[cisco-nas] ISDN Authentication using Caller ID

Oliver Boehmer (oboehmer) oboehmer at cisco.com
Wed May 2 18:37:21 EDT 2007


Gaurav Sabharwal <mailto:gaurav at inwire.net> wrote on Wednesday, May 02,
2007 8:32 PM:

> on 05/02/2007 08:11 PM Oliver Boehmer (oboehmer) said the following:
> {snip}
>>> The goal is to use only the ISDN CLID for authentication. The remote
>>> router will not be configured with any username/password
>>> information. 
>> 
>> Ok. May I ask the reason behind this?
> We are implementing this service for a customer that manage the CPE
> using a custom built interface (GUI that dials into the router and
> configures the router). From what we know, the costs and times
> associated with the change in the code are prohibitive.

And the code/GUI really deploys a dialer without any ppp authentication?
This is quite unusual IMHO..

>>> The document mentions that this is only supported on the AS53xx. Is
>>> this support there on the 2811s as well? I tried the "aaa preauth"
>>> command on couple of routers with 12.4.x IOS but the command is not
>>> available. 
>> 
>> Sorry, this feature is only available on the access servers in the
>> AS5xxx family.
> Can you think of any other way of implementing this? I was thinking
> about the crazy idea of using 1200 "dialer caller" statements +
> dynamic IP address assignment via a local pool. The dial part of the
solution
> is for backup services. The primary would be DSL.

Hmm, it really depends on how the remote site is set up. If they really
can't do any ppp authentication, dialer caller statements is likely the
only solution (if you can't do preauth), but provisioning will be a
nightmare, I feel. No chance to get a AS5xxx and do preauth? 

If they do ppp authentication, you could solve this on the Radius
backend, depends on the Radius server you use (i.e. ignore any
credentials and just use the CLID as check-item)..

	oli



More information about the cisco-nas mailing list