使用VPDN群組和TACACS+的撥入VPDN組態

下載選項

PDF (371.9 KB)
在多種裝置上使用 Adobe Reader 檢視
ePub (83.5 KB)
在 iPhone、iPad、Android、Sony Reader 或 Windows Phone 上的各種應用程式中檢視
Mobi (Kindle) (69.9 KB)
在 Kindle 裝置或多部裝置的 Kindle 應用程式上檢視

已更新: 2010 年 2 月 4 日

文件 ID:10355

無偏見用語

本產品的文件集力求使用無偏見用語。針對本文件集的目的，無偏見係定義為未根據年齡、身心障礙、性別、種族身分、民族身分、性別傾向、社會經濟地位及交織性表示歧視的用語。由於本產品軟體使用者介面中硬式編碼的語言、根據 RFP 文件使用的語言，或引用第三方產品的語言，因此本文件中可能會出現例外狀況。深入瞭解思科如何使用包容性用語。

關於此翻譯

思科已使用電腦和人工技術翻譯本文件，讓全世界的使用者能夠以自己的語言理解支援內容。請注意，即使是最佳機器翻譯，也不如專業譯者翻譯的內容準確。Cisco Systems, Inc. 對這些翻譯的準確度概不負責，並建議一律查看原始英文文件（提供連結）。

用於客戶端訪問的思科路由器(NAS/LAC)和用於網路訪問的思科路由器(HGW/LNS)，兩者之間具有IP連線。
路由器的主機名或要在VPDN組上使用的本地名稱。
要使用的隧道協定。這可以是第2層通道(L2T)通訊協定或第2層轉送(L2F)通訊協定。
路由器用於驗證隧道的口令。
通道準則。這可以是域名，也可以是撥號號碼辨識服務(DNIS)。
使用者的使用者名稱和密碼（客戶端撥入）。
TACACS+伺服器的IP地址和金鑰。

NAS/LAC
HGW/LNS
NAS/LAC TACACS+配置檔案
HGW/LNS TACACS+配置檔案

NAS/LAC
! version 12.0 service timestamps debug datetime msec service timestamps log datetime msec ! hostname as5300 ! aaa new-model aaa authentication login default local aaa authentication login CONSOLE none aaa authentication ppp default if-needed group tacacs+ aaa authorization network default group tacacs+ enable password somethingSecret ! username john password 0 secret4me ! ip subnet-zero ! vpdn enable ! isdn switch-type primary-5ess ! controller T1 0 framing esf clock source line primary linecode b8zs pri-group timeslots 1-24 ! controller T1 1 framing esf clock source line secondary 1 linecode b8zs pri-group timeslots 1-24 ! controller T1 2 framing esf linecode b8zs pri-group timeslots 1-24 ! controller T1 3 framing esf linecode b8zs pri-group timeslots 1-24 ! interface Ethernet0 ip address 172.16.186.52 255.255.255.240 no ip directed-broadcast ! interface Serial023 no ip address no ip directed-broadcast encapsulation ppp ip tcp header-compression passive dialer rotary-group 1 isdn switch-type primary-5ess isdn incoming-voice modem no cdp enable ! interface Serial123 no ip address no ip directed-broadcast encapsulation ppp ip tcp header-compression passive dialer rotary-group 1 isdn switch-type primary-5ess isdn incoming-voice modem no cdp enable ! interface Serial223 no ip address no ip directed-broadcast encapsulation ppp ip tcp header-compression passive dialer rotary-group 1 isdn switch-type primary-5ess isdn incoming-voice modem no cdp enable ! interface Serial323 no ip address no ip directed-broadcast encapsulation ppp ip tcp header-compression passive dialer rotary-group 1 isdn switch-type primary-5ess isdn incoming-voice modem no cdp enable ! interface FastEthernet0 no ip address no ip directed-broadcast shutdown ! interface Group-Async1 ip unnumbered Ethernet0 no ip directed-broadcast encapsulation ppp ip tcp header-compression passive async mode interactive peer default ip address pool IPaddressPool no cdp enable ppp authentication chap group-range 1 96 ! interface Dialer1 ip unnumbered Ethernet0 no ip directed-broadcast encapsulation ppp ip tcp header-compression passive dialer-group 1 peer default ip address pool IPaddressPool no cdp enable ppp authentication chap ! ip local pool IPaddressPool 10.10.10.1 10.10.10.254 no ip http server ip classless ip route 0.0.0.0 0.0.0.0 172.16.186.49 ! tacacs-server host 172.16.171.9 tacacs-server key 2easy ! line con 0 login authentication CONSOLE transport input none line 1 96 autoselect during-login autoselect ppp modem Dialin line aux 0 line vty 0 4 ! end

