
ISDN Authentication using Caller ID
I am trying to setup something described at
http://www.cisco.com/en/US/customer/tech/tk801/tk379/technologies_configuration_example09186a00800949ee.shtml

To extend beyond, I would like to authenticate the dialin clients
against the Calling-Station-ID RADIUS attribute and assign them IP
addresses from a dynamic pool. This is on a Cisco 2811 router.

Can somebody please tell me if this is possible and provide me with a
sample configuration?

Thanks,
- Gaurav
_______________________________________________
cisco-nas mailing list
cisco-nas@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nas
Re: ISDN Authentication using Caller ID
Gaurav Sabharwal <> wrote on Wednesday, May 02, 2007 8:33 AM:

> I am trying to setup something described at
> http://www.cisco.com/en/US/customer/tech/tk801/tk379/technologies_configuration_example09186a00800949ee.shtml
>
> To extend beyond, I would like to authenticate the dialin clients
> against the Calling-Station-ID RADIUS attribute and assign them IP
> addresses from a dynamic pool. This is on a Cisco 2811 router.
>
> Can somebody please tell me if this is possible and provide me with a
> sample configuration?

Do you *only* want to use the ISDN caller-id (CLID) for authentication, i.e.
no PPP chap/pap phase? If you want to add the CLID as additional
authentication to PPP username/password, just add the Calling-Station-ID
as an additional check-item to your Radius user record. Depending on the
Radius server, you might even ignore the PPP credentials on the Radius,
and return Access-Accept as soon as the CLID matches.

If your Radius server is not able to do this, you can use ISDN
Pre-authentication
(http://www.cisco.com/univercd/cc/td/doc/product/software/ios121/121newft/121t/121t2/dtpreaut.htm). With this feature (not available on all
platforms), the NAS will send an access-request to the Radius right
after the ISDN call comes in (before it is established and PPP starts)
using the CLID or the DNIS as the username, and the Radius server can
return a profile telling the NAS to skip any subsequent authentication.

oli

Re: ISDN Authentication using Caller ID
on 05/02/2007 04:22 PM Oliver Boehmer (oboehmer) said the following:
> Gaurav Sabharwal <> wrote on Wednesday, May 02, 2007 8:33 AM:
>
>> I am trying to setup something described at
>>
>> http://www.cisco.com/en/US/customer/tech/tk801/tk379/technologies_configuration_example09186a00800949ee.shtml
>> To extend beyond, I would like to authenticate the dialin clients
>> against the Calling-Station-ID RADIUS attribute and assign them IP
>> addresses from a dynamic pool. This is on a Cisco 2811 router.
>>
>> Can somebody please tell me if this is possible and provide me with a
>> sample configuration?
>
> Do you *only* want to use the ISDN caller-id (CLID) for authentication, i.e.
> no PPP chap/pap phase? If you want to add the CLID as additional
> authentication to PPP username/password, just add the Calling-Station-ID
> as an additional check-item to your Radius user record. Depending on the
> Radius server, you might even ignore the PPP credentials on the Radius,
> and return Access-Accept as soon as the CLID matches.
The goal is to use only the ISDN CLID for authentication. The remote
router will not be configured with any username/password information.

> If your Radius server is not able to do this, you can use ISDN
> Pre-authentication
> (http://www.cisco.com/univercd/cc/td/doc/product/software/ios121/121newft/121t/121t2/dtpreaut.htm). With this feature (not available on all
> platforms), the NAS will send an access-request to the Radius right
> after the ISDN call comes in (before it is established and PPP starts)
> using the CLID or the DNIS as the username, and the Radius server can
> return a profile telling the NAS to skip any subsequent authentication.
The document mentions that this is only supported on the AS53xx. Is this
support there on the 2811s as well? I tried the "aaa preauth" command on
a couple of routers with 12.4.x IOS but the command is not available.

Thanks,
- Gaurav
Re: ISDN Authentication using Caller ID
Gaurav Sabharwal <mailto:gaurav@inwire.net> wrote on Wednesday, May 02,
2007 5:42 PM:

> on 05/02/2007 04:22 PM Oliver Boehmer (oboehmer) said the following:
>> Gaurav Sabharwal <> wrote on Wednesday, May 02, 2007 8:33 AM:
>>
>>> I am trying to setup something described at
>>>
>>
>>> http://www.cisco.com/en/US/customer/tech/tk801/tk379/technologies_configuration_example09186a00800949ee.shtml
>>> To extend beyond, I would like to authenticate the dialin clients
>>> against the Calling-Station-ID RADIUS attribute and assign them IP
>>> addresses from a dynamic pool. This is on a Cisco 2811 router.
>>>
>>> Can somebody please tell me if this is possible and provide me with
>>> a sample configuration?
>>
>> Do you *only* want to use the ISDN caller-id (CLID) for authentication,
>> i.e. no PPP chap/pap phase? If you want to add the CLID as additional
>> authentication to PPP username/password, just add the
>> Calling-Station-ID as an additional check-item to your Radius user
>> record. Depending on the Radius server, you might even ignore the
>> PPP credentials on the Radius, and return Access-Accept as soon as
>> the CLID matches.
>
> The goal is to use only the ISDN CLID for authentication. The remote
> router will not be configured with any username/password information.

