Manoj Reddy's Reference Guide

access-profile

To apply your per-user authorization attributes to an interface during a PPP session, use the access-profile EXEC command. The default form of the command (no keywords) removes the existing access control lists (ACLs) from the interface and installs the ACLs defined in your per-user configuration.

access-profile [merge | replace] [ignore-sanity-checks]

Syntax Description

merge

(Optional) Like the default form of the command, this option removes existing ACLs while retaining other existing authorization attributes for the interface.

However, using this option also installs per-user authorization attributes in addition to the existing attributes. (The default form of the command installs only new ACLs.) The per-user authorization attributes come from all AV pairs defined in the AAA per-user configuration (the user's authorization profile).

The interface's resulting authorization attributes are a combination of the previous and new configurations.

replace

(Optional) This option removes existing ACLs and all other existing authorization attributes for the interface.

A complete new authorization configuration is then installed, using all AV pairs defined in the AAA per-user configuration.

This option is not normally recommended because it initially deletes all existing configuration, including static routes. This could be detrimental if the new user profile does not reinstall appropriate static routes and other critical information.

ignore-sanity-checks

(Optional) Enables you to use any AV pairs, whether or not they are valid.

Command Modes

User EXEC

Command History

Release    Modification
11.2 F     This command was introduced.

Usage Guidelines

Remote users can use this command to activate Double Authentication for a PPP session. Double Authentication must be correctly configured for this command to have the desired effect.

You should use this command when remote users establish a PPP link to gain local network access.

After you have been authenticated with CHAP (or PAP), you will have limited authorization. To activate Double Authentication and gain your appropriate user network authorization, you must Telnet to the network access server and execute the access-profile command. (This command could also be set up as an autocommand, which would eliminate the need to manually enter the command.)

This command causes all subsequent network authorizations to be made in your username, instead of in the remote host's username.

Any changes to the interface caused by this command will stay in effect for as long as the interface stays up. These changes will be removed when the interface goes down. This command does not affect the normal operation of the router or the interface.

The default form of the command, access-profile , causes existing ACLs to be unconfigured (removed), and new ACLs to be installed. The new ACLs come from your per-user configuration on an AAA server (such as a TACACS+ server). The ACL replacement constitutes a reauthorization of your network privileges.

The default form of the command can fail if your per-user configuration contains statements other than ACL AV pairs. Any protocols with non-ACL statements will be deconfigured, and no traffic for that protocol can pass over the PPP link.

The access-profile merge form of the command causes existing ACLs to be unconfigured (removed) and new authorization information (including new ACLs) to be added to the interface. This new authorization information consists of your complete per-user configuration on an AAA server. If any of the new authorization statements conflict with existing statements, the new statements could "override" the old statements or be ignored, depending on the statement and applicable parser rules. The resulting interface configuration is a combination of the original configuration and the newly installed per-user configuration.

Caution  The new user authorization profile (per-user configuration) must not contain any invalid mandatory AV pairs, otherwise the command will fail and the PPP protocol (containing the invalid pair) will be dropped. If invalid AV pairs are included as optional in the user profile, the command will succeed, but the invalid AV pair will be ignored. Invalid AV pair types are listed later in this section.

The access-profile replace form of the command causes the entire existing authorization configuration to be removed from the interface, and the complete per-user authorization configuration to be added. This per-user authorization consists of your complete per-user configuration on an AAA server.

Caution  Use extreme caution when using the access-profile replace form of the command. It might have detrimental and unexpected results, because this option deletes all authorization configuration information (including static routes) before reinstalling the new authorization configuration.
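The behaviour of the three forms, as an added example that is not part of the Cisco reference: a small Python model that parses a TACACS+-style per-user profile and reports, before the user is let loose on a live NAS, which form of access-profile the profile is safe for. The model assumes TACACS+ attribute syntax ("attr=value" is mandatory, "attr*value" is optional), treats inacl/outacl and inacl#n/outacl#n as the ACL attributes and route#n as a non-ACL static-route statement, uses a placeholder INVALID_ATTRS set in place of the release-specific invalid AV pair list, and resolves a merge conflict by letting the new statement override the old one. None of these assumptions come from the command reference; the sample interface attributes and profiles are constructed for the example.

```python
"""Pre-flight check of a TACACS+ per-user profile against the three
access-profile forms.  Added example modelling the behaviour described
in the command reference; this is not Cisco IOS code.

Assumptions (not from the command reference):
  * AV pairs use TACACS+ syntax: "attr=value" mandatory, "attr*value" optional.
  * ACL attributes are inacl, outacl, inacl#<n>, outacl#<n>; everything else
    (e.g. route#<n>) is a non-ACL authorization statement.
  * INVALID_ATTRS is a placeholder for the release-specific list of AV pair
    types that are invalid under Double Authentication.
  * On a conflict during merge, the new statement overrides the old one.
"""
import re

ACL_RE = re.compile(r"^(inacl|outacl)(#\d+)?$")
INVALID_ATTRS = frozenset({"example-invalid-attr"})   # placeholder, see above


class ProfileError(Exception):
    """The access-profile command fails and the PPP protocol is dropped."""


class AVPair:
    def __init__(self, raw):
        m = re.fullmatch(r"([^=*]+)([=*])(.*)", raw.strip())
        if not m:
            raise ValueError(f"not an AV pair: {raw!r}")
        self.attr, sep, self.value = m.group(1), m.group(2), m.group(3)
        self.mandatory = sep == "="
        self.is_acl = bool(ACL_RE.match(self.attr))
        self.valid = self.attr not in INVALID_ATTRS


def parse_profile(lines):
    return [AVPair(line) for line in lines if line.strip()]


def apply_access_profile(interface, profile, form="default"):
    """Return the interface's authorization attributes (dict attr -> value)
    after `access-profile [form]` is run with the given per-user profile."""
    if form not in ("default", "merge", "replace"):
        raise ValueError(form)
    usable = []
    for p in profile:
        if not p.valid:
            if p.mandatory:        # mandatory invalid pair: the command fails
                raise ProfileError(f"mandatory AV pair {p.attr!r} is invalid")
            continue               # optional invalid pair: silently ignored
        usable.append(p)
    if form == "default" and any(not p.is_acl for p in usable):
        # The default form installs only ACLs; a protocol whose profile
        # carries other statements is deconfigured instead of reauthorized.
        raise ProfileError("profile has non-ACL pairs; default form would deconfigure the protocol")
    if form == "replace":
        result = {}                # everything goes, static routes included
    else:                          # default and merge: drop ACLs, keep the rest
        result = {k: v for k, v in interface.items() if not ACL_RE.match(k)}
    for p in usable:
        result[p.attr] = p.value   # new statement wins over an existing one
    return result


def preflight(interface, profile):
    """Summarise each form as 'ok', 'drops <attrs>' or 'fails: <reason>'."""
    report = {}
    for form in ("default", "merge", "replace"):
        try:
            after = apply_access_profile(interface, profile, form)
        except ProfileError as e:
            report[form] = f"fails: {e}"
            continue
        lost = sorted(k for k in interface if not ACL_RE.match(k) and k not in after)
        report[form] = "ok" if not lost else "drops " + ", ".join(lost)
    return report


# Constructed sample data: attributes on the PPP interface after the
# initial CHAP/PAP authorization, and three candidate per-user profiles.
INTERFACE = {
    "inacl#1": "permit ip any host 10.1.1.5",   # limited pre-reauthorization ACL
    "route#1": "10.2.0.0 255.255.0.0",         # static route installed at link-up
}
ACL_ONLY = ["inacl#1=permit tcp any 10.1.0.0 0.0.255.255 eq 22",
            "inacl#2=deny ip any any"]
WITH_ROUTE = ACL_ONLY + ["route#1=10.3.0.0 255.255.0.0",
                         "example-invalid-attr*ignored"]   # optional -> skipped
BROKEN = WITH_ROUTE + ["example-invalid-attr=fatal"]      # mandatory -> fails

if __name__ == "__main__":
    for name, lines in (("ACL_ONLY", ACL_ONLY), ("WITH_ROUTE", WITH_ROUTE), ("BROKEN", BROKEN)):
        print(name, preflight(INTERFACE, parse_profile(lines)))
```

Running the script shows the three outcomes the guidelines warn about: the ACL-only profile is fine with the default form but the replace form drops the pre-existing static route; the profile that carries a route#1 statement fails with the default form and needs merge; and a profile with a mandatory invalid pair fails in every form, while the same pair marked optional is simply skipped.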

Invalid AV pair types

These AV pair types are only "invalid" when used with Double Authentication, in the user-specific authorization profile; there they cause the access-profile command to fail. However, these AV pair types can be appropriate when used in other contexts.

Examples

This example activates Double Authentication for a remote user. This example assumes that the access-profile command was not configured as an autocommand.

The remote user connects to the corporate headquarters network per Figure 1.

Figure 1: Network Topology for Activating Double Authentication (Example)

The remote user runs a terminal emulation application to Telnet to the corporate network access server, an AS5200 local host named "hqnas." The remote user, named Bob, has the username "BobUser."

This example replaces ACLs on the local host PPP interface. The ACLs previously applied to the interface during PPP authorization are replaced with ACLs defined in the per-user configuration AV pairs.

The remote user Telnets to the local host and logs in:

login: BobUser
Password: <welcome>
hqnas> access-profile

Bob is reauthenticated when he logs in to hqnas, because hqnas is configured for login AAA authentication using the corporate RADIUS server. When Bob enters the access-profile command, he is reauthorized with his per-user configuration privileges. This causes the access lists and filters in his per-user configuration to be applied to the network access server interface.

After the reauthorization is complete, Bob is automatically logged out of the AS5200 local host.

Related Commands

Command    Description
connect    Logs in to a host that supports Telnet, rlogin, or LAT.
telnet     Logs in to a host that supports Telnet.


All material in this document copyright 2000 Cisco Systems, Inc. All rights reserved. No material may be reproduced or distributed without written permission of Cisco Systems, Inc.