NAS/LAC

!
version 12.0
service timestamps debug datetime msec
service timestamps log datetime msec
!
hostname as5300
!
aaa new-model
aaa authentication login default local
aaa authentication login CONSOLE none
aaa authentication ppp default if-needed group tacacs+
aaa authorization network default group tacacs+
enable password somethingSecret
!
username john password 0 secret4me
!
ip subnet-zero
!
vpdn enable
!
isdn switch-type primary-5ess
!
controller T1 0
 framing esf
 clock source line primary
 linecode b8zs
 pri-group timeslots 1-24
!
controller T1 1
 framing esf
 clock source line secondary 1
 linecode b8zs
 pri-group timeslots 1-24
!
controller T1 2
 framing esf
 linecode b8zs
 pri-group timeslots 1-24
!
controller T1 3
 framing esf
 linecode b8zs
 pri-group timeslots 1-24
!
interface Ethernet0
 ip address 172.16.186.52 255.255.255.240
 no ip directed-broadcast
!
interface Serial023
 no ip address
 no ip directed-broadcast
 encapsulation ppp
 ip tcp header-compression passive
 dialer rotary-group 1
 isdn switch-type primary-5ess
 isdn incoming-voice modem
 no cdp enable
!
interface Serial123
 no ip address
 no ip directed-broadcast
 encapsulation ppp
 ip tcp header-compression passive
 dialer rotary-group 1
 isdn switch-type primary-5ess
 isdn incoming-voice modem
 no cdp enable
!
interface Serial223
 no ip address
 no ip directed-broadcast
 encapsulation ppp
 ip tcp header-compression passive
 dialer rotary-group 1
 isdn switch-type primary-5ess
 isdn incoming-voice modem
 no cdp enable
!
interface Serial323
 no ip address
 no ip directed-broadcast
 encapsulation ppp
 ip tcp header-compression passive
 dialer rotary-group 1
 isdn switch-type primary-5ess
 isdn incoming-voice modem
 no cdp enable
!
interface FastEthernet0
 no ip address
 no ip directed-broadcast
 shutdown
!
interface Group-Async1
 ip unnumbered Ethernet0
 no ip directed-broadcast
 encapsulation ppp
 ip tcp header-compression passive
 async mode interactive
 peer default ip address pool IPaddressPool
 no cdp enable
 ppp authentication chap
 group-range 1 96
!
interface Dialer1
 ip unnumbered Ethernet0
 no ip directed-broadcast
 encapsulation ppp
 ip tcp header-compression passive
 dialer-group 1
 peer default ip address pool IPaddressPool
 no cdp enable
 ppp authentication chap
!
ip local pool IPaddressPool 10.10.10.1 10.10.10.254
no ip http server
ip classless
ip route 0.0.0.0 0.0.0.0 172.16.186.49
!
tacacs-server host 172.16.171.9
tacacs-server key 2easy
!
line con 0
 login authentication CONSOLE
 transport input none
line 1 96
 autoselect during-login
 autoselect ppp
 modem Dialin
line aux 0
line vty 0 4
!
end

