Download and install radiusd for your server platform. Edit /etc/raddb/users and create one entry for each client. We show two examples: one that uses the callerID (the number the client calls from) for authentication, and one that uses a password. RADIUS does not send cleartext passwords, but keep in mind that PAP/CHAP authentication does. We use callerID whenever possible.
    username1 Calling-Station-Id = "12345678"
              Framed-Route = "192.168.1.0/24 0.0.0.0 1",
              Service-Type = Framed-User,
              Framed-Protocol = PPP,
              Framed-IP-Address = "255.255.255.254",
              Framed-MTU = 1500,
              Framed-Compression = Van-Jacobson-TCP-IP

    username2 Auth-Type = Local, Password = "mysecret"
              Framed-Route = "192.168.2.0/24 0.0.0.0 1",
              Service-Type = Framed-User,
              Framed-Protocol = PPP,
              Framed-IP-Address = "255.255.255.254",
              Framed-MTU = 1500,
              Framed-Compression = Van-Jacobson-TCP-IP
In this setup, each user has a class C network assigned to them (the Framed-Route), and that network is routed to their connection whenever they are online. The first line of each entry holds the check items (callerID or password), the indented lines hold the reply items sent back to the router. In addition, a gateway address is assigned to their router interface from a pool defined further down: 192.168.252.1 255.255.255.128
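To catch mistakes in the users file before they reach the router, here is a small checker added for this article (it is not part of radiusd or of the original text). It parses entries in the layout above (user name and check items on the first line, indented reply items below), flags entries that rely on a password instead of Calling-Station-Id, validates each Framed-Route prefix, and reports routes that overlap another user's route, the Loopback0 network or the link-address pool used later in the router configuration. The sample users file, the username3/username4 entries and all their numbers are constructed for the example.

```python
import ipaddress
import re

# Constructed sample in the radiusd users-file layout used above; the
# four entries and their numbers are made up for this example.
USERS_FILE = """\
username1 Calling-Station-Id = "12345678"
          Framed-Route = "192.168.1.0/24 0.0.0.0 1",
          Service-Type = Framed-User,
          Framed-Protocol = PPP,
          Framed-IP-Address = "255.255.255.254",
          Framed-MTU = 1500,
          Framed-Compression = Van-Jacobson-TCP-IP

username2 Auth-Type = Local, Password = "mysecret"
          Framed-Route = "192.168.2.0/24 0.0.0.0 1",
          Service-Type = Framed-User,
          Framed-Protocol = PPP

username3 Auth-Type = Local, Password = "other"
          Framed-Route = "192.168.1.128/25 0.0.0.0 1",
          Service-Type = Framed-User

username4 Calling-Station-Id = "87654321"
          Framed-Route = "192.168.252.0/24 0.0.0.0 1",
          Service-Type = Framed-User
"""

# Address space the router itself uses (the Loopback0 network and the
# link-address pool from the configuration on this page); a user's
# Framed-Route must not overlap either of them.
RESERVED = {
    "Loopback0 network": [ipaddress.ip_network("192.168.253.0/24")],
    "link address pool": list(ipaddress.summarize_address_range(
        ipaddress.ip_address("192.168.252.1"),
        ipaddress.ip_address("192.168.252.128"))),
}

# attribute, operator, value; values are quoted strings or bare words
ITEM_RE = re.compile(r'([\w-]+)\s*(==|:=|\+=|=)\s*("[^"]*"|[^,\s]+)')


def parse_users(text):
    """Split a users file into entries {"name", "check": {...}, "reply": {...}}.

    An entry starts at column 0 with the user name followed by its check
    items; indented continuation lines hold the reply items.
    """
    entries, current = [], None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] not in " \t":
            parts = raw.split(None, 1)
            current = {"name": parts[0], "check": {}, "reply": {}}
            entries.append(current)
            target, body = current["check"], parts[1] if len(parts) > 1 else ""
        elif current is None:
            raise ValueError("reply item before any user entry: %r" % raw)
        else:
            target, body = current["reply"], raw
        for attr, _op, value in ITEM_RE.findall(body):
            target[attr] = value.strip('"')
    return entries


def audit(entries):
    """Return findings: password-only entries, bad or overlapping routes."""
    findings, claimed = [], []
    for entry in entries:
        name, check, reply = entry["name"], entry["check"], entry["reply"]
        if "Calling-Station-Id" not in check:
            if "Password" in check or "Cleartext-Password" in check:
                findings.append(f"{name}: authenticates by password only; prefer Calling-Station-Id where possible")
            else:
                findings.append(f"{name}: no Calling-Station-Id and no password check item")
        route = reply.get("Framed-Route")
        if route is None:
            continue
        try:  # strict=True rejects prefixes with host bits set
            net = ipaddress.ip_network(route.split()[0], strict=True)
        except ValueError:
            findings.append(f"{name}: malformed Framed-Route {route!r}")
            continue
        for other_name, other in claimed:
            if net.overlaps(other):
                findings.append(f"{name}: Framed-Route {net} overlaps {other} of {other_name}")
        for label, nets in RESERVED.items():
            if any(net.overlaps(r) for r in nets):
                findings.append(f"{name}: Framed-Route {net} overlaps the {label}")
        claimed.append((name, net))
    return findings


if __name__ == "__main__":
    for line in audit(parse_users(USERS_FILE)):
        print(line)
```

Run it against your real /etc/raddb/users by reading the file into `parse_users`; every finding is something the router will otherwise discover only when a user dials in.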
Before proceeding, make sure you won't shoot yourself in the foot. In case you get the RADIUS settings wrong (or the RADIUS server becomes unavailable) it's important that you can still get into the router, so the vty lines use a login method list that does not depend on RADIUS:
    line vty 0 4
     exec-timeout 30 0
     password 534cvaze
     login authentication no_radius
    !
Now we're ready to configure AAA, Cisco's general-purpose authentication, authorization and accounting framework. 192.168.1.2 is the IP address of our RADIUS server. You may add multiple servers; they will be checked in the order they appear.
    aaa new-model
    aaa group server radius hovik
     server 192.168.1.2 auth-port 1645 acct-port 1646
    !
    aaa authentication login no_radius enable
    aaa authentication login radius-login group radius local
    aaa authentication login physical group radius enable
    aaa authentication ppp default group radius
    aaa authentication ppp radius-ppp if-needed group radius
    aaa authorization network test group radius local
    aaa accounting network default start-stop group radius
Link IP addresses will be supplied by RADIUS, so the following statement should not contain any IP addresses:
    ip address-pool local
To get the routing right, we have to add a loopback interface. Be careful if you already have loopback interfaces defined; change the number if necessary. The IP network must not be used anywhere else, as the router will use it internally.
    interface Loopback0
     ip address 192.168.253.1 255.255.255.0
     no ip directed-broadcast
    !
Next, set up a common Dialer interface. This is a way of setting common parameters for each dial-in interface; we will later make all dial-in interfaces members of this rotary group.
    interface Dialer1
     ip unnumbered Loopback0
     ip directed-broadcast
     ip nat inside
     encapsulation ppp
     dialer in-band
     dialer idle-timeout 600
     dialer fast-idle 600
     dialer-group 1
     peer default ip address pool default
     no fair-queue
     no cdp enable
     ppp authentication chap
     ppp authorization test
     ppp multilink
     ppp timeout authentication 30
    !
Now make all the dial-in interfaces part of that dialer group:
    interface BRI1/0
     no ip address
     no ip directed-broadcast
     ip nat inside
     encapsulation ppp
     dialer rotary-group 1
     isdn switch-type basic-net3
     isdn incoming-voice modem
     no fair-queue
     no cdp enable
    !
Set up the IP address pool used for assigning link addresses:
    ip local pool default 192.168.252.1 192.168.252.128
We will only allow TCP/IP; you may wish to add other protocols if you want to support IPX, VPN or tunneling protocols.
    dialer-list 1 protocol ip permit
Finally, set up details for the RADIUS server. If you specified more than one, add one block for each of them.
    radius-server host 192.168.1.2 auth-port 1645 acct-port 1646
    radius-server retransmit 2
    radius-server timeout 10
    radius-server key dill
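Before testing, it is worth checking the configuration for the lock-out and dangling-reference mistakes the steps above warn about. The following script is an added example for this article, not part of the original how-to or of any Cisco tool. It parses a constructed IOS fragment modelled on the one above (the second vty block, the 'radius-only' list and the 192.168.1.3 server are made up so the checks have something to find) and reports vty login lists without a local or enable fallback, group servers with no matching radius-server host, method lists referenced from vty or Dialer interfaces that are never defined, and a missing radius-server key.

```python
import re

# Constructed IOS fragment modelled on the configuration above; the
# 'radius-only' list, 'line vty 5 15' and server 192.168.1.3 are made up.
CONFIG = """\
aaa new-model
aaa group server radius hovik
 server 192.168.1.2 auth-port 1645 acct-port 1646
 server 192.168.1.3 auth-port 1645 acct-port 1646
!
aaa authentication login no_radius enable
aaa authentication login radius-login group radius local
aaa authentication login radius-only group radius
aaa authentication ppp default group radius
aaa authentication ppp radius-ppp if-needed group radius
aaa authorization network test group radius local
aaa accounting network default start-stop group radius
!
interface Dialer1
 encapsulation ppp
 ppp authentication chap
 ppp authorization test
!
line vty 0 4
 login authentication no_radius
line vty 5 15
 login authentication radius-only
!
radius-server host 192.168.1.2 auth-port 1645 acct-port 1646
radius-server key dill
"""

# Methods that still work when every RADIUS server is unreachable.
FALLBACK = {"local", "local-case", "enable", "line", "none"}
# Keywords that may precede the list name on 'ppp authentication'.
PPP_WORDS = {"chap", "pap", "ms-chap", "ms-chap-v2", "eap", "callin", "one-time", "optional"}
AAA_LIST_RE = re.compile(r"aaa (authentication|authorization) (\S+) (\S+) (.+)")


def parse_sections(text):
    """Return (top-level commands, {section header: [sub-commands]}).

    IOS indents sub-commands of interface/line/group blocks by a space;
    a '!' or blank line, or the next unindented command, ends the block.
    """
    top, sections, current = [], {}, None
    for line in text.splitlines():
        if not line.strip() or line.startswith("!"):
            current = None
            continue
        if line[0] in " \t":
            if current is not None:
                sections[current].append(line.strip())
        else:
            current = line.strip()
            top.append(current)
            sections.setdefault(current, [])
    return top, sections


def methods(tokens):
    """Fold 'group <name>' pairs into single 'group:<name>' method tokens."""
    out, it = [], iter(tokens)
    for tok in it:
        out.append(f"group:{next(it)}" if tok == "group" else tok)
    return out


def audit(text):
    """Return findings about lock-out risk and dangling AAA references."""
    top, sections = parse_sections(text)
    findings = []
    if "aaa new-model" not in top:
        findings.append("aaa new-model is missing; the aaa lines are ignored without it")
    lists = {}  # (kind, type, name) -> method tokens
    for cmd in top:
        m = AAA_LIST_RE.match(cmd)
        if m:
            lists[(m.group(1), m.group(2), m.group(3))] = methods(m.group(4).split())
    groups = {h.split()[-1]: subs for h, subs in sections.items()
              if h.startswith("aaa group server radius ")}
    hosts = {c.split()[2] for c in top if c.startswith("radius-server host ")}
    if not any(c.startswith("radius-server key") for c in top):
        findings.append("no radius-server key configured")
    for gname, subs in groups.items():
        for sub in subs:
            if sub.startswith("server ") and sub.split()[1] not in hosts:
                findings.append(f"aaa group {gname}: server {sub.split()[1]} has no radius-server host entry")
    for (kind, typ, name), meths in lists.items():
        for m in meths:
            if m.startswith("group:") and m[6:] not in ("radius", "tacacs+") and m[6:] not in groups:
                findings.append(f"aaa {kind} {typ} {name}: undefined server group {m[6:]}")
    for header, subs in sections.items():
        if header.startswith("line vty"):
            ref = next((s.split()[2] for s in subs if s.startswith("login authentication ")), "default")
            meths = lists.get(("authentication", "login", ref))
            if meths is None:
                findings.append(f"{header}: login authentication list {ref!r} is not defined")
            elif not FALLBACK & set(meths):
                findings.append(f"{header}: list {ref!r} has no local/enable fallback; a RADIUS outage locks you out")
        elif header.startswith("interface Dialer"):
            for s in subs:
                words = s.split()
                if s.startswith("ppp authorization ") and ("authorization", "network", words[2]) not in lists:
                    findings.append(f"{header}: ppp authorization list {words[2]!r} is not defined")
                if s.startswith("ppp authentication "):
                    ref = next((w for w in words[2:] if w not in PPP_WORDS), "default")
                    if ("authentication", "ppp", ref) not in lists:
                        findings.append(f"{header}: ppp authentication list {ref!r} is not defined")
    return findings


if __name__ == "__main__":
    for line in audit(CONFIG):
        print(line)
```

Feed it the output of `show running-config` from your own router; an empty result means every referenced list, group and server exists and each vty line keeps a non-RADIUS way in.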
You should now be ready to test your setup.