TACACS+ Dial-Up Sample Config


Router Configuration
 !
 aaa new-model
 aaa authentication login default tacacs+ enable
 aaa authentication ppp default if-needed tacacs+
 aaa authorization exec tacacs+ if-authenticated
 aaa authorization commands 1 tacacs+ if-authenticated none
 aaa authorization commands 15 tacacs+ if-authenticated none
 aaa authorization network tacacs+ local
 enable password ww
 !
 chat-script default "" at&fls0=1&h1&r2&c1&d2&b1e0q2 OK
 !
 interface Ethernet0
  ip address 10.6.1.200 255.255.255.0
 !
 ! chap/ppp authentication user:
 interface Async1
  ip unnumbered Ethernet0
  encapsulation ppp
  async mode dedicated
  peer default ip address pool async
  no cdp enable
  ppp authentication chap
 !
 ! pap/ppp authentication user:
 interface Async2
  ip unnumbered Ethernet0
  encapsulation ppp
  async mode dedicated
  peer default ip address pool async
  no cdp enable
  ppp authentication pap
 !
 ! authentication user with autocommand ppp:
 interface Async3
  ip unnumbered Ethernet0
  encapsulation ppp
  async mode interactive
  peer default ip address pool async
  no cdp enable
 !
 ip local pool async 10.6.100.101 10.6.100.103
 tacacs-server host 171.68.118.101
 tacacs-server timeout 10
 tacacs-server key cisco
 !
 line 1
  session-timeout 20
  exec-timeout 120 0
  autoselect during-login
  script startup default
  script reset default
  modem Dialin
  transport input all
  stopbits 1
  rxspeed 115200
  txspeed 115200
  flowcontrol hardware
 !
 line 2
  session-timeout 20
  exec-timeout 120 0
  autoselect during-login
  script startup default
  script reset default
  modem Dialin
  transport input all
  stopbits 1
  rxspeed 115200
  txspeed 115200
  flowcontrol hardware
 !
 line 3
  session-timeout 20
  exec-timeout 120 0
  autoselect during-login
  autoselect ppp
  script startup default
  script reset default
  modem Dialin
  autocommand ppp
  transport input all
  stopbits 1
  rxspeed 115200
  txspeed 115200
  flowcontrol hardware
 !
 end
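
The AAA lines at the top of the router config are method lists, and how IOS walks them decides what happens when the TACACS+ server cannot be reached. The model below is an added example written for this page (not Cisco code): each method answers PASS, FAIL or ERROR, and IOS consults the next method only on ERROR (no server answered), never on FAIL (an explicit reject). The credentials are constructed from the page, namely `enable password ww` and the server-side `admin` user with `default service = permit` from the tac_plus file below; `local` and `if-needed` are not modelled.

```python
"""Model of the IOS AAA method-list fallback used by this page's router config
(added example written for this page; not Cisco code). Each method answers
PASS, FAIL or ERROR; IOS consults the next method in a list only on ERROR
(e.g. no TACACS+ server reachable), never on FAIL (an explicit reject).
Credential data is constructed from the page: 'enable password ww' and the
server's 'admin' user with 'default service = permit'."""
from enum import Enum


class Result(Enum):
    PASS = "pass"
    FAIL = "fail"
    ERROR = "error"


ENABLE_PASSWORD = "ww"                  # 'enable password ww' on the router
TACACS_PASSWORDS = {"admin": "admin"}   # server: login = cleartext "admin"
TACACS_PERMIT_ALL = {"admin"}           # server: default service = permit


def method_tacacs(ctx):
    """tacacs+: ERROR when the server is unreachable, otherwise a verdict."""
    if not ctx["server_up"]:
        return Result.ERROR
    if ctx["phase"] == "authen":
        ok = TACACS_PASSWORDS.get(ctx["user"]) == ctx["password"]
    else:                                # authorization request
        ok = ctx["user"] in TACACS_PERMIT_ALL
    return Result.PASS if ok else Result.FAIL


def method_enable(ctx):
    """enable: the shared enable password is accepted for any username."""
    return Result.PASS if ctx["password"] == ENABLE_PASSWORD else Result.FAIL


def method_if_authenticated(ctx):
    """if-authenticated: permit whoever already passed authentication."""
    return Result.PASS if ctx["authenticated"] else Result.FAIL


def method_none(ctx):
    """none: skip authorization entirely."""
    return Result.PASS


METHODS = {"tacacs+": method_tacacs, "enable": method_enable,
           "if-authenticated": method_if_authenticated, "none": method_none}


def evaluate(method_list, ctx):
    """Return (verdict, deciding method); (FAIL, None) if every method ERRORed."""
    for name in method_list:
        verdict = METHODS[name](ctx)
        if verdict is Result.ERROR:
            continue                     # only ERROR moves on to the next method
        return verdict, name
    return Result.FAIL, None


def login(user, password, server_up):
    """'aaa authentication login default tacacs+ enable' from the page."""
    ctx = {"phase": "authen", "user": user, "password": password,
           "server_up": server_up}
    return evaluate(["tacacs+", "enable"], ctx)


def authorize_commands15(user, authenticated, server_up):
    """'aaa authorization commands 15 tacacs+ if-authenticated none' from the page."""
    ctx = {"phase": "author", "user": user, "authenticated": authenticated,
           "server_up": server_up}
    return evaluate(["tacacs+", "if-authenticated", "none"], ctx)


if __name__ == "__main__":
    for up in (True, False):
        print("TACACS+ server", "reachable" if up else "UNREACHABLE")
        print("  login admin/admin   :", login("admin", "admin", up))
        print("  login admin/ww      :", login("admin", "ww", up))
        print("  login anyone/ww     :", login("anyone", "ww", up))
        print("  commands 15 (admin) :", authorize_commands15("admin", True, up))
```

Running it shows the two regimes a defender should keep in mind: while the server answers, a wrong password is a FAIL and the enable password is never consulted; once the server is unreachable, login falls back to the shared enable password for any username, and level-15 command authorization is granted through `if-authenticated`. The `none` at the end of the authorization lists is reached only if both earlier methods ERROR, which cannot happen for a user who just logged in.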

TAC+ Configuration File (on server)

 # Handshake with router--NAS needs 'tacacs-server key cisco':
 key = "cisco"
 
 # User who can telnet in to configure:
 user = admin {
         default service = permit
         login = cleartext "admin"
         }
 
 # ppp/chap authentication line 1 - password must be cleartext per chap spec
 user = chapuser {
         chap = cleartext "chapuser"
         service = ppp protocol = ip {
                 default attribute = permit
                 }
         }
 
 # ppp/pap authentication line 2
 user = papuser {
         login = file /etc/passwd
         service = ppp protocol = ip {
                 default attribute = permit
                 }
         }
 
 # authentication user line 3
 user = authauto {
         login = file /etc/passwd
         service = ppp protocol = ip {
                 default attribute = permit
                 }
         }

Windows 95 Setup for Users 1 and 2

  1. Go to Start, then Programs, Accessories, and Dial-Up Networking to open the Dial-Up Networking window.

  2. Choose Make New Connection from the Connections menu, and fill in a name for your connection.

  3. Enter your modem-specific information and click Configure. On the General Properties page select the highest speed of your modem, but do not check the "Only connect at this speed..." box.

  4. On the Configure/Connection properties page, use 8 data bits, no parity, and 1 stop bit. Call preferences to use are "Wait for dial tone before dialing" and "Cancel the call if not connected after 200 seconds."

  5. Click Advanced... on the Connection page. In the Advanced Connection Settings, select only "Hardware" Flow Control and Modulation Type "Standard."

  6. On the Configure/Options properties page, nothing should be checked except the box under Status Control.

     Click OK, then click Next, enter the Telephone Number of the destination, click Next again, then Finish.

     Once the new connection icon appears, right-click on it and click Properties, then Server Type.

  7. Select "PPP:WINDOWS 95, WINDOWS NT 3.5, Internet" and don't check any Advanced options. Under the Allowed Network Protocols, check at least TCP/IP.

  8. Under TCP/IP Settings..., select "Server assigned IP address," "Server assigned name server addresses," and "Use default gateway on remote network." Click OK.

  9. When the user double-clicks on the icon to bring up the Connect To window to dial, the user must fill in the User Name and Password fields, then click Connect.

Windows 95 Setup for User 3

Configuration for User 3 (authentication user with autocommand PPP) is the same as for Users 1 and 2 with
the following exceptions:

Recommended Debugging

On server (assuming you are using Cisco's UNIX server code):
  tac_plus_executable -C config.file -d 16
  tail -f /var/tmp/tac_plus.log
On router:
  term mon
  debug ppp negotiation
  debug ppp packet
  debug ppp chap
  debug aaa authentication
  debug aaa authorization

Copyright 1997 Cisco Systems, Inc.