From: Noel Debouver III (noeldebouveriii@yahoo.com)
Date: Fri Jan 05 2007 - 15:44:41 ART
Try this on for size. Fill in the blanks.
Real Life Solution (sanitized):
!
username XXX password XXX
username XXX password XXX
username XXX password XXX
clock timezone XXX
clock summer-time XXX recurring
aaa new-model
!
aaa authentication login default group radius local
aaa authentication login userauthen group radius
aaa authentication enable default none
aaa authorization exec default group radius local
aaa authorization network groupauthor local
aaa accounting network acct_methods start-stop group radius
aaa session-id common
ip subnet-zero
!
ip domain name XXX
ip name-server x.x.x.x
ip name-server x.x.x.x
!
crypto isakmp policy 3
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key XXX address x.x.x.x no-xauth
crypto isakmp keepalive 90 12
!
crypto isakmp client configuration group XXX
 key XXX
 dns x.x.x.x x.x.x.x
 wins x.x.x.x x.x.x.x
 domain XXX
 pool XXX
 acl XXX
 access-restrict vlan1
 split-dns XXX
 netmask x.x.x.x
!
crypto ipsec transform-set XXX esp-3des esp-sha-hmac
crypto ipsec transform-set XXX esp-3des esp-sha-hmac
!
crypto dynamic-map dynmap 10
 set transform-set XXX
!
crypto map clientmap client authentication list XXX
crypto map clientmap isakmp authorization list XXX
crypto map clientmap client configuration address initiate
crypto map clientmap client configuration address respond
crypto map clientmap 2 ipsec-isakmp
 set peer x.x.x.x
 set transform-set XXX
 match address XXX
crypto map clientmap 10 ipsec-isakmp dynamic dynmap
!
interface Loopback0
 ip address x.x.x.x x.x.x.x
!
interface Loopback1
 ip address x.x.x.x x.x.x.x
 ip nat inside
 ip virtual-reassembly
!
interface FastEthernet0/0
 no ip address
 no cdp enable
!
interface FastEthernet0/1
 no ip address
 no cdp enable
!
interface vlan1
 ip address x.x.x.x x.x.x.x
 ip nat outside
 ip virtual-reassembly
 ip policy route-map XXX
 no cdp enable
 crypto map clientmap
 hold-queue 32 in
!
ip local pool XXX x.x.x.x x.x.x.x
ip route x.x.x.x x.x.x.x x.x.x.x
!
ip nat inside source list XXX interface Vlan1 overload
!
ip access-list extended XXX
ip access-list extended XXX
ip access-list extended XXX
ip access-list extended XXX
ip access-list extended XXX
ip access-list extended XXX
ip access-list extended XXX
ip access-list extended XXX
ip access-list extended XXX
 permit ip x.x.x.x x.x.x.x any
 permit ip x.x.x.x x.x.x.x any
 permit ip x.x.x.x x.x.x.x any
ip access-list extended XXX
 permit ip x.x.x.x x.x.x.x x.x.x.x x.x.x.x
 permit ip x.x.x.x x.x.x.x x.x.x.x x.x.x.x
 permit ip x.x.x.x x.x.x.x x.x.x.x x.x.x.x
 permit ip x.x.x.x x.x.x.x x.x.x.x x.x.x.x
 permit ip x.x.x.x x.x.x.x x.x.x.x x.x.x.x
 permit ip x.x.x.x x.x.x.x x.x.x.x x.x.x.x
ip access-list extended XXX
 permit ip x.x.x.x x.x.x.x x.x.x.x x.x.x.x
 permit ip x.x.x.x x.x.x.x x.x.x.x x.x.x.x
 permit ip x.x.x.x x.x.x.x x.x.x.x x.x.x.x
ip access-list extended XXX
 permit ip host x.x.x.x host x.x.x.x
 permit ip host x.x.x.x host x.x.x.x
 permit ip host x.x.x.x host x.x.x.x
 permit ip host x.x.x.x host x.x.x.x
 permit ip host x.x.x.x host x.x.x.x
ip access-list standard XXX
 permit x.x.x.x x.x.x.x
 permit x.x.x.x x.x.x.x
 permit x.x.x.x x.x.x.x
ip access-list extended XXX
ip radius source-interface Loopback0
!
route-map XXX permit 10
 match ip address XXX
 set interface XXX
!
radius-server attribute 6 on-for-login-auth
radius-server dead-criteria tries 2
radius-server host x.x.x.x auth-port 1645 acct-port 1646
radius-server host x.x.x.x auth-port 1645 acct-port 1646
radius-server retransmit 5
radius-server timeout 15
radius-server deadtime 5
radius-server key CCIE
radius-server vsa send accounting
radius-server vsa send authentication
!
This archive was generated by hypermail 2.1.4 : Thu Feb 08 2007 - 23:46:55 ART