Configuring PPTP

Cisco routers support PPTP voluntary tunnel mode and function as the PAC, with the client functioning as the PNS. Configuration is not the main theme of this chapter, but because misconfiguration is always one of the most common causes of problems, basic configuration of PPTP on Cisco routers is briefly reviewed here. A number of configuration tasks have to be completed to enable PPTP. These steps are summarized as follows:
To enable local authentication, all that is required is the following:

    username username password password

In this case, the username of the remote access client/PNS and its password are specified. Alternatively, remote AAA can be configured. Remote AAA is much more scalable than local authentication. Example 3-1 shows the configuration of remote AAA.

Example 3-1. Configuring Remote AAA

    aaa new-model
    aaa authentication login default group radius local
    aaa authentication ppp default group radius
    aaa authorization network default group radius
    aaa accounting network default start-stop group radius
    radius-server host 10.20.10.5 auth-port 1645 acct-port 1646 key cisco

The aaa new-model command is used to globally enable authentication, authorization, and accounting. The aaa authentication login default group radius local command is not directly related to PPTP configuration but is included to illustrate a complete remote AAA configuration. It configures a default method list for login authentication. This default method list specifies that Remote Authentication Dial-In User Service (RADIUS) should be used for login authentication, and that in the event that the RADIUS server is unreachable, local authentication should be used. The third command, aaa authentication ppp default group radius, creates a default method list specifying RADIUS for PPP authentication. The aaa authorization network default group radius command is used to configure authorization for network-related services (including PPP). In this case, a default method list is used to specify that the RADIUS server should again be queried for authorization. Accounting is then enabled with the command aaa accounting network default start-stop group radius. This command specifies that for network services, an accounting notice should be sent to the RADIUS server when the service starts and when the service stops. Again, this command is not essential for PPTP but is included to illustrate a complete AAA configuration.
Finally, the RADIUS server IP address, authentication/authorization and accounting ports, and the key are specified using the radius-server host 10.20.10.5 auth-port 1645 acct-port 1646 key cisco command. Note that the authentication/authorization and accounting ports specified here (1645 and 1646, respectively) are the Cisco defaults. Some RADIUS servers may require you to use ports 1812 and 1813, however.

The next stage of the configuration is to enable virtual private dialup networks (VPDNs, of which PPTP is one type) globally on the router. This is achieved as follows:

    vpdn enable

Having enabled VPDNs, the VPDN group must be configured. Example 3-2 shows the configuration of the VPDN group.

Example 3-2. Configuring the VPDN Group

    vpdn-group 1
     accept-dialin
      protocol pptp
      virtual-template 1

The first line in the configuration, vpdn-group 1, defines the name of the VPDN group. In this case it is 1. The second line of the configuration (accept-dialin) allows the router to accept inbound VPDN connections. The third line (protocol pptp) specifies that the VPDN protocol to be used is PPTP. The last line in the configuration (virtual-template 1) specifies that any inbound PPP connections should be terminated on virtual access interfaces whose configuration is cloned (copied) from virtual template 1. Virtual access interfaces are dynamically created when remote access clients connect to the PAC.

After the VPDN group has been defined, the next step is the configuration of the virtual template. Example 3-3 shows the configuration of the virtual template.

Example 3-3. Configuring the Virtual Template

    interface Virtual-Template1
     ip unnumbered Ethernet1/1
     peer default ip address pool PPTPPool
     ppp encrypt mppe 40 required
     ppp authentication ms-chap

In the first line of the virtual template configuration, ip unnumbered is applied to the interface.
In this case, when the configuration is cloned to the virtual access interfaces, the IP address of interface Ethernet 1/1 will be applied; this saves on IP addresses. In this particular example, the PAC has only two interfaces (see Example 3-5), but if your PAC has more interfaces, a better choice of interface to specify with the ip unnumbered command is a loopback interface (it is always up).

The next command, peer default ip address pool PPTPPool, specifies a pool of IP addresses. Addresses from this pool are assigned to remote access clients connecting to the router (PAC). The pool name in this example is PPTPPool. Note that another method that you can use for IP address assignment is via Dynamic Host Configuration Protocol (DHCP). In this case, the peer default ip address dhcp command should be used. The DHCP server address can then be specified using the ip dhcp-server {server_name | server_ip_address} global configuration mode command.

The ppp encrypt mppe 40 required command is next. This is an optional command, which specifies that Microsoft Point-to-Point Encryption (MPPE) should be used on the tunnel between the remote access client/PNS and the router (PAC). Note that MPPE uses the RC4 variable-key-size cipher, and two session key sizes are configurable: 40-bit and 128-bit. In this case, the key is specified as 40 bits, and the keyword required is applied. The required keyword means that should the router (PAC) not be able to negotiate MPPE encryption with the remote access client/PNS, the connection is dropped. MPPE can alternatively be configured with the passive keyword, as follows:

    ppp encrypt mppe 40 passive

If this configuration is used, the PAC attempts to negotiate MPPE with the remote access client/PNS, but does not drop the connection if that negotiation is unsuccessful.

The virtual template interface is also configured for Microsoft CHAP authentication. Note that this is a Microsoft requirement when using MPPE.
User-specific interface configuration can also be stored on a AAA server and downloaded by the PAC when users connect. This configuration is beyond the scope of this chapter, so for some examples of this (in the form cisco-avpair = "lcp:interface-config=") see the document entitled "Configuring Virtual Profiles" on www.cisco.com.

The final part of the configuration involves the configuration of the IP address pool (PPTPPool), together with DNS and WINS (NetBIOS Name Server) server addresses to be provided to the remote access client/PNS. Example 3-4 shows the configuration of the address pool, together with DNS and WINS server addresses.

Example 3-4. Configuring the IP Address Pool and DNS and WINS Server Addresses

    ip local pool PPTPPool 192.168.2.1 192.168.2.10
    async-bootp dns-server 192.168.1.10
    async-bootp nbns-server 192.168.1.12

In this example, ten IP addresses are configured in the pool (192.168.2.1 to 192.168.2.10). Only ten concurrent PPTP remote access client/PNS connections can, therefore, be accommodated. The DNS and WINS server addresses are specified as 192.168.1.10 and 192.168.1.12, respectively.

Example 3-5 shows a complete basic PAC configuration using local authentication.

Example 3-5. Basic PAC Configuration with Local Authentication

    Arizona_PAC#show running-config
    Building configuration...

    Current configuration : 2323 bytes
    !
    version 12.2
    service timestamps debug datetime msec localtime show-timezone
    service timestamps log datetime msec localtime show-timezone
    service password-encryption
    !
    hostname Arizona_PAC
    !
    !
    ! Configure the remote access clients' usernames and passwords
    username saru password 7 070C285F4D06
    username mo password 7 104D000A0618
    username ki password 7 13061E010803
    username kara password 7 05080F1C2243
    username ochiru password 7 00071A150754
    ip subnet-zero
    ip cef
    !
    !
    no ip domain-lookup
    !
    ! Configure the DNS and WINS server addresses
    async-bootp dns-server 192.168.1.10
    async-bootp nbns-server 192.168.1.12
    !
    !
    ! Enable VPDNs (including PPTP)
    vpdn enable
    ! Configure the VPDN group for PPTP remote access clients
    vpdn-group 1
    ! Default PPTP VPDN group
     accept-dialin
      protocol pptp
      virtual-template 1
    !
    interface Ethernet1/0
     ip address 10.10.10.100 255.255.255.0
     duplex half
    !
    interface Ethernet1/1
     ip address 192.168.1.1 255.255.255.0
     duplex half
    !
    ! Configure the virtual template
    interface Virtual-Template1
     ip unnumbered Ethernet1/1
     peer default ip address pool PPTPPool
     ppp encrypt mppe 40 required
     ppp authentication ms-chap
    !
    ! Configure the IP address pool
    ip local pool PPTPPool 192.168.2.1 192.168.2.10
    ip classless
    ip route 0.0.0.0 0.0.0.0 10.10.10.101
    !
    !
    line con 0
     password 7 13061E010803
     login
    line aux 0
    line vty 0 4
     password 7 1511021F0725
     login
    !
    end

Before finishing this section, it is worth noting that PPTP traffic is either CEF or process switched on Cisco routers.
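As an added example (not from the book, and not Cisco's own tooling), the following Python script checks the PPTP-related parts of a PAC running-config for the misconfigurations and weaker choices discussed in this section: vpdn enable missing, a vpdn-group that points at an undefined virtual template, a pool that is referenced but never defined, MPPE that is not 128-bit and required, and MS-CHAP without MS-CHAPv2. The sample configuration, the finding messages and the ms-chap-v2 recommendation are the example's own assumptions.

```python
import ipaddress
import re

# Constructed sample running-config fragment; it deliberately uses the weaker choices.
SAMPLE_CONFIG = """\
vpdn enable
vpdn-group 1
 accept-dialin
  protocol pptp
  virtual-template 1
interface Virtual-Template1
 peer default ip address pool PPTPPool
 ppp encrypt mppe 40 passive
 ppp authentication ms-chap
ip local pool PPTPPool 192.168.2.1 192.168.2.10
"""

def pool_size(lo, hi):
    """Number of addresses in an 'ip local pool <name> <lo> <hi>' range, inclusive."""
    return int(ipaddress.ip_address(hi)) - int(ipaddress.ip_address(lo)) + 1

def lint_pptp_config(config):
    """Return (severity, message) findings for the PPTP-related parts of a PAC config."""
    text = "\n".join(ln.strip() for ln in config.splitlines() if ln.strip())
    out = []
    if not re.search(r"^vpdn enable$", text, re.M):
        out.append(("error", "vpdn enable missing: the PAC will not accept PPTP sessions"))
    # A vpdn-group naming a virtual template the router does not have is a classic misconfiguration.
    defined = set(re.findall(r"^interface Virtual-Template(\d+)$", text, re.M))
    out += [("error", f"Virtual-Template{t} referenced by a vpdn-group but not defined")
            for t in re.findall(r"^virtual-template (\d+)$", text, re.M) if t not in defined]
    # The pool named on the template must exist; its size caps concurrent PPTP clients.
    pools = {m[0]: (m[1], m[2]) for m in re.findall(r"^ip local pool (\S+) (\S+) (\S+)$", text, re.M)}
    for name in re.findall(r"^peer default ip address pool (\S+)$", text, re.M):
        if name in pools:
            out.append(("info", f"pool {name} supports {pool_size(*pools[name])} concurrent clients"))
        else:
            out.append(("error", f"pool {name} is referenced but never defined"))
    # MPPE: 128-bit keys and 'required', so a client that cannot negotiate encryption is dropped.
    mppe = re.search(r"^ppp encrypt mppe (auto|40|128)(?: (required|passive))?", text, re.M)
    if mppe is None:
        out.append(("warn", "no ppp encrypt mppe: PPP payload crosses the tunnel unencrypted"))
    elif mppe.group(1) != "128" or mppe.group(2) != "required":
        out.append(("warn", f"'{mppe.group(0)}': use 'ppp encrypt mppe 128 required'"))
    auth = re.search(r"^ppp authentication (.+)$", text, re.M)
    methods = auth.group(1).split() if auth else []
    if "ms-chap" in methods and "ms-chap-v2" not in methods:
        out.append(("warn", "MS-CHAP v1 only: prefer ppp authentication ms-chap-v2"))
    return out
```

Run lint_pptp_config() over the output of show running-config; on the sample above it reports the pool capacity of ten clients and warns about both the 40-bit passive MPPE setting and MS-CHAP v1.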