Ok. May I ask the reason behind this?

>> If your Radius server is not able to do this, you can use ISDN
>> Pre-authentication
>>
>> (http://www.cisco.com/univercd/cc/td/doc/product/software/ios121/121newft/121t/121t2/dtpreaut.htm). With this feature (not available on all
>> platforms), the NAS will send an access-request to the Radius right
>> after the ISDN call comes in (before it is established and PPP
>> starts) using the CLID or the DNIS as the username, and the Radius
>> server can return a profile telling the NAS to skip any subsequent
>> authentication.
>
> The document mentions that this is only supported on the AS53xx. Is
> this support there on the 2811s as well? I tried the "aaa preauth" command
> on a couple of routers with 12.4.x IOS but the command is not available.

Sorry, this feature is only available on the access servers in the
AS5xxx family.

oli

Re: ISDN Authentication using Caller ID
on 05/02/2007 08:11 PM Oliver Boehmer (oboehmer) said the following:
{snip}
>> The goal is to use only the ISDN CLID for authentication. The remote
>> router will not be configured with any username/password information.
>
> Ok. May I ask the reason behind this?
We are implementing this service for a customer that manages the CPE
using a custom built interface (GUI that dials into the router and
configures the router). From what we know, the costs and times
associated with the change in the code are prohibitive.

{snip}
>> The document mentions that this is only supported on the AS53xx. Is
>> this support there on the 2811s as well? I tried the "aaa preauth" command
>> on a couple of routers with 12.4.x IOS but the command is not available.
>
> Sorry, this feature is only available on the access servers in the
> AS5xxx family.
Can you think of any other way of implementing this? I was thinking
about the crazy idea of using 1200 "dialer caller" statements + dynamic
IP address assignment via a local pool. The dial part of the solution is
for backup services. The primary would be DSL.

- Gaurav

Re: ISDN Authentication using Caller ID
If you have only one mad customer you don't need a huntgroup. Make a
default entry:

DEFAULT Calling-Station-Id == hisnumber, Auth-Type:= Accept
Framed-IP-Address = a.b.c.d,
etc.

Ivan Kalik
Kalik Informatika ISP


On 2/5/2007, "Gaurav Sabharwal" <gaurav@inwire.net> writes:

>The customer does not want any username/password on the dialer
>interface so we are stuck to using caller-id as the only authentication
>method. As I mentioned on the list, preauth seems to be available only
>on the AS53xx series.
>
>Can you point towards the huntgroups that you mention in the email?
>
>Thanks,
>- Gaurav
>on 05/02/2007 04:07 PM tnt@kalik.co.yu said the following:
>> aaa authentication ppp default
>>
>> You are not sending radius requests. ppp users will be authenticated
>> locally. You need to send auth to group radius. But get it to work first
>> with a local user. Then make entry for that user in radius. Then change
>> user to MAC authentication. Go step by step and you will get there much
>> quicker.
>>
>> If you want just MAC filtering (no user/pass, just a list of acceptable
>> callerIDs) then you need to use preauth on cisco. Or some extravagant
>> huntgroups in radius.
>>
>> Ivan Kalik
>> Kalik Informatika ISP
>>
>> On 2/5/2007, "Gaurav Sabharwal" <gaurav@inwire.net> writes:
>>
>>> Ivan,
>>>
>>> Thanks for the reply. I tried to configure the router for PAP
>>> authentication and the RADIUS server as you mentioned but I do not see
>>> any packets coming to the RADIUS server.
>>>
>>> The setup seems to be failing during the LCP phase. For PAP
>>> authentication, don't I need to setup the username/password on the
>>> client side? This is what I am trying to avoid.
>>>
>>> Below is the relevant configuration:
>>>
>>> NAS:
>>> aaa new-model
>>> !
>>> aaa authentication ppp default
>>> !
>>> interface BRI1/0
>>> no ip address
>>> encapsulation ppp
>>> dialer pool-member 1
>>> isdn switch-type basic-net3
>>> isdn point-to-point-setup
>>> !
>>> interface Dialer1
>>> ip unnumbered Loopback0
>>> encapsulation ppp
>>> dialer pool 1
>>> dialer-group 1
>>> no peer default ip address
>>> ppp authentication pap
>>> !
>>> radius-server attribute 8 include-in-access-req
>>> radius-server host 192.168.1.1 auth-port 1645 acct-port 1646
>>> radius-server key test01
>>> radius-server vsa send accounting