Cisco configurations

Large Scale Dialout With TACACS+

Introduction

Large scale dialout eliminates the need to configure dialer maps on every network access server for every destination. Instead, you create remote site profiles containing the outgoing call attributes (telephone number, service type, CHAP secret to send, and so on) on the AAA server. The profile is downloaded by the network access server when packet traffic requires a call to be placed to a remote site. The static routes that point at those remote sites are downloaded from the same AAA server at a configurable interval, so neither the routes nor the dialer maps have to be maintained on each access server.

Prerequisites:

  • IOS 12.0(3)T or later on the access server
  • CiscoSecure ACS (used as the TACACS+ server)

    Network Topology


    CiscoSecure ACS setup

    First you'll have to create an outbound service under 'interface configuration':


    You have to create three user profiles:

  • amslab-5300a-1, the route-download profile for the access server. The access server requests profiles named hostname-1, hostname-2, and so on until a request fails, so the routes can be split over several profiles; each route#n attribute in the profile becomes an ip route command on the access server.
  • Cisco1720-out, the dial-out profile for the Cisco1720 router. It is requested with service=outbound when traffic matches a route pointing at the dialer interface, and carries the number to dial, the peer address and the authentication type and secret the access server should send.
  • Cisco1720, the profile which contains the 'normal' username+password used to authenticate the PPP/CHAP session once the call is up. The access server derives this name by stripping the '-out' suffix from the dial-out profile name.

    User amslab-5300a-1 setup




    User Cisco1720-out setup



    User Cisco1720 setup



    AS5300 Configuration

    amslab-5300a#wr te
    Building configuration...
    
    Current configuration : 1567 bytes
    !
    version 12.1
    service timestamps debug uptime
    service timestamps log uptime
    no service password-encryption
    !
    hostname amslab-5300a
    !
    aaa new-model
    ! PPP peers (the remote routers) are authenticated against TACACS+
    aaa authentication ppp default group tacacs+
    ! network authorization covers LCP/IPCP and, together with 'dialer aaa', the outbound call
    aaa authorization network default group tacacs+
    ! configuration authorization lets the access server pull static routes from the server
    aaa authorization configuration default group tacacs+
    ! re-download the route profile(s) (amslab-5300a-1, -2, ...) every 10 minutes
    aaa route download 10
    enable secret 5 $1$67c8$auILc0ZyVGcT.38hcrWWv0
    !
    spe 1/0 1/9
     firmware location flash:mica-modem-pw.2.7.2.0.bin
    !
    ip subnet-zero
    no ip domain-lookup
    !
    isdn switch-type primary-net5
    !
    controller E1 0
     framing NO-CRC4
     clock source line primary
     pri-group timeslots 1-31
    !
    interface Ethernet0
     ip address 10.1.1.20 255.255.255.0
    !
    interface Serial0:15
     no ip address
     encapsulation ppp
     dialer rotary-group 0
     isdn switch-type primary-net5
    !
    interface Dialer0
     ip address 10.1.2.1 255.255.255.0
     encapsulation ppp
     dialer in-band
     ! look the destination up on the AAA server (<name>-out profile) instead of a dialer map
     dialer aaa
     dialer-group 1
     ppp authentication chap
    !
    router eigrp 15
     redistribute connected
     redistribute static
     network 10.1.1.0 0.0.0.255
    !
    ip classless
    no ip http server
    !
    dialer-list 1 protocol ip permit
    tacacs-server host 10.1.1.50
    tacacs-server timeout 30
    ! shared key that protects the TACACS+ body; the send-secret returned in the
    ! dial-out profile crosses the wire under this key only, so choose it accordingly
    tacacs-server key cisco
    !
    !
    line con 0
     transport input none
    line 1 60
    line aux 0
    line vty 0 4
     password cisco
    !
    end
    

    Cisco 1720 Configuration

    Cisco1720#wr te
    Building configuration...
    
    Current configuration:
    !
    version 12.1
    service timestamps debug uptime
    service timestamps log uptime
    no service password-encryption
    !
    hostname Cisco1720
    !
    enable secret 5 $1$53vb$gLRZ4MPZBBdJQtDXgnwh8.
    !
    ! CHAP secret for the access server: must match send-secret in the Cisco1720-out
    ! profile. Without 'ppp chap password' the 1720 also uses this entry to answer the
    ! access server's challenge, so it must match the Cisco1720 profile's password too.
    username amslab-5300a password 0 cisco
    !
    ip subnet-zero
    !
    isdn switch-type basic-net3
    !
    interface BRI0
     no ip address
     dialer pool-member 1
     isdn switch-type basic-net3
    !
    interface FastEthernet0
     ip address 10.1.3.1 255.255.255.0
     no keepalive
     speed auto
    !
    interface Dialer0
     ip address 10.1.2.2 255.255.255.0
     encapsulation ppp
     dialer pool 1
     dialer string 384200
     dialer-group 1
     no cdp enable
     ppp authentication chap
    !
    ip classless
    ip route 0.0.0.0 0.0.0.0 10.1.2.1
    no ip http server
    !
    dialer-list 1 protocol ip permit
    no cdp run
    !
    line con 0
     transport input none
    line aux 0
    line vty 0 4
     password cisco
     login
    !
    

    Check that the AS5300 received routes from CiscoSecure

    With AAA authorization debugging enabled, the periodic download shows up as an AAA/AUTHOR/CONFIG request for user amslab-5300a-1. Each route#n attribute the server returns is parsed as an ip route command, and the resulting entries are marked P (periodic downloaded static route) in show ip route.

    amslab-5300a#sh debug
    General OS:
      AAA Authentication debugging is on
      AAA Authorization debugging is on
    amslab-5300a#
    02:31:43: AAA: parse name= idb type=-1 tty=-1
    02:31:43: AAA/MEMORY: create_user (0x61CCF2EC) user='' ruser='' port='' rem_addr='' authen_type=NONE service=LOGIN priv=0
    02:31:43: unknown AAA/AUTHOR/CONFIG (732221923): Port='' list='default' service=unknown
    02:31:43: AAA/AUTHOR/CONFIG: unknown (732221923) user='amslab-5300a-1'
    02:31:43: unknown AAA/AUTHOR/CONFIG (732221923): send AV service=ppp
    02:31:43: unknown AAA/AUTHOR/CONFIG (732221923): send AV protocol=ip
    02:31:43: unknown AAA/AUTHOR/CONFIG (732221923): found list "default"
    02:31:43: unknown AAA/AUTHOR/CONFIG (732221923): Method=tacacs+ (tacacs+)
    02:31:43: AAA/AUTHOR/TAC+: (732221923): user=amslab-5300a-1
    02:31:43: AAA/AUTHOR/TAC+: (732221923): send AV service=ppp
    02:31:43: AAA/AUTHOR/TAC+: (732221923): send AV protocol=ip
    02:31:43: TAC+: (732221923): received author response status = PASS_ADD
    02:31:43: AAA/AUTHOR (732221923): Post authorization status = PASS_ADD
    02:31:43: AAA/AUTHOR/CONFIG: Processing AV service=ppp
    02:31:43: AAA/AUTHOR/CONFIG: Processing AV protocol=ip
    02:31:43: AAA/AUTHOR/CONFIG: Processing AV route#1=10.1.2.2 255.255.255.255 dialer 0 name Cisco1720
    02:31:43: AAA/AUTHOR/CONFIG: Parse 'ip route 10.1.2.2 255.255.255.255 dialer 0 name Cisco1720'
    02:31:43: AAA/AUTHOR/CONFIG: Parse returned ok (0)
    02:31:43: AAA/AUTHOR/CONFIG: Processing AV route#2=10.1.3.0 255.255.255.0 10.1.2.2
    02:31:43: AAA/AUTHOR/CONFIG: Parse 'ip route 10.1.3.0 255.255.255.0 10.1.2.2'
    02:31:43: AAA/AUTHOR/CONFIG: Parse returned ok (0)
    
    amslab-5300a#sh ip route
    Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
           D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
           N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
           E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
           i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
           * - candidate default, U - per-user static route, o - ODR
           P - periodic downloaded static route
    
    Gateway of last resort is 10.1.1.254 to network 0.0.0.0
    
         10.0.0.0/8 is variably subnetted, 4 subnets, 2 masks
    P       10.1.3.0/24 [1/0] via 10.1.2.2
    C       10.1.2.0/24 is directly connected, Dialer0
    C       10.1.1.0/24 is directly connected, Ethernet0
    P       10.1.2.2/32 is directly connected, Dialer0
    D*EX 0.0.0.0/0 [170/46251776] via 10.1.1.254, 00:24:20, Ethernet0
    amslab-5300a#
    

    Now check connectivity to the Cisco1720

    Pinging the 1720's LAN address hits the downloaded route to Dialer0, so the access server requests the Cisco1720-out profile with service=outbound, dials the number it returns, strips the '-out' suffix to obtain the CHAP peer name and authenticates the connected PPP session as user Cisco1720. The ping replies (.!!) and the success-rate line are interleaved with the debug output on the console; the first echoes are lost while the ISDN call is set up, so 2/5 on the first attempt is expected.

    amslab-5300a#sh debug
    General OS:
      AAA Authentication debugging is on
      AAA Authorization debugging is on
    amslab-5300a#ping 10.1.3.1
    
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 10.1.3.1, timeout is 2 seconds:
    
    02:33:19: AAA: parse name=Dialer0 idb type=-1 tty=-1
    02:33:19: AAA: name=Dialer0 flags=0x11 type=6 shelf=0 slot=0 adapter=0 port=0 channel=0
    02:33:19: AAA: parse name= idb type=-1 tty=-1
    02:33:19: AAA/MEMORY: create_user (0x61CCF2EC) user='Cisco1720-out' ruser='' port='Dialer0' rem_addr='Dial out' authen_type=NONE service=LOGIN priv=0
    02:33:19: Di0 AAA/AUTHOR/DIALOUT (1370146145): Port='Dialer0' list='default' service=unknown
    02:33:19: AAA/AUTHOR/DIALOUT: Di0 (1370146145) user='Cisco1720-out'
    02:33:19: Di0 AAA/AUTHOR/DIALOUT (1370146145): send AV service=outbound
    02:33:19: Di0 AAA/AUTHOR/DIALOUT (1370146145): send AV protocol=ip
    02:33:19: Di0 AAA/AUTHOR/DIALOUT (1370146145): found list "default"
    02:33:19: Di0 AAA/AUTHOR/DIALOUT (1370146145): Method=tacacs+ (tacacs+)
    02:33:19: AAA/AUTHOR/TAC+: (1370146145): user=Cisco1720-out
    02:33:19: AAA/AUTHOR/TAC+: (1370146145): send AV service=outbound
    02:33:19: AAA/AUTHOR/TAC+: (1370146145): send AV protocol=ip
    02:33:19: TAC+: (1370146145): received author response status = PASS_ADD
    02:33:19: Di0 AAA/AUTHOR (1370146145): Post authorization status = PASS_ADD
    02:33:19: Di0 AAA/AUTHOR/DIALOUT: Processing AV service=outbound
    02:33:19: Di0 AAA/AUTHOR/DIALOUT: Processing AV protocol=ip
    02:33:19: Di0 AAA/AUTHOR/DIALOUT: Processing AV send-auth=2
    02:33:19: Di0 AAA/AUTHOR/DIALOUT: Processing AV send-secret=cisco
    02:33:19: Di0 AAA/AUTHOR/DIALOUT: Processing AV dial-number=384000
    02:33:19: Di0 AAA/AUTHOR/DIALOUT: Processing AV addr=10.1.2.2
    02:33:19: Di0 AAA/AUTHOR/DIALOUT: Authorization succeeded
    02:33:19: Di0 AAA/AUTHOR/DIALOUT: truncating '-out' suffix, user now is 'Cisco1720'
    02:33:19: %LSDialout: temporary debug to verify the data integrity
    02:33:19:       dial number = 384000
    02:33:19:       dialnum_count = 1
    02:33:19:       force_56 = 0
    02:33:19:       routing = 0
    02:33:19:       data_svc = -1
    02:33:19:       port_type = -1
    02:33:19:       map_class =
    02:33:19:       ip_address = 10.1.2.2
    02:33:19:       send_secret = cisco
    02:33:19:       send_auth = 2
    02:33:20: %LINK-3-UPDOWN: Interface Serial0:30, changed state to up
    02:33:20: Se0:30 AAA/AUTHOR/FSM: (0): LCP succeeds trivially
    02:33:20: AAA: parse name=Serial0:30 idb type=13 tty=-1
    02:33:20: AAA: name=Serial0:30 flags=0x51 type=1 shelf=0 slot=0 adapter=0 port=0 channel=30
    02:33:20: AAA: parse name= idb type=-1 tty=-1
    02:33:20: AAA/MEMORY: create_user (0x6198D654) user='Cisco1720' ruser='' port='Serial0:30' rem_addr='384000/384000' authen_type=CHAP service=PPP priv=1
    02:33:20: AAA/AUTHEN/START (2324475641): port='Serial0:30' list='' action=SENDAUTH service=PPP
    02:33:20: AAA/AUTHEN/START (2324475641): using "default" list
    02:33:20: AAA/AUTHEN/START (2324475641): Method=tacacs+ (tacacs+)
    02:33:20: AAA/AUTHEN/SENDAUTH (2324475641): found cached secret for Cisco1720
    02:33:20: AAA/AUTHEN (2324475641): status = PASS
    02:33:20: AAA/MEMORY: free_user (0x6198D654) user='Cisco1720' ruser='' port='Serial0:30' rem_addr='384000/384000' authen_type=CHAP service=PPP priv=1
    02:33:20: AAA: parse name=Serial0:30 idb type=13 tty=-1
    02:33:20: AAA: name=Serial0:30 flags=0x51 type=1 shelf=0 slot=0 adapter=0 port=0 channel=30
    02:33:20: AAA: parse name= idb type=-1 tty=-1
    02:33:20: AAA/MEMORY: create_user (0x61DE217C) user='Cisco1720' ruser='' port='Serial0:30' rem_addr='384000/384000' authen_type=CHAP service=PPP priv=1
    02:33:20: AAA/AUTHEN/START (1910361930): port='Serial0:30' list='' action=LOGIN service=PPP
    02:33:20: AAA/AUTHEN/START (1910361930): using "default" list
    02:33:20: AAA/AUTHEN/START (1910361930): Method=tacacs+ (tacacs+)
    02:33:20: TAC+: send AUTHEN/START packet ver=193 id=1910361930
    02:33:20: TAC+: ver=193 id=1910361930 received AUTHEN status = PASS
    02:33:20: AAA/AUTHEN (1910361930): status = PASS
    02:33:20: Se0:30 AAA/AUTHOR/LCP: Authorize LCP
    02:33:20: Se0:30 AAA/AUTHOR/LCP (2447205102): Port='Serial0:30' list='' service=NET
    02:33:20: AAA/AUTHOR/LCP: Se0:30 (2447205102) user='Cisco1720'
    02:33:20: Se0:30 AAA/AUTHOR/LCP (2447205102): send AV service=ppp
    02:33:20: Se0:30 AAA/AUTHOR/LCP (2447205102): send AV protocol=lcp
    02:33:20: Se0:30 AAA/AUTHOR/LCP (2447205102): found list "default"
    02:33:20: Se0:30 AAA/AUTHOR/LCP (2447205102): Method=tacacs+ (tacacs+)
    02:33:20: AAA/AUTHOR/TAC+: (2447205102): user=Cisco1720
    02:33:20: AAA/AUTHOR/TAC+: (2447205102): send AV service=ppp
    02:33:20: AAA/AUTHOR/TAC+: (2447205102): send AV protocol=lcp
    02:33:21: TAC+: (2447205102): received author response status = PASS_ADD
    02:33:21: Se0:30 AAA/AUTHOR (2447205102): Post authorization status = PASS_ADD
    02:33:21: Se0:30 AAA/AUTHOR/FSM: (0): Can we start IPCP?
    02:33:21: Se0:30 AAA/AUTHOR/FSM (4210779747): Port='Serial0:30' list='' service=NET
    02:33:21: AAA/AUTHOR/FSM: Se0:30 (4210779747) user='Cisco1720'
    02:33:21: Se0:30 AAA/AUTHOR/FSM (4210779747): send AV service=ppp
    02:33:21: Se0:30 AAA/AUTHOR/FSM (4210779747): send AV protocol=ip
    02:33:21: Se0:30 AAA/AUTHOR/FSM (4210779747): found list "default"
    02:33:21: Se0:30 AAA/AUTHOR/FSM (4210779747): Method=tacacs+ (tacacs+)
    02:33:21: AAA/AUTHOR/TAC+: (4210779747): user=Cisco1720
    02:33:21: AAA/AUTHOR/TAC+: (4210779747): send AV service=ppp
    02:33:21: AAA/AUTHOR/TAC+: (4210779747): send AV protocol=ip
    02:33:21: TAC+: (4210779747): received author response status = PASS_ADD
    02:33:21: Se0:30 AAA/AUTHOR (4210779747): Post authorization status = PASS_ADD
    02:33:21: Se0:30 AAA/AUTHOR/FSM: We can start IPCP
    02:33:21: Se0:30 AAA/AUTHOR/FSM: (0): Can we start CDPCP?
    02:33:21: Se0:30 AAA/AUTHOR/FSM (1824258198): Port='Serial0:30' list='' service=NET
    02:33:21: AAA/AUTHOR/FSM: Se0:30 (1824258198) user='Cisco1720'
    02:33:21: Se0:30 AAA/AUTHOR/FSM (1824258198): send AV service=ppp
    02:33:21: Se0:30 AAA/AUTHOR/FSM (1824258198): send AV protocol=cdp
    02:33:21: Se.!!
    Success rate is 40 percent (2/5), round-trip min/avg/max = 28/30/32 ms
    amslab-5300a#0:30 AAA/AUTHOR/FSM (1824258198): found list "default"
    02:33:21: Se0:30 AAA/AUTHOR/FSM (1824258198): Method=tacacs+ (tacacs+)
    02:33:21: AAA/AUTHOR/TAC+: (1824258198): user=Cisco1720
    02:33:21: AAA/AUTHOR/TAC+: (1824258198): send AV service=ppp
    02:33:21: AAA/AUTHOR/TAC+: (1824258198): send AV protocol=cdp
    02:33:21: TAC+: (1824258198): received author response status = FAIL
    02:33:21: Se0:30 AAA/AUTHOR (1824258198): Post authorization status = FAIL
    02:33:21: Se0:30 AAA/AUTHOR/FSM: We cannot start CDPCP
    02:33:22: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0:30, changed state to up
    02:33:23: Se0:30 AAA/AUTHOR/IPCP: Start.  Her address 10.1.2.2, we want 10.1.2.2
    02:33:23: Se0:30 AAA/AUTHOR/IPCP (283772831): Port='Serial0:30' list='' service=NET
    02:33:23: AAA/AUTHOR/IPCP: Se0:30 (283772831) user='Cisco1720'
    02:33:23: Se0:30 AAA/AUTHOR/IPCP (283772831): send AV service=ppp
    02:33:23: Se0:30 AAA/AUTHOR/IPCP (283772831): send AV protocol=ip
    02:33:23: Se0:30 AAA/AUTHOR/IPCP (283772831): send AV addr*10.1.2.2
    02:33:23: Se0:30 AAA/AUTHOR/IPCP (283772831): found list "default"
    02:33:23: Se0:30 AAA/AUTHOR/IPCP (283772831): Method=tacacs+ (tacacs+)
    02:33:23: AAA/AUTHOR/TAC+: (283772831): user=Cisco1720
    02:33:23: AAA/AUTHOR/TAC+: (283772831): send AV service=ppp
    02:33:23: AAA/AUTHOR/TAC+: (283772831): send AV protocol=ip
    02:33:23: AAA/AUTHOR/TAC+: (283772831): send AV addr*10.1.2.2
    02:33:23: TAC+: (283772831): received author response status = PASS_ADD
    02:33:23: Se0:30 AAA/AUTHOR (283772831): Post authorization status = PASS_ADD
    02:33:23: Se0:30 AAA/AUTHOR/IPCP: Processing AV service=ppp
    02:33:23: Se0:30 AAA/AUTHOR/IPCP: Processing AV protocol=ip
    02:33:23: Se0:30 AAA/AUTHOR/IPCP: Processing AV addr*10.1.2.2
    02:33:23: Se0:30 AAA/AUTHOR/IPCP: Authorization succeeded
    02:33:23: Se0:30 AAA/AUTHOR/IPCP: Done.  Her address 10.1.2.2, we want 10.1.2.2
    02:33:26: %ISDN-6-CONNECT: Interface Serial0:30 is now connected to 384000 Cisco1720
    amslab-5300a#
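    The two checks above (the route download and the dial-out authorization) can be verified from the debug output rather than by eye. The following script is an added example, not part of the original page or of Cisco's tools: it extracts the TACACS+ attribute-value pairs from the AAA/AUTHOR/CONFIG and AAA/AUTHOR/DIALOUT debug lines, rebuilds the ip route commands from the route#n attributes, confirms each of them appears as a P entry in show ip route, and checks that a dial-out profile carries everything the dialer needs. The sample lines are copied from the output shown above; the send-auth code table (1 = PAP, 2 = CHAP) is IOS's, everything else (function names, the findings text) is this example's own.

```python
"""Check large-scale-dialout profiles from 'debug aaa authorization' output.
Added example; not code from the original page or from Cisco."""
import ipaddress
import re

# Constructed sample input: a subset of the debug lines shown on this page.
SAMPLE_DEBUG = """\
02:31:43: AAA/AUTHOR/CONFIG: unknown (732221923) user='amslab-5300a-1'
02:31:43: AAA/AUTHOR/CONFIG: Processing AV service=ppp
02:31:43: AAA/AUTHOR/CONFIG: Processing AV protocol=ip
02:31:43: AAA/AUTHOR/CONFIG: Processing AV route#1=10.1.2.2 255.255.255.255 dialer 0 name Cisco1720
02:31:43: AAA/AUTHOR/CONFIG: Processing AV route#2=10.1.3.0 255.255.255.0 10.1.2.2
02:33:19: AAA/AUTHOR/DIALOUT: Di0 (1370146145) user='Cisco1720-out'
02:33:19: Di0 AAA/AUTHOR/DIALOUT: Processing AV service=outbound
02:33:19: Di0 AAA/AUTHOR/DIALOUT: Processing AV protocol=ip
02:33:19: Di0 AAA/AUTHOR/DIALOUT: Processing AV send-auth=2
02:33:19: Di0 AAA/AUTHOR/DIALOUT: Processing AV send-secret=cisco
02:33:19: Di0 AAA/AUTHOR/DIALOUT: Processing AV dial-number=384000
02:33:19: Di0 AAA/AUTHOR/DIALOUT: Processing AV addr=10.1.2.2
"""

# Constructed sample input: the routing-table lines from 'show ip route' above.
SAMPLE_ROUTES = """\
P       10.1.3.0/24 [1/0] via 10.1.2.2
C       10.1.2.0/24 is directly connected, Dialer0
C       10.1.1.0/24 is directly connected, Ethernet0
P       10.1.2.2/32 is directly connected, Dialer0
"""

USER_RE = re.compile(r"AAA/AUTHOR/(?:CONFIG|DIALOUT): \S+ \(\d+\) user='([^']*)'")
AV_RE = re.compile(r"AAA/AUTHOR/(?:CONFIG|DIALOUT): Processing AV ([^=*]+)([=*])(.*)$")
P_ROUTE_RE = re.compile(r"^P\s+(\d+\.\d+\.\d+\.\d+/\d+)")
SEND_AUTH = {"1": "pap", "2": "chap"}  # send-auth values IOS understands


def parse_av_pairs(debug_text):
    """Map each authorized user to its (attribute, separator, value) triples.
    In TACACS+ '=' marks a mandatory AV pair and '*' an optional one."""
    profiles, current = {}, None
    for line in debug_text.splitlines():
        m = USER_RE.search(line)
        if m:
            current = m.group(1)
            profiles.setdefault(current, [])
            continue
        m = AV_RE.search(line)
        if m and current is not None:
            attr, sep, value = m.groups()
            profiles[current].append((attr.strip(), sep, value.strip()))
    return profiles


def routes_from_profile(avs):
    """Rebuild, in route#n order, the 'ip route' commands IOS parses from the profile."""
    numbered = []
    for attr, _, value in avs:
        m = re.fullmatch(r"route#(\d+)", attr)
        if m:
            numbered.append((int(m.group(1)), "ip route " + value))
    return [cmd for _, cmd in sorted(numbered)]


def installed_prefixes(show_ip_route_text):
    """Prefixes that 'show ip route' marks P (periodic downloaded static route)."""
    found = set()
    for line in show_ip_route_text.splitlines():
        m = P_ROUTE_RE.match(line)
        if m:
            found.add(m.group(1))
    return found


def missing_downloaded_routes(avs, show_ip_route_text):
    """Downloaded routes that are not present as P entries in the routing table."""
    installed = installed_prefixes(show_ip_route_text)
    missing = []
    for cmd in routes_from_profile(avs):
        _, _, net, mask, *_ = cmd.split()
        prefix = str(ipaddress.ip_network(f"{net}/{mask}", strict=False))
        if prefix not in installed:
            missing.append(prefix)
    return missing


def check_dialout_profile(user, avs):
    """Findings for a service=outbound profile; an empty list means it is usable."""
    findings = []
    attrs = {attr: value for attr, _, value in avs}
    if not user.endswith("-out"):
        findings.append(f"{user}: dial-out profile name must end in -out")
    if attrs.get("service") != "outbound":
        findings.append(f"{user}: service is {attrs.get('service')!r}, expected 'outbound'")
    for required in ("dial-number", "addr"):
        if required not in attrs:
            findings.append(f"{user}: missing {required}")
    auth = attrs.get("send-auth")
    if auth is not None:
        if auth not in SEND_AUTH:
            findings.append(f"{user}: unknown send-auth={auth}")
        elif "send-secret" not in attrs:
            findings.append(f"{user}: send-auth={auth} ({SEND_AUTH[auth]}) but no send-secret")
    return findings


def peer_name(user):
    """IOS strips the -out suffix to get the PPP peer name it then authenticates."""
    return user[:-4] if user.endswith("-out") else user


if __name__ == "__main__":
    for user, avs in parse_av_pairs(SAMPLE_DEBUG).items():
        if any(attr == "service" and value == "outbound" for attr, _, value in avs):
            print(user, "->", peer_name(user), check_dialout_profile(user, avs) or "ok")
        else:
            print(user, routes_from_profile(avs),
                  "missing:", missing_downloaded_routes(avs, SAMPLE_ROUTES))
```

    Run it against a saved console log instead of the embedded sample to spot a route that the server returned but IOS refused to parse, or a -out profile that lost its send-secret. Note that send-secret reaches the access server in the TACACS+ body, which is protected only by the shared key from tacacs-server key, so a guessable key exposes every remote site's CHAP secret to anyone on the path between ACS and access server.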
    

    Adding more remote destinations

    Adding more destinations is a matter of adding more user profiles in CiscoSecure: a route-download profile named after the access server that will place the call (or extra route#n attributes in its existing profile), a '-out' profile holding the new router's call attributes, and a plain profile with the new router's username and password. In this case it might be something like:

  • amslab-5300b-2
  • Cisco1721-out
  • Cisco1721