Internet access via PPTP VPN authentication

Scenario Analysis

Many people want to build one of their ownWIFI_WEBCertified Network,The main technology used is Portal (Portal),It can authenticate legitimate users through WEB page。Through this technology to do a certified third-party solutions haveWIFIAPWIWIZ,Both companies are more representative。According to my investigation,Wah also Portal Solutions,Cisco alone I have not found related solutions (RS it in this field,I did not learn Cisco wireless)。So I want to use other techniques to achieve my purpose。Android phones have been quite popular now,Android phones and computers have the VPN dial-in capabilities,So I think through the VPN dial-in as my solution。

expected outcome

Dial VPN users can access the Internet or my specified network,No dial-in VPN users can only access specific network。

Picture 1



Create a virtual template it can also be understood as a VPN gateway

R1(config)#interface Virtual-Template 1

This virtual interface to configure an IP address

R1(config-if)#ip address

Set the authentication mode of this virtual link

R1(config-if)#ppp authentication chap ms-chap ms-chap-v2

Set dial-in user to obtain the IP address of the address pool named vpn

R1(config-if)#peer default ip address dhcp-pool vpn

Troubleshooting Virtual Interface IP address in the address pool

R1(config)#ip dhcp excluded-address

Creating a pool of automatically assigned address called vpn

R1(config)#ip dhcp pool vpn

Is provided to the user is preferably assigned address segment and a Virtual-Template IP address in the same network segment


Set assigned to the user's DNS domain name server

R1(dhcp-config)#dns server

Open virtual link dial-in capabilities

R1(config)#vpdn enable

Create a group called dial-vpn

R1(config)#vpdn-group vpn

Setting allows the user to dial


PPTP protocol setting dial

R1(config-vpdn-acc-in)#protocol pptp

Call the above virtual template

R1(config-vpdn-acc-in)#virtual-template 1


Create a list of conversion list named vpnnat

R1(config)#ip access-list extended vpnnat

Grab users dial to obtain IP addresses

R1(config-ext-nacl)#permit ip any

Create an Address Resolution Protocol so that users can access the Internet outside ports

R1(config)#ip nat inside source list vpnnat interface FastEthernet1/0 overload

The external network port is provided to an external port

R1(config)#interface FastEthernet1/0

R1(config)#ip nat outside

The external network port is provided to the internal port

R1(config)#interface Virtual-Template1

R1(config-if)#ip nat inside


Create a list of blocked user access to the Internet is not a VPN Dial

R1(config)#ip access-list extended novpn

Crawl inside the port block access to the Internet network segment

R1(config-ext-nacl)#deny ip any

Let other traffic

R1(config-ext-nacl)#permit ip any any

The direction of the outer limit the list to call the network port

R1(config)#interface FastEthernet1/0

R1(config-if)#ip access-group novpn out


I would like to call the user database server as a PPTP VPN's Radius,But ordinary router does not have this feature,Need to use Cisco's firewall products can achieve call Radius server database。

Original article written by Gerber drop-off:R0uter's Blog » Internet access via PPTP VPN authentication

Reproduced Please keep the source and description link:

About the Author


Leave a Reply

Your email address will not be published. Required fields are marked *