[cisco-nas] ISDN Authentication using Caller ID
tnt at kalik.co.yu
Wed May 2 16:21:30 EDT 2007
If you have only one mad customer you don't need a huntgroup. Make a
default entry:
DEFAULT Calling-Station-Id == hisnumber, Auth-Type := Accept
	Framed-IP-Address = a.b.c.d,
	etc.
Ivan Kalik
Kalik Informatika ISP
On 2/5/2007, "Gaurav Sabharwal" <gaurav at inwire.net> wrote:
>The customer does not want any username/password on the dialer
>interface so we are stuck to using caller-id as the only authentication
>method. As I mentioned on the list, preauth seems to be available only
>on the AS53xx series.
>
>Can you point towards the huntgroups that you mention in the email?
>
>Thanks,
>- Gaurav
>on 05/02/2007 04:07 PM tnt at kalik.co.yu said the following:
>> aaa authentication ppp default
>>
>> You are not sending radius requests. ppp users will be authenticated
>> locally. You need to send auth to group radius. But get it to work first
>> with a local user. Then make entry for that user in radius. Then change
>> user to MAC authentication. Go step by step and you will get there much
>> quicker.
>>
>> If you want just MAC filtering (no user/pass, just a list of acceptable
>> callerIDs) then you need to use preauth on cisco. Or some extravagant
>> huntgroups in radius.
>>
>> Ivan Kalik
>> Kalik Informatika ISP
>>
>> On 2/5/2007, "Gaurav Sabharwal" <gaurav at inwire.net> wrote:
>>
>>> Ivan,
>>>
>>> Thanks for the reply. I tried to configure the router for PAP
>>> authentication and the RADIUS server as you mentioned but I do not see
>>> any packets coming to the RADIUS server.
>>>
>>> The setup seems to be failing during the LCP phase. For PAP
>>> authentication, don't I need to setup the username/password on the
>>> client side? This is what I am trying to avoid.
>>>
>>> Below is the relevant configuration:
>>>
>>> NAS:
>>> aaa new-model
>>> !
>>> aaa authentication ppp default
>>> !
>>> interface BRI1/0
>>> no ip address
>>> encapsulation ppp
>>> dialer pool-member 1
>>> isdn switch-type basic-net3
>>> isdn point-to-point-setup
>>> !
>>> interface Dialer1
>>> ip unnumbered Loopback0
>>> encapsulation ppp
>>> dialer pool 1
>>> dialer-group 1
>>> no peer default ip address
>>> ppp authentication pap
>>> !
>>> radius-server attribute 8 include-in-access-req
>>> radius-server host 192.168.1.1 auth-port 1645 acct-port 1646
>>> radius-server key test01
>>> radius-server vsa send accounting
>>> radius-server vsa send authentication
>>>
>>> Client Side:
>>> !
>>> interface BRI0
>>> no ip address
>>> encapsulation ppp
>>> dialer pool-member 2
>>> dialer pool-member 3
>>> isdn switch-type basic-net3
>>> isdn point-to-point-setup
>>> no fair-queue
>>> no cdp enable
>>> !
>>> interface Dialer3
>>> ip address negotiated
>>> encapsulation ppp
>>> dialer pool 3
>>> dialer string 06155822147
>>> dialer-group 3
>>> no cdp enable
>>>
>>> Logs from the NAS:
>>> *Mar 1 18:31:11.699: %DIALER-6-BIND: Interface BR1/0:1 bound to profile Di1
>>> *Mar 1 18:31:11.707: %LINK-3-UPDOWN: Interface BRI1/0:1, changed state
>>> to up
>>> *Mar 1 18:31:11.707: %ISDN-6-CONNECT: Interface BRI1/0:1 is now
>>> connected to 6155667136 N/A
>>> *Mar 1 18:31:11.715: BR1/0:1 PPP: Using dialer call direction
>>> *Mar 1 18:31:11.715: BR1/0:1 PPP: Treating connection as a callin
>>> *Mar 1 18:31:11.715: BR1/0:1 PPP: Session handle[C300008C] Session id[114]
>>> *Mar 1 18:31:11.715: BR1/0:1 PPP: Phase is ESTABLISHING, Passive Open
>>> *Mar 1 18:31:11.715: BR1/0:1 LCP: State is Listen
>>> *Mar 1 18:31:11.931: BR1/0:1 LCP: I CONFREQ [Listen] id 42 len 10
>>> *Mar 1 18:31:11.935: BR1/0:1 LCP: MagicNumber 0x1829BF38
>>> (0x05061829BF38)
>>> *Mar 1 18:31:11.935: BR1/0:1 LCP: O CONFREQ [Listen] id 239 len 14
>>>
>>>
>>> Thanks,
>>> - Gaurav
>>>
>>> on 05/02/2007 01:44 PM tnt at kalik.co.yu said the following:
>>>> It's possible without doing anything on your router. Just replace
>>>> User-Name with Calling-Station-ID on your radius server. For Freeradius
>>>> make a users file entry:
>>>>
>>>> DEFAULT User-Name:=Calling-Station-ID
>>>>
>>>> and place it in front of your user entries. Warning: this won't work
>>>> with encrypted protocols, only PAP.
>>>>
>>>> Ivan Kalik
>>>> Kalik Informatika ISP
>>>>
>>>>
>>>> On 2/5/2007, "Gaurav Sabharwal" <gaurav at inwire.net> wrote:
>>>>
>>>>> I am trying to setup something described at
>>>>> http://www.cisco.com/en/US/customer/tech/tk801/tk379/technologies_configuration_example09186a00800949ee.shtml
>>>>>
>>>>> To extend beyond, I would like to authenticate the dialin clients
>>>>> against the Calling-Station-ID RADIUS attribute and assign them IP
>>>>> addresses from a dynamic pool. This is on a Cisco 2811 router.
>>>>>
>>>>> Can somebody please tell me if this is possible and provide me with a
>>>>> sample configuration?
>>>>>
>>>>> Thanks,
>>>>> - Gaurav
>
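Added example, not part of the original thread and not FreeRADIUS code: a small audit script that reads a FreeRADIUS-style users file and lists entries that accept a session on Calling-Station-Id alone, as the DEFAULT entry above does, so an operator can keep an inventory of numbers admitted without a password. It also flags an Auth-Type := Accept entry with no check items at all, which goes one step beyond the thread. The sample file, phone number and addresses are constructed, and the parser assumes the usual layout (entry header at column 0, reply items indented).

```python
import re

# Constructed sample in FreeRADIUS "users" layout: an entry header starts at
# column 0 (name + check items); indented lines below it are reply items.
SAMPLE_USERS = '''\
# caller-ID-only entry of the kind described in the thread (number is made up)
DEFAULT Calling-Station-Id == "5550100", Auth-Type := Accept
\tFramed-IP-Address = 192.0.2.10,
\tFramed-Protocol = PPP

bob Cleartext-Password := "example-only"
\tFramed-Protocol = PPP

DEFAULT Auth-Type := Accept
\tFramed-Protocol = PPP
'''

# attribute, operator, value (quoted or bare), optional trailing comma
ITEM = re.compile(
    r'([\w-]+)\s*(:=|==|\+=|!=|>=|<=|=~|!~|=\*|!\*|=|>|<)\s*("[^"]*"|[^,\s]+)\s*,?')

def parse_entries(text):
    """Return [(line_no, name, {attr: (op, value)})], one per entry header."""
    entries = []
    for no, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith('#') or line[0] in ' \t':
            continue  # blank line, comment, or indented reply item
        parts = line.split(None, 1)
        rest = parts[1] if len(parts) > 1 else ''
        checks = {m[1].lower(): (m[2], m[3].strip('"')) for m in ITEM.finditer(rest)}
        entries.append((no, parts[0], checks))
    return entries

def audit(text):
    """List entries that set Auth-Type Accept without any credential check."""
    findings = []
    for no, name, checks in parse_entries(text):
        if checks.get('auth-type', (None, ''))[1].lower() != 'accept':
            continue
        others = set(checks) - {'auth-type'}
        if not others:
            findings.append((no, name, 'unconditional-accept'))
        elif others == {'calling-station-id'}:
            number = checks['calling-station-id'][1]
            findings.append((no, name, 'caller-id-only-accept:' + number))
    return findings

if __name__ == '__main__':
    for finding in audit(SAMPLE_USERS):
        print(finding)
```
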