[cisco-nas] ISDN Authentication using Caller ID

Gaurav Sabharwal gaurav at inwire.net
Wed May 2 11:41:33 EDT 2007


on 05/02/2007 04:22 PM Oliver Boehmer (oboehmer) said the following:
> Gaurav Sabharwal <> wrote on Wednesday, May 02, 2007 8:33 AM:
> 
>> I am trying to set up something described at
>>
>> http://www.cisco.com/en/US/customer/tech/tk801/tk379/technologies_configuration_example09186a00800949ee.shtml
>> To extend beyond, I would like to authenticate the dialin clients
>> against the Calling-Station-ID RADIUS attribute and assign them IP
>> addresses from a dynamic pool. This is on a Cisco 2811 router.
>>
>> Can somebody please tell me if this is possible and provide me with a
>> sample configuration?
> 
> Do you *only* want to use the ISDN caller-id (CLID) for authentication, i.e.
> no PPP chap/pap phase? If you want to add the CLID as additional
> authentication to PPP username/password, just add the Calling-Station-ID
> as an additional check-item to your Radius user record. Depending on the
> Radius server, you might even ignore the PPP credentials on the Radius,
> and return Access-Accept as soon as the CLID matches.
The goal is to use only the ISDN CLID for authentication. The remote 
router will not be configured with any username/password information.

> If your Radius server is not able to do this, you can use ISDN
> Pre-authentication
> (http://www.cisco.com/univercd/cc/td/doc/product/software/ios121/121newft/121t/121t2/dtpreaut.htm).
> With this feature (not available on all
> platforms), the NAS will send an access-request to the Radius right
> after the ISDN call comes in (before it is established and PPP starts)
> using the CLID or the DNIS as the username, and the Radius server can
> return a profile telling the NAS to skip any subsequent authentication. 
The document mentions that this is only supported on the AS53xx. Is this 
support there on the 2811s as well? I tried the "aaa preauth" command on 
a couple of routers with 12.4.x IOS but the command is not available.

Thanks,
- Gaurav
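
Added example (not part of the original messages, and not Cisco or RADIUS-server code): a sketch of the server-side decision for the two approaches discussed in this thread, CLID as an extra check item next to PPP credentials and CLID-only pre-authentication. It assumes the pre-auth request is marked with Service-Type = Call-Check as RFC 2865 describes; the user records, phone numbers, pool name and the "x-skip-ppp-auth" key (a stand-in for the vendor-specific "skip further authentication" reply) are constructed placeholders.

```python
import hmac

# Constructed sample data: CLID -> reply profile for CLID-only callers.
CLID_PROFILES = {
    "4955501234": {"Framed-Pool": "isdn-pool", "x-skip-ppp-auth": True},
}
# Constructed PPP user record with Calling-Station-Id as an additional check item.
USERS = {
    "branch1": {"password": "example-secret", "Calling-Station-Id": "4955501234"},
}


def normalize_clid(value):
    """Keep digits only, so '+49 555-01234' and '4955501234' compare equal."""
    return "".join(ch for ch in (value or "") if ch.isdigit())


def decide(request):
    """Return (code, reply_attributes) for a dict of Access-Request attributes."""
    clid = normalize_clid(request.get("Calling-Station-Id"))
    if not clid:
        # Caller ID withheld or not delivered: there is nothing to match on.
        return "Access-Reject", {}
    user = request.get("User-Name", "")
    if request.get("Service-Type") == "Call-Check":
        # Pre-authentication: the NAS sends the CLID as the username before PPP.
        profile = CLID_PROFILES.get(clid)
        if profile is None or normalize_clid(user) != clid:
            return "Access-Reject", {}
        return "Access-Accept", dict(profile)
    # PPP phase: the password must match AND the call must come from the
    # number listed as the check item for that user.
    record = USERS.get(user)
    if record is None:
        return "Access-Reject", {}
    supplied = request.get("User-Password", "").encode()
    ok_pw = hmac.compare_digest(record["password"].encode(), supplied)
    ok_clid = normalize_clid(record["Calling-Station-Id"]) == clid
    if ok_pw and ok_clid:
        return "Access-Accept", {}
    return "Access-Reject", {}
```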