HGW/LNS
! version 12.0 service timestamps debug uptime service timestamps log uptime ! hostname access-9 ! aaa new-model aaa authentication login default local aaa authentication login CONSOLE none aaa authentication ppp default if-needed group tacacs+ aaa authorization network default group tacacs+ enable password somethingSecret ! ip subnet-zero ! vpdn enable ! vpdn-group DEFAULT ! Default L2TP VPDN group accept-dialin protocol any virtual-template 1 local name LNS lcp renegotiation always l2tp tunnel password 0 not2tell ! vpdn-group POP1 accept-dialin protocol l2tp virtual-template 2 terminate-from hostname LAC local name LNS l2tp tunnel password 0 2secret ! vpdn-group POP2 accept-dialin protocol l2f virtual-template 3 terminate-from hostname NAS local name HGW lcp renegotiation always ! interface FastEthernet0/0 ip address 172.16.186.1 255.255.255.240 no ip directed-broadcast ! interface Virtual-Template1 ip unnumbered FastEthernet0/0 no ip directed-broadcast ip tcp header-compression passive peer default ip address pool IPaddressPool ppp authentication chap ! interface Virtual-Template2 ip unnumbered Ethernet0/0 no ip directed-broadcast ip tcp header-compression passive peer default ip address pool IPaddressPoolPOP1 compress stac ppp authentication chap ! interface Virtual-Template3 ip unnumbered Ethernet0/0 no ip directed-broadcast ip tcp header-compression passive peer default ip address pool IPaddressPoolPOP2 ppp authentication pap ppp multilink ! ip local pool IPaddressPool 10.10.10.1 10.10.10.254 ip local pool IPaddressPoolPOP1 10.1.1.1 10.1.1.254 ip local pool IPaddressPoolPOP2 10.1.2.1 10.1.2.254 ip classless no ip http server ! tacacs-server host 172.16.186.9 tacacs-server key not2difficult ! line con 0 login authentication CONSOLE transport input none line 97 120 line aux 0 line vty 0 4 ! ! end

HGW/LNS

!
version 12.0
service timestamps debug uptime
service timestamps log uptime
!
hostname access-9
!
aaa new-model
aaa authentication login default local
aaa authentication login CONSOLE none
aaa authentication ppp default if-needed group tacacs+
aaa authorization network default group tacacs+
enable password somethingSecret
!
ip subnet-zero
!
vpdn enable
!
vpdn-group DEFAULT
! Default L2TP VPDN group
 accept-dialin
  protocol any
  virtual-template 1
 local name LNS
 lcp renegotiation always
 l2tp tunnel password 0 not2tell
!
vpdn-group POP1
 accept-dialin
  protocol l2tp
  virtual-template 2
 terminate-from hostname LAC
 local name LNS
 l2tp tunnel password 0 2secret
!
vpdn-group POP2
 accept-dialin
  protocol l2f
  virtual-template 3
 terminate-from hostname NAS
 local name HGW
 lcp renegotiation always
!
interface FastEthernet0/0
 ip address 172.16.186.1 255.255.255.240
 no ip directed-broadcast
!
interface Virtual-Template1
 ip unnumbered FastEthernet0/0
 no ip directed-broadcast
 ip tcp header-compression passive
 peer default ip address pool IPaddressPool
 ppp authentication chap
!
interface Virtual-Template2
 ip unnumbered Ethernet0/0
 no ip directed-broadcast
 ip tcp header-compression passive
 peer default ip address pool IPaddressPoolPOP1
 compress stac
 ppp authentication chap
!
interface Virtual-Template3
 ip unnumbered Ethernet0/0
 no ip directed-broadcast
 ip tcp header-compression passive
 peer default ip address pool IPaddressPoolPOP2
 ppp authentication pap
 ppp multilink
!
ip local pool IPaddressPool 10.10.10.1 10.10.10.254
ip local pool IPaddressPoolPOP1 10.1.1.1 10.1.1.254
ip local pool IPaddressPoolPOP2 10.1.2.1 10.1.2.254
ip classless
no ip http server
!
tacacs-server host 172.16.186.9
tacacs-server key not2difficult
!
line con 0

login authentication CONSOLE
transport input none
line 97 120
line aux 0
line vty 0 4
!
!
end

NAS/LAC TACACS+配置檔案
key = 2easy # Use L2TP tunnel to 172.16.186.1 when 4085555100 is dialed user = dnis:4085555100 { service = ppp protocol = vpdn { tunnel-id = anonymous ip-addresses = 172.16.186.1 tunnel-type = l2tp } } # Password for tunnel authentication user = anonymous { chap = cleartext not2tell } ### # Use L2TP tunnel to 172.16.186.1 when 4085555200 is dialed user = dnis:4085555200 { service = ppp protocol = vpdn { tunnel-id = LAC ip-addresses = 172.16.186.1 tunnel-type = l2tp } } # Password for tunnel authentication user = LAC { chap = cleartext 2secret } ### # Use L2F tunnel to 172.16.186.1 when user authenticates with cisco.com domain user = cisco.com { service = ppp protocol = vpdn { tunnel-id = NAS ip-addresses = 172.16.186.1 tunnel-type = l2f } } # Password for tunnel authentication user = NAS { chap = cleartext cisco } # Password for tunnel authentication user = HGW { chap = cleartext cisco }

