[cisco-nas] ISDN Authentication using Caller ID

Oliver Boehmer (oboehmer) oboehmer at cisco.com
Wed May 2 14:11:29 EDT 2007


Gaurav Sabharwal <mailto:gaurav at inwire.net> wrote on Wednesday, May 02,
2007 5:42 PM:

> on 05/02/2007 04:22 PM Oliver Boehmer (oboehmer) said the following:
>> Gaurav Sabharwal <> wrote on Wednesday, May 02, 2007 8:33 AM:
>> 
>>> I am trying to set up something described at
>>> http://www.cisco.com/en/US/customer/tech/tk801/tk379/technologies_configuration_example09186a00800949ee.shtml
>>> To extend beyond, I would like to authenticate the dialin clients
>>> against the Calling-Station-ID RADIUS attribute and assign them IP
>>> addresses from a dynamic pool. This is on a Cisco 2811 router.
>>> 
>>> Can somebody please tell me if this is possible and provide me with
>>> a sample configuration?
>> 
>> Do you *only* want to use the ISDN caller-id (CLID) for authentication,
>> i.e. no PPP chap/pap phase? If you want to add the CLID as additional
>> authentication to PPP username/password, just add the
>> Calling-Station-ID as an additional check-item to your Radius user
>> record. Depending on the Radius server, you might even ignore the
>> PPP credentials on the Radius, and return Access-Accept as soon as
>> the CLID matches. 
>
> The goal is to use only the ISDN CLID for authentication. The remote
> router will not be configured with any username/password information.

Ok. May I ask the reason behind this?

>> If your Radius server is not able to do this, you can use ISDN
>> Pre-authentication
>> (http://www.cisco.com/univercd/cc/td/doc/product/software/ios121/121newft/121t/121t2/dtpreaut.htm).
>> With this feature (not available on all
>> platforms), the NAS will send an access-request to the Radius right
>> after the ISDN call comes in (before it is established and PPP
>> starts) using the CLID or the DNIS as the username, and the Radius
>> server can return a profile telling the NAS to skip any subsequent
>> authentication.  
>
> The document mentions that this is only supported on the AS53xx. Is
> this support there on the 2811s as well? I tried the "aaa preauth" command
> on a couple of routers with 12.4.x IOS but the command is not available.

Sorry, this feature is only available on the access servers in the
AS5xxx family.

	oli
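
Added example, not part of the original message and not code from any RADIUS server: a small Python model of the two server-side policies discussed in the thread, the CLID as an additional check-item next to the PPP credentials, and a CLID-only record that is accepted as soon as the calling number matches. The usernames, numbers, password and pool name are constructed sample values, and `decide` and `normalize_clid` are hypothetical helper names.

```python
# Toy model of a RADIUS server's decision for an incoming Access-Request.
# All records below are constructed sample data, not taken from the thread.
import hmac

# PPP username -> check-items: password plus the CLID as an additional check-item
USERS = {
    "branch1": {"password": "s3cret", "calling_station_id": "0301234567"},
}
# CLID-only records: the calling number alone selects the profile
# (the remote router sends no usable PPP credentials)
CLID_ONLY = {
    "0307654321": {"pool": "isdn-pool"},  # hypothetical dynamic pool name
}


def normalize_clid(raw):
    """Keep digits only so '030 123-4567' and '0301234567' compare equal."""
    return "".join(ch for ch in (raw or "") if ch.isdigit())


def decide(request):
    """Return ('Access-Accept', reply_attrs) or ('Access-Reject', reason)."""
    clid = normalize_clid(request.get("Calling-Station-Id"))
    if not clid:
        # A call that delivers no caller ID can never satisfy a CLID check.
        return ("Access-Reject", "no Calling-Station-Id")
    if clid in CLID_ONLY:
        # CLID-only policy: PPP credentials are ignored, the number is the identity.
        return ("Access-Accept", CLID_ONLY[clid])
    user = USERS.get(request.get("User-Name", ""))
    if user is None:
        return ("Access-Reject", "unknown user")
    supplied = request.get("User-Password", "")
    if not hmac.compare_digest(supplied.encode(), user["password"].encode()):
        return ("Access-Reject", "bad password")
    if clid != user["calling_station_id"]:
        # Correct credentials, but the call came from a different line.
        return ("Access-Reject", "Calling-Station-Id mismatch")
    return ("Access-Accept", {})
```

In the CLID-only branch the calling number is the only factor, so the decision is exactly as trustworthy as the caller ID delivered by the ISDN network.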


