[cisco-nas] ISDN Authentication using Caller ID

Gaurav Sabharwal gaurav at inwire.net
Wed May 2 18:51:55 EDT 2007


on 05/03/2007 12:37 AM Oliver Boehmer (oboehmer) said the following:
> Gaurav Sabharwal <mailto:gaurav at inwire.net> wrote on Wednesday, May 02,
> 2007 8:32 PM:
> 
>> on 05/02/2007 08:11 PM Oliver Boehmer (oboehmer) said the following:
>> {snip}
>>>> The goal is to use only the ISDN CLID for authentication. The remote
>>>> router will not be configured with any username/password
>>>> information. 
>>> Ok. May I ask the reason behind this?
>> We are implementing this service for a customer that manages the CPE
>> using a custom built interface (GUI that dials into the router and
>> configures the router). From what we know, the costs and times
>> associated with the change in the code are prohibitive.
> 
> And the code/GUI really deploys a dialer without any ppp authentication?
> This is quite unusual IMHO..
Unusual would be the right clinical term :-) But hey, Customer is always 
right.
> 
>>>> The document mentions that this is only supported on the AS53xx. Is
>>>> this support there on the 2811s as well? I tried the "aaa preauth"
>>>> command on couple of routers with 12.4.x IOS but the command is not
>>>> available. 
>>> Sorry, this feature is only available on the access servers in the
>>> AS5xxx family.
>> Can you think of any other way of implementing this? I was thinking
>> about the crazy idea of using 1200 "dialer caller" statements +
>> dynamic IP address assignment via a local pool. The dial part of the
>> solution is for backup services. The primary would be DSL.
> 
> Hmm, it really depends on how the remote site is set up. If they really
> can't do any ppp authentication, dialer caller statements is likely the
> only solution (if you can't do preauth), but provisioning will be a
> nightmare, I feel. No chance to get an AS5xxx and do preauth?
We already have 2811 and would prefer to use them. I will have to get 
the pricing info. on the AS5xxx and see if they would be in the budget.

> If they do ppp authentication, you could solve this on the Radius
> backend, depends on the Radius server you use (i.e. ignore any
> credentials and just use the CLID as check-item).
My plan is to speak to the customer about this and see if we can come to 
a feasible option. Maybe use the same username/password on all the sites and 
then do a CLID check.

Thanks for all your help.

- Gaurav
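
Added example, not part of the original message and not tied to any particular RADIUS server: a Python model of the backend decision discussed above, where the CLID (RADIUS Calling-Station-Id) is the check-item and the PPP credential is either ignored or is one value shared by all sites. The numbers, site names, shared username/password and the function names are constructed for illustration.

```python
import hmac
import re

# Constructed sample data: CLIDs, site names and the shared credential are made up.
# Store each number in the form the NAS actually reports it (prefixes vary by carrier).
ALLOWED_CLIDS = {"4165550101": "site-0001", "4165550102": "site-0002"}
SHARED_USER = "backup-dial"
SHARED_SECRET = "example-shared-secret"


def normalize_clid(raw):
    """Reduce a Calling-Station-Id to bare digits; return None if unusable."""
    if not raw:
        return None
    digits = re.sub(r"\D", "", raw)
    return digits or None


def _same(a, b):
    """Constant-time string comparison."""
    return hmac.compare_digest(a.encode(), b.encode())


def authorize(request, require_shared_credential=True):
    """Return (decision, detail) for a dict of Access-Request attributes.

    require_shared_credential=False models "ignore any credentials and just
    use the CLID"; True models "same username/password on all sites, then
    a CLID check".
    """
    clid = normalize_clid(request.get("Calling-Station-Id"))
    if clid is None:
        # Fail closed: a call that presents no CLID must never match a site.
        return ("reject", "no-clid")
    site = ALLOWED_CLIDS.get(clid)
    if site is None:
        return ("reject", "unknown-clid")
    if require_shared_credential:
        user_ok = _same(request.get("User-Name", ""), SHARED_USER)
        pass_ok = _same(request.get("User-Password", ""), SHARED_SECRET)
        if not (user_ok and pass_ok):
            return ("reject", "bad-credential")
    return ("accept", site)


if __name__ == "__main__":
    call = {"User-Name": SHARED_USER, "User-Password": SHARED_SECRET,
            "Calling-Station-Id": "416-555-0101"}
    print(authorize(call))
```

With a shared credential the CLID is the only thing that distinguishes one site from another, so the reject paths for a missing or unknown Calling-Station-Id are the ones worth logging.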