NAS/LAC TACACS+配置檔案

key = 2easy

# Use L2TP tunnel to 172.16.186.1 when 4085555100 is dialed
user = dnis:4085555100 {
         service = ppp protocol = vpdn {
           tunnel-id = anonymous
           ip-addresses = 172.16.186.1
           tunnel-type = l2tp
         }
       }

# Password for tunnel authentication
user = anonymous {
         chap = cleartext not2tell
       }

###

# Use L2TP tunnel to 172.16.186.1 when 4085555200 is dialed
user = dnis:4085555200 {
         service = ppp protocol = vpdn {
           tunnel-id = LAC
           ip-addresses = 172.16.186.1
           tunnel-type = l2tp
         }
       }

# Password for tunnel authentication
user = LAC {
         chap = cleartext 2secret
       }

###

# Use L2F tunnel to 172.16.186.1 when user authenticates with cisco.com domain
user = cisco.com {
         service = ppp protocol = vpdn {
           tunnel-id = NAS
           ip-addresses = 172.16.186.1
           tunnel-type = l2f
         }
       }

# Password for tunnel authentication
user = NAS {
         chap = cleartext cisco
       }

# Password for tunnel authentication
user = HGW {
         chap = cleartext cisco
       }

HGW/LNS TACACS+配置檔案
key = not2difficult # Password for tunnel authentication user = NAS { chap = cleartext cisco } # Password for tunnel authentication user = HGW { chap = cleartext cisco } user = santiago { chap = cleartext letmein service = ppp protocol = lcp { } service = ppp protocol = ip { } } user = santiago@cisco.com { global = cleartext letmein service = ppp protocol = lcp { } service = ppp protocol = multilink { } service = ppp protocol = ip { } }

HGW/LNS TACACS+配置檔案

key = not2difficult

# Password for tunnel authentication
user = NAS {
         chap = cleartext cisco
       }

# Password for tunnel authentication
user = HGW {
         chap = cleartext cisco
       }

user = santiago {
         chap = cleartext letmein

         service = ppp protocol = lcp { }
         service = ppp protocol = ip { }
       }

user = santiago@cisco.com {
         global = cleartext letmein

         service = ppp protocol = lcp { }
         service = ppp protocol = multilink { }
         service = ppp protocol = ip { }
       }

驗證

本節提供的資訊可用於確認組態是否正常運作。

輸出直譯器工具支援某些show命令(僅供註冊客戶使用)，透過該工具可檢視對show命令輸出的分析。

show vpdn tunnel all -顯示所有活動隧道的詳細資訊。
show user -顯示連線的使用者的名稱。
show interface virtual-access #- 可用於檢查HGW/LNS上特定虛擬介面的狀態。

疑難排解

本節提供的資訊可用於對組態進行疑難排解。

疑難排解指令

注意：在發出debug命令之前，請參閱有關Debug命令的重要資訊。

debug vpdn l2x-events— 顯示NAS/LAC和HGW/LNS之間的對話方塊，以便建立隧道或會話。
debug ppp authentication -使您可以檢查客戶端是否正在傳遞身份驗證。
debug ppp negotiation -使您可以檢查客戶端是否正在傳遞PPP協商。您可以看到正在協商的選項（如回叫、MLP等）和協定（如IP、IPX等）。
debug ppp error -顯示與PPP連線協商和操作相關的協定錯誤和錯誤統計資料。
debug vtemplate -顯示HGW/LNS上虛擬訪問介面的克隆。您可以看到在撥號連線開始時建立（從虛擬模板克隆）介面的時間，以及連線終止後銷毀介面的時間。
debug aaa authentication -使您可以檢查使用者或隧道是否由身份驗證、授權和記帳(AAA)伺服器進行身份驗證。
debug aaa authorization -使您可以檢查使用者是否受到AAA伺服器的授權。
debug aaa per-user -使您可以檢查應用於已驗證的每個使用者的內容。這與上面列出的一般調試不同。

使用VPDN群組和TACACS+的撥入VPDN組態

下載選項

無偏見用語

關於此翻譯

目錄

簡介

必要條件

需求

採用元件

慣例

背景資訊

設定

網路圖表

組態

驗證

疑難排解

疑難排解指令

相關資訊

修訂記錄

這份文件是否有所幫助？

讓思科協助您

本文件適用於這些產品