Ho to prevent vpdn users to access router ?

- J
- John Doe
  
  Contact options for registered users
posted
17 years ago

Mon, Oct 16, 2006 10:44 AM

Hi

I have a router configured as vpdn dial-in device. I authenticate via radius. How can I prevent my dial-in users to login to the router itself. Some of the dial-in users are also admins, and I do not want to remove the radius auth on login.

My config:

aaa authentication login default local group radius aaa authentication login console none aaa authentication ppp default local group radius aaa authorization network default local group radius aaa authorization auth-proxy default group radius

Typical radius users

myuser User-Password == "fatchance" Service-Type = Framed-User, Framed-Protocol = PPP, Filter-Id = "StdUser"

Brgds Johan

- P
- Peter
  
  Contact options for registered users
Vote on answer
posted
17 years ago

Tue, Oct 17, 2006 9:37 AM

Hi John,

How can I prevent my dial-in users to login to the router itself.

radius auth on login.

Its actually very simple, just put an ACL on the VTY port either blocking access from the untrusted segment or allowingn only trusted segments in.

Cheers..............pk.

- J
- John Doe
  
  Contact options for registered users
Vote on answer
posted
17 years ago

Fri, Oct 20, 2006 12:50 PM

Well thanks.. Yes, that is one way, but my network admins may move around, and I would like the freedom of allowing them access from whereever they may be. Is there no parameter in Radius where you can control who has access to login to IOS, and who can use the box as endpoint for a vpn ?

Brgds Johan