User Maximum Links
This document includes the following sections:
• Supported Standards, MIBs, and RFCs
Feature Overview
The User Maximum Links feature provides a method to limit the number of inbound connections a user can establish with a device. This maximum connection limit is only imposed on links that have name authentication configured.
Previously, there was no method to limit the number of connections a user could establish.
In multilink environments, each PPP multilink connection is counted as one connection.
Benefits
The User Maximum Links feature enables ISPs to limit the number of inbound connections a user can establish so that they can provide various levels of subscriptions at different costs.
Users who desire more bandwidth can be charged a higher rate to establish multiple connections, while users who require only a single connection can be charged a discounted rate.
Restrictions
• Local AAA must be enabled.
• Name authentication must be used.
• PPP encapsulation must be used because it is the only encapsulation type that supports usernames.
Related Documents
For more information on AAA and PPP encapsulation, see:
• The "Authentication, Authorization, and Accounting (AAA)" chapter of the Security Configuration Guide.
For more information on PPP encapsulation, see:
• The "Configuring Media-Independent PPP and Multilink PPP" chapter of the Dial Solutions Configuration Guide.
Supported Platforms
All Cisco IOS platforms running Cisco IOS Release 12.0(5)T or later.
Supported Standards, MIBs, and RFCs
MIBs
None
For descriptions of supported MIBs and how to use MIBs, see the Cisco MIB web site on CCO at http://www.cisco.com/public/sw-center/netmgmt/cmtk/mibs.shtml.
RFCs
None
Standards
None
Prerequisites
Before using the User Maximum Links feature, you need to complete the following tasks:
• Enable AAA
• Enable name authentication
• Enable PPP encapsulation
Configuration Tasks
See the following sections for configuration tasks for the User Maximum Links feature. Each task in the list indicates if the task is optional or required.
• Configuring Maximum Number of User Links (Required)
Configuring Maximum Number of User Links
Verifying Maximum Number of User Links
Step 1
Enter a username command for a test user that can establish only one connection:
Router(config)# username althea user-maxlinks 1 password settleback
Step 2
Configure AAA, name authentication, and PPP encapsulation on the interfaces that will be used as described in the following configuration example.
Step 3
Use the show running-config command to verify the configuration.
Step 4
Connect to the router using the connection-limited username.
Step 5
Attempt to open a second connection.
Step 6
Observe the failed PPP authentication.
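An offline check to run against saved show running-config output in Step 3, added here as an example and not taken from Cisco's documentation. It reports the prerequisites this document lists (AAA, local network authorization, PPP encapsulation, name authentication) that are absent while a user-maxlinks limit is set. It assumes interface subcommands are indented as in show running-config output, and that only interfaces with dialer or PPP lines carry dial-in users; the function name audit_user_maxlinks is hypothetical.

```python
import re

# Constructed sample (the page's sTephen example, CHAP removed from Serial1/0).
SAMPLE = """\
aaa new-model
aaa authorization network default local
username sTephen user-maxlinks 5 password gardenhegoes
!
interface Serial1/0
 encapsulation ppp
 dialer map ip 2.2.2.13 name sTephen 12345
!
interface Dialer0
 encapsulation ppp
 dialer remote-name sTephen
 ppp authentication chap
"""

def audit_user_maxlinks(config):
    """List prerequisites that are absent while a user-maxlinks limit is set."""
    top, blocks, current = [], {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if line in ("", "!"):
            continue
        if not raw[0].isspace():                 # top-level command
            top.append(line)
            is_if = line.startswith("interface ")
            current = blocks.setdefault(line[10:], []) if is_if else None
        elif current is not None:                # interface subcommand
            current.append(line)
    users = [l for l in top if re.match(r"username \S+ user-maxlinks \d+\b", l)]
    if not users:
        return []
    findings = [f"global: '{cmd}' is missing"
                for cmd in ("aaa new-model", "aaa authorization network default local")
                if cmd not in top]
    for name, body in blocks.items():
        # Assumption: only interfaces with dialer or PPP lines carry dial-in users.
        if not any(b.startswith(("dialer", "ppp ", "encapsulation ppp")) for b in body):
            continue
        if "encapsulation ppp" not in body:
            findings.append(f"{name}: PPP encapsulation is missing")
        if not any(b.startswith("ppp authentication ") for b in body):
            findings.append(f"{name}: PPP name authentication is missing")
    return findings

if __name__ == "__main__":
    print("\n".join(audit_user_maxlinks(SAMPLE)) or "no findings")
```

An empty result means the limit's stated prerequisites are present in the saved configuration; Steps 4 through 6 still confirm the behavior on the device.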
Configuration Examples
In the following example, a user with the username sTephen can establish a maximum of five connections. sTephen can connect through serial interface 1/0, which has a dialer map configured for him or through PRI interface 0/0:23, which has dialer profile interface 0 dedicated to him.
The aaa authorization network default local command must be configured. PPP encapsulation and authentication must be enabled on all the interfaces sTephen can connect to.
aaa new-model
aaa authorization network default local
enable secret saintstephen
enable password witharose
!
username sTephen user-maxlinks 5 password gardenhegoes
!
interface Serial0/0:23
 no ip address
 encapsulation ppp
 dialer pool-member 1
 ppp authentication chap
 ppp multilink
!
interface Serial1/0
 ip address 2.2.2.4 255.255.255.0
 encapsulation ppp
 dialer in-band
 dialer map ip 2.2.2.13 name sTephen 12345
 dialer-group 1
 ppp authentication chap
!
interface Dialer0
 ip address 1.1.1.4 255.255.255.0
 encapsulation ppp
 dialer remote-name sTephen
 dialer string 23456
 dialer pool 1
 dialer-group 1
 ppp authentication chap
 ppp multilink
!
dialer-list 1 protocol ip permit
Command Reference
This section documents modified commands. All other commands used with this feature are documented in the Cisco IOS Release 12.0 command reference publication.
• username
username
To specify the password to be used in the PPP Challenge Handshake Authentication Protocol (CHAP) caller identification and Password Authentication Protocol (PAP), use the username global configuration command. To remove a username from the configuration, use the no form of this command.
username name [user-maxlinks link-number] password secret
no username
Syntax Description
Default
No password is predefined.
Command Mode
Global configuration
Command History
Release     Modification
11.1        This command was introduced.
12.0(5)T    The user-maxlinks keyword and link-number argument were added.
Usage Guidelines
Supply a name entry for the name argument for each remote system from which the local router or access server requires authentication.
The username command is required as part of the configuration for authentication protocols, such as CHAP and PAP. For each remote system that the local router or access server communicates with from which it requires authentication, you add a corresponding username command.
Note
To enable the local router or access server to respond to remote CHAP challenges, one username command must have the same name as the hostname (assigned using the hostname command) that has already been assigned to your device.
To use the user-maxlinks keyword, you must also use the aaa authorization network default local command, and PPP encapsulation and name authentication on all the interfaces the user will be accessing.
If no secret password is specified and the debug serial-interface command is enabled, an error is displayed when a link is established and the authentication protocol challenge is not implemented. Debugging information about authentication protocols is available using the debug serial-interface and debug serial-packet commands. See the Debug Command Reference publication for more information.
Example
The following example configuration enables CHAP on serial interface 0. It also defines a password for local server Adam and remote server Eve. Eve can establish a maximum of five inbound connections to Adam.
hostname Adam
interface serial 0
 encapsulation ppp
 ppp authentication chap
username Eve user-maxlinks 5 password theirsystem
When you look at your configuration file, the passwords will be encrypted, and the display will look similar to the following:
hostname Adam
interface serial 0
 encapsulation ppp
 ppp authentication chap
username Eve user-maxlinks 5 password 7 121F0A18
Related Commands
