) for VPDN users to support rollout of wholesale dial networks. Authentication of users occurs via shell or exec login at the NAS before PPP starts and the tunnel is established.
A character-mode login dialog is provided before PPP starts, and the login dialog supports schemes such as token-card synchronization and initialization, and challenge-based password. After a user is authenticated in this way, the connection changes from character mode to PPP mode to connect the user to the desired destination. The authentication, authorization, and accounting (AAA) server that authenticates the login user can be selected based on the Dialed Number Identification Service (DNIS) or the domain-name part of the username.
VPDN profiles can be kept on a Resource Pool Manager Server (RPMS), on a RADIUS-based AAA server, or on the NAS.
Configuration Information
Configuration information is included in the "Configuring AAA for VPDNs" module in the Cisco IOS VPDN Configuration Guide, Release 12.4T, at the following URL:
• http://www.cisco.com/univercd/cc/td/doc/product/software/ios124/124tcg/tvpdn_c/vpc2auht.htm
Command Reference
This section documents modified commands.
• aaa dnis map authentication group
aaa dnis map authentication group
To map a dialed number identification service (DNIS) number to a particular authentication server group (the server group that will be used for authentication, authorization, and accounting [AAA] authentication), use the aaa dnis map authentication group command in AAA-server-group configuration mode. To remove the DNIS number from the defined server group, use the no form of this command.
aaa dnis map dnis-number authentication {ppp | login} group server-group-name
no aaa dnis map dnis-number authentication {ppp | login} group server-group-name
Syntax Description
Command Default
A DNIS number is not mapped to a server group.
Command Modes
AAA-server-group configuration
Command History
Usage Guidelines
Use the aaa dnis map authentication group command to assign a DNIS number to a particular AAA server group so that the server group can process authentication requests for users that are dialing in to the network using that particular DNIS. To use the aaa dnis map authentication group command, you must first enable AAA, define a AAA server group, and enable DNIS mapping.
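The three prerequisites named above (AAA enabled, the server group defined, DNIS mapping enabled) can be checked offline against a saved configuration. The Python below is an added example, not Cisco's code: the function name audit_dnis_maps is hypothetical, the first sample is the configuration from this page's example, and the second is constructed to fail.

```python
import re

# Sample input: the configuration lines from this page's example.
PAGE_CONFIG = """\
aaa new-model
radius-server host 172.30.0.0 auth-port 1645 key cisco1
aaa group server radius group1
 server 172.30.0.0
aaa dnis map enable
aaa dnis map 7777 authentication ppp group group1
aaa dnis map 7777 authentication login group group1
"""

# Constructed for illustration: DNIS mapping never enabled, group2 never defined.
BROKEN_CONFIG = """\
aaa new-model
aaa group server radius group1
 server 172.30.0.0
aaa dnis map 7777 authentication login group group2
"""

GROUP_RE = re.compile(r"^aaa group server (?:radius|tacacs\+) (\S+)$")
MAP_RE = re.compile(r"^aaa dnis map (\S+) authentication (ppp|login) group (\S+)$")


def audit_dnis_maps(config_text):
    """Return a list of findings; an empty list means the prerequisites hold."""
    lines = [ln.strip() for ln in config_text.splitlines() if ln.strip()]
    groups = {m.group(1) for ln in lines if (m := GROUP_RE.match(ln))}
    maps = [m.groups() for ln in lines if (m := MAP_RE.match(ln))]
    findings = []
    if not maps:
        return findings  # no DNIS-to-group mappings, nothing to check
    if "aaa new-model" not in lines:
        findings.append("AAA is not enabled (aaa new-model missing)")
    if "aaa dnis map enable" not in lines:
        findings.append("DNIS mapping is not enabled (aaa dnis map enable missing)")
    for dnis, method, group in maps:
        if group not in groups:
            findings.append(f"DNIS {dnis} {method}: server group {group} is not defined")
    return findings


if __name__ == "__main__":
    for name, cfg in (("page example", PAGE_CONFIG), ("constructed", BROKEN_CONFIG)):
        print(name, audit_dnis_maps(cfg) or "OK")
```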
Examples
The following example maps DNIS number 7777 to the RADIUS server group called group1. Server group group1 uses RADIUS server 172.30.0.0 for authentication requests for users dialing in with DNIS number 7777.
aaa new-model
radius-server host 172.30.0.0 auth-port 1645 key cisco1
aaa group server radius group1
 server 172.30.0.0
aaa dnis map enable
aaa dnis map 7777 authentication ppp group group1
aaa dnis map 7777 authentication login group group1
Related Commands