A small ISP I do work for has recently been consolidating their equipment. One of their small branch offices has only a handful (5 or so) of users who receive Internet through a router, a Cisco 3725, using PPP with a RADIUS server for AAA and a Virtual-Access template.
Rather than keep a server dedicated to providing RADIUS, I'd like to decommission it and put the usernames, passwords, and any other rules into the router's configuration. I've done this in a test environment and noticed that it works, but with one major difference:
- In the original RADIUS setup, a brand-new Virtual-Access interface (Vi1, Vi2, Vi3, etc.) is created for each user.
- In the local setup, a subinterface of Virtual-Access1 (Vi1.1, Vi1.2, Vi1.3) is created for each user.
Is there a way to create a separate Virtual-Access interface for each user while keeping the authentication local?
Most of the configuration was copied from our production environment and has been heavily edited here:
version 12.3
service timestamps debug datetime year
service timestamps log datetime year
service password-encryption
!
hostname [removed]
!
boot-start-marker
boot-end-marker
!
logging buffered 131072 debugging
logging console alerts
enable password [removed]
!
aaa new-model
aaa session-mib disconnect
!
!
!
aaa authentication ppp default none
aaa authentication ppp [isp]-auth local
aaa authorization network [isp]-auth local
aaa accounting delay-start
aaa accounting update periodic 1
!
aaa attribute list [username 1 removed]
attribute type addr [ip 1 removed]
!
aaa attribute list [username 2 removed]
attribute type addr [ip 2 removed]
!
aaa attribute list [username 3 removed]
attribute type addr [ip 3 removed]
!
aaa session-id common
!
resource policy
!
no ip subnet-zero
ip cef
!
!
no ip dhcp use vrf connected
ip dhcp excluded-address 10.255.254.1 10.255.254.50
ip dhcp excluded-address 10.255.252.1 10.255.252.50
!
ip dhcp pool [isp]-wasteland1
network 10.255.254.0 255.255.254.0
domain-name [isp].com
dns-server 4.2.2.2 8.2.2.2
default-router 10.255.254.1
!
ip dhcp pool [isp]-wasteland2
network 10.255.252.0 255.255.254.0
domain-name [isp].com
dns-server 4.2.2.2 8.2.2.2
default-router 10.255.252.1
!
!
ip domain name [removed]
ip name-server 4.2.2.2
virtual-profile if-needed
virtual-profile virtual-template 11
!
no ftp-server write-enable
async-bootp dns-server 4.2.2.2 8.2.2.2
!
!
!
!
!
!
!
!
!
!
!
!
!
!
username [username] password [password]
username [username] password [password]
username [username] password [password]
... (5 more)
!
!
class-map match-all default-class
match any
!
!
[removed policy maps]
!
!
crypto isakmp ccm
!
!
!
bba-group pppoe global
virtual-template 11
!
!
interface Loopback0
no ip address
!
interface FastEthernet0/0
description [removed]
ip address [ip address] [subnet] secondary
ip address [ip address] [subnet]
duplex auto
speed auto
service-policy input [removed]
service-policy output [removed]
!
interface Serial0/0
no ip address
shutdown
!
interface FastEthernet0/1
description [removed]
no ip address
speed 100
full-duplex
!
interface FastEthernet0/1.217
description [removed]
encapsulation dot1Q 217
ip address [ip address] [subnet]
pppoe enable group global
!
interface FastEthernet0/1.218
description [removed]
encapsulation dot1Q 218
ip address [ip address] [subnet] secondary
ip address [ip address] [subnet]
pppoe enable group global
!
interface FastEthernet0/1.219
description [removed]
encapsulation dot1Q 219
ip address [ip address] [subnet]
service-policy input [removed]
service-policy output [removed]
!
interface FastEthernet0/1.220
description ** UNUSED **
encapsulation dot1Q 220
shutdown
!
interface FastEthernet0/1.221
description ** UNUSED **
encapsulation dot1Q 221
shutdown
!
!
interface Virtual-Template11
description PPPoE user
ip unnumbered FastEthernet0/0
peer default ip address pool [pool-name]
ppp authentication pap [isp]-auth
ppp authorization [isp]-auth
ppp accounting [isp]-auth
service-policy [removed]
service-policy [removed]
!
ip local pool [pool-name] [xxx.xxx.xxx].130 [xxx.xxx.xxx].189
ip local pool [pool-name] [xxx.xxx.xxx].64 [xxx.xxx.xxx].126
no ip classless
ip route 0.0.0.0 0.0.0.0 [gateway]
!
!
ip http server
no ip http secure-server
!
logging trap debugging
logging facility local4
logging [logging ip]
access-list 101 permit ip any any
snmp-server community [isp]-public RO
snmp-server community [isp]-read-write RW
!
!
!
!
control-plane
!
!
!
!
!
!
!
!
!
!
line con 0
line aux 0
line vty 0 4
privilege level 2
[password removed]
transport input telnet ssh
!
ntp clock-period 17180651
ntp server 204.2.134.164
ntp server 204.2.134.163
ntp server 77.66.37.130
!
end
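As an added example that is not part of the original post, here is one way to keep authentication local while still cloning a full Virtual-Access interface per PPPoE session, written in Cisco IOS configuration syntax. It assumes the 12.3T image supports the `virtual-template subinterface` global command and binding an `aaa attribute list` to a local username; bracketed names are placeholders.

```cisco
! Added example (not from the original post): local PPP authentication with
! one full Virtual-AccessN interface per PPPoE session instead of Vi1.x
! subinterfaces. Assumes an IOS 12.3T image that supports the
! "virtual-template subinterface" and "username ... aaa attribute list"
! commands; names in brackets are placeholders.
!
! Global: stop the router from cloning virtual-access subinterfaces, so
! every session gets its own Virtual-AccessN interface (required anyway
! when per-user configuration such as a fixed address is applied).
no virtual-template subinterface
!
! Named method lists only; no "default none" fallback that would let a
! session through unauthenticated if the named list were ever unbound.
aaa new-model
aaa authentication ppp [isp]-auth local
aaa authorization network [isp]-auth local
!
! Per-user attributes held locally. The list is bound to the local
! username so it is applied at PPP authorization time.
aaa attribute list [user1]-attrs
 attribute type addr [user1 static ip]
!
! "secret" stores an MD5 hash rather than the reversible type-7 encoding
! that "password" + service password-encryption produces.
username [user1] secret [password]
username [user1] aaa attribute list [user1]-attrs
!
interface Virtual-Template11
 description PPPoE user
 ip unnumbered FastEthernet0/0
 peer default ip address pool [pool-name]
 ppp authentication pap [isp]-auth
 ppp authorization [isp]-auth
!
bba-group pppoe global
 virtual-template 11
!
! Verify after a test login: sessions should be listed as Virtual-AccessN,
! not Vi1.N, in "show pppoe session".
```

Whether per-user attribute application alone is enough to force a full interface varies by release, so check the interface names after a test login rather than assuming the attribute list did it.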