[cisco-nas] ISDN Authentication using Caller ID

Oliver Boehmer (oboehmer) oboehmer at cisco.com
Wed May 2 10:22:46 EDT 2007


Gaurav Sabharwal <> wrote on Wednesday, May 02, 2007 8:33 AM:

> I am trying to set up something described at
> http://www.cisco.com/en/US/customer/tech/tk801/tk379/technologies_configuration_example09186a00800949ee.shtml
> 
> To extend beyond, I would like to authenticate the dialin clients
> against the Calling-Station-ID RADIUS attribute and assign them IP
> addresses from a dynamic pool. This is on a Cisco 2811 router.
> 
> Can somebody please tell me if this is possible and provide me with a
> sample configuration?

Do you *only* want to use the ISDN caller-id (CLID) for authentication, i.e.
no PPP chap/pap phase? If you want to add the CLID as additional
authentication to PPP username/password, just add the Calling-Station-ID
as an additional check-item to your Radius user record. Depending on the
Radius server, you might even ignore the PPP credentials on the Radius,
and return Access-Accept as soon as the CLID matches.

If your Radius server is not able to do this, you can use ISDN
Pre-authentication
(http://www.cisco.com/univercd/cc/td/doc/product/software/ios121/121newft/121t/121t2/dtpreaut.htm).
With this feature (not available on all
platforms), the NAS will send an access-request to the Radius right
after the ISDN call comes in (before it is established and PPP starts)
using the CLID or the DNIS as the username, and the Radius server can
return a profile telling the NAS to skip any subsequent authentication.

	oli
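
The server-side check described in the reply above, as an added example that is not part of the original message or of any RADIUS server's code: it parses the attributes of an Access-Request (RFC 2865 layout) and accepts only when every check-item, here Calling-Station-Id (type 31), matches. The user records, phone numbers and function names are constructed for illustration, and PPP password verification is left out.

```python
import struct

# RFC 2865 attribute types used here
USER_NAME, CALLED_STATION_ID, CALLING_STATION_ID = 1, 30, 31

def build_request(attrs, ident=1):
    """Build a minimal Access-Request (code 1) from (type, str) pairs; constructed input."""
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v.encode() for t, v in attrs)
    return struct.pack("!BBH", 1, ident, 20 + len(body)) + bytes(16) + body

def parse_attributes(packet):
    """Return {type: value} for the TLV attributes that follow the 20-byte header."""
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != 1 or length != len(packet) or length < 20:
        raise ValueError("not a well-formed Access-Request")
    attrs, pos = {}, 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        a_type, a_len = packet[pos], packet[pos + 1]
        if a_len < 2 or pos + a_len > length:
            raise ValueError("bad attribute length")
        attrs[a_type] = packet[pos + 2:pos + a_len].decode("ascii", "replace")
        pos += a_len
    return attrs

# Hypothetical user records: every check-item must match before an accept is returned.
USERS = {
    "branch1": {"check": {CALLING_STATION_ID: "5551000"}},  # PPP user pinned to one CLID
    "5552000": {"check": {CALLING_STATION_ID: "5552000"}},  # preauth: username is the CLID
}

def decide(packet):
    """Apply the check-items of the matching user record to the request."""
    attrs = parse_attributes(packet)
    record = USERS.get(attrs.get(USER_NAME, ""))
    if record is None:
        return "Access-Reject"
    for a_type, expected in record["check"].items():
        if attrs.get(a_type) != expected:  # a withheld (missing) CLID also rejects
            return "Access-Reject"
    return "Access-Accept"
```
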


