Re: Radius Authentication on 3800 Series Router

From: Noel Debouver III (noeldebouveriii@yahoo.com)
Date: Wed Jan 03 2007 - 21:35:35 ART


Try this on for size. Fill in the blanks.

Real Life Solution (sanitized):
!
username XXX password XXX
username XXX password XXX
username XXX password XXX
clock timezone XXX
clock summer-time XXX recurring
aaa new-model
!
aaa authentication login default group radius local
aaa authentication login userauthen group radius
aaa authentication enable default none
aaa authorization exec default group radius local
aaa authorization network groupauthor local
aaa accounting network acct_methods start-stop group radius
aaa session-id common
ip subnet-zero
!
ip domain name XXX
ip name-server x.x.x.x
ip name-server x.x.x.x
!
crypto isakmp policy 3
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key XXX address x.x.x.x no-xauth
crypto isakmp keepalive 90 12
!
crypto isakmp client configuration group XXX
 key XXX
 dns x.x.x.x x.x.x.x
 wins x.x.x.x x.x.x.x
 domain XXX
 pool XXX
 acl XXX
 access-restrict vlan1
 split-dns XXX
 netmask x.x.x.x
!
crypto ipsec transform-set XXX esp-3des esp-sha-hmac
crypto ipsec transform-set XXX esp-3des esp-sha-hmac
!
crypto dynamic-map dynmap 10
 set transform-set XXX
!
crypto map clientmap client authentication list XXX
crypto map clientmap isakmp authorization list XXX
crypto map clientmap client configuration address initiate
crypto map clientmap client configuration address respond
crypto map clientmap 2 ipsec-isakmp
 set peer x.x.x.x
 set transform-set XXX
 match address XXX
crypto map clientmap 10 ipsec-isakmp dynamic dynmap
!
interface Loopback0
 ip address x.x.x.x x.x.x.x
!
interface Loopback1
 ip address x.x.x.x x.x.x.x
 ip nat inside
 ip virtual-reassembly
!
interface FastEthernet0/0
 no ip address
 no cdp enable
!
interface FastEthernet0/1
 no ip address
 no cdp enable
!
interface vlan1
 ip address x.x.x.x x.x.x.x
 ip nat outside
 ip virtual-reassembly
 ip policy route-map XXX
 no cdp enable
 crypto map clientmap
 hold-queue 32 in
!
ip local pool XXX x.x.x.x x.x.x.x
ip route x.x.x.x x.x.x.x x.x.x.x
!
ip nat inside source list XXX interface Vlan1 overload
!
ip access-list extended XXX
ip access-list extended XXX
ip access-list extended XXX
ip access-list extended XXX
ip access-list extended XXX
ip access-list extended XXX
ip access-list extended XXX
ip access-list extended XXX
ip access-list extended XXX
 permit ip x.x.x.x x.x.x.x any
 permit ip x.x.x.x x.x.x.x any
 permit ip x.x.x.x x.x.x.x any
ip access-list extended XXX
 permit ip x.x.x.x x.x.x.x x.x.x.x x.x.x.x
 permit ip x.x.x.x x.x.x.x x.x.x.x x.x.x.x
 permit ip x.x.x.x x.x.x.x x.x.x.x x.x.x.x
 permit ip x.x.x.x x.x.x.x x.x.x.x x.x.x.x
 permit ip x.x.x.x x.x.x.x x.x.x.x x.x.x.x
 permit ip x.x.x.x x.x.x.x x.x.x.x x.x.x.x
ip access-list extended XXX
 permit ip x.x.x.x x.x.x.x x.x.x.x x.x.x.x
 permit ip x.x.x.x x.x.x.x x.x.x.x x.x.x.x
 permit ip x.x.x.x x.x.x.x x.x.x.x x.x.x.x
ip access-list extended XXX
 permit ip host x.x.x.x host x.x.x.x
 permit ip host x.x.x.x host x.x.x.x
 permit ip host x.x.x.x host x.x.x.x
 permit ip host x.x.x.x host x.x.x.x
 permit ip host x.x.x.x host x.x.x.x
ip access-list standard XXX
 permit x.x.x.x x.x.x.x
 permit x.x.x.x x.x.x.x
 permit x.x.x.x x.x.x.x
ip access-list extended XXX
ip radius source-interface Loopback0
!
route-map XXX permit 10
 match ip address XXX
 set interface XXX
!
radius-server attribute 6 on-for-login-auth
radius-server dead-criteria tries 2
radius-server host x.x.x.x auth-port 1645 acct-port 1646
radius-server host x.x.x.x auth-port 1645 acct-port 1646
radius-server retransmit 5
radius-server timeout 15
radius-server deadtime 5
radius-server key CCIE
radius-server vsa send accounting
radius-server vsa send authentication
!

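The AAA and radius-server lines in the posted config are the part a reviewer would want to check before copying them onto a production router: the `enable` method list is `none`, the `userauthen` login list has no `local` fallback, and the shared secret is a four-character word. The following auditor is an added example, not code from the post or from Cisco; it parses the legacy `radius-server ...` syntax the post uses and reports those points. The sample configuration inside it is constructed to mirror the relevant posted lines (the `192.0.2.10` server address and the `MIN_SECRET_LEN` floor are assumptions for the example).

```python
"""Lint the AAA / RADIUS portion of a Cisco IOS running-config.

Added example (not from the mailing-list post or any vendor tool).
Reported conditions:
  * 'aaa authentication enable ... none'  -> privileged EXEC with no check
  * login/exec method lists that use RADIUS with no 'local' fallback
  * 'radius-server key' that is short, or stored as reversible type 7
  * missing 'ip radius source-interface' (NAS-IP follows the egress
    interface and may not match the client entry on the RADIUS server)
"""
import re
from collections import Counter
from dataclasses import dataclass

MIN_SECRET_LEN = 16  # policy floor assumed for this example

# Constructed sample mirroring the AAA lines of the posted config.
SAMPLE_CONFIG = """\
aaa new-model
aaa authentication login default group radius local
aaa authentication login userauthen group radius
aaa authentication enable default none
aaa authorization exec default group radius local
ip radius source-interface Loopback0
radius-server host 192.0.2.10 auth-port 1645 acct-port 1646
radius-server key CCIE
"""


@dataclass(frozen=True)
class Finding:
    severity: str   # "high" or "medium"
    line: str       # config line that triggered the finding
    message: str


def _methods(rest: str) -> list[str]:
    """'group radius local' -> ['radius', 'local']; 'none' -> ['none']."""
    return [t for t in rest.split() if t != "group"]


def audit_aaa(config: str) -> list[Finding]:
    findings: list[Finding] = []
    lines = [ln.strip() for ln in config.splitlines()
             if ln.strip() and not ln.strip().startswith("!")]

    if not any(ln.startswith("ip radius source-interface") for ln in lines):
        findings.append(Finding("medium", "(absent)",
            "no 'ip radius source-interface': NAS-IP varies with the egress "
            "interface and may not match the server's client entry"))

    for ln in lines:
        m = re.match(r"aaa authentication enable (\S+) (.+)$", ln)
        if m:
            if _methods(m.group(2)) == ["none"]:
                findings.append(Finding("high", ln,
                    "enable authentication is 'none': privileged EXEC is "
                    "granted with no credential check"))
            continue

        m = re.match(r"aaa (?:authentication login|authorization exec) (\S+) (.+)$", ln)
        if m:
            methods = _methods(m.group(2))
            if "radius" in methods and "local" not in methods:
                findings.append(Finding("medium", ln,
                    "RADIUS method list has no 'local' fallback: with every "
                    "RADIUS server down there is no way to log in"))
            continue

        # 'radius-server key SECRET', 'key 0 SECRET' (plain) or 'key 7 HEX'
        m = re.match(r"radius-server key (?:(0|7) )?(\S+)$", ln)
        if m:
            enc, key = m.group(1), m.group(2)
            if enc == "7":
                findings.append(Finding("medium", ln,
                    "shared secret stored as type 7: reversible obfuscation, "
                    "treat the config file as containing the plaintext"))
            elif len(key) < MIN_SECRET_LEN:
                findings.append(Finding("high", ln,
                    f"shared secret is {len(key)} chars (< {MIN_SECRET_LEN}): "
                    "RADIUS request/response integrity rests on this value"))
    return findings


def summarize(findings: list[Finding]) -> dict[str, int]:
    """Count findings per severity, e.g. {'medium': 1, 'high': 2}."""
    return dict(Counter(f.severity for f in findings))


if __name__ == "__main__":
    for f in audit_aaa(SAMPLE_CONFIG):
        print(f"[{f.severity:6}] {f.line}\n         {f.message}")
    print(summarize(audit_aaa(SAMPLE_CONFIG)))
```

On the sample this reports the `userauthen` list as medium and both the `enable ... none` line and the `CCIE` key as high; the `default` login and `exec` lists pass because they end in `local`. Newer IOS releases define servers under `radius server NAME` with the key inside the block, so the `radius-server key` regex would need to be extended for those configs.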


This archive was generated by hypermail 2.1.4 : Thu Feb 08 2007 - 23:46:55 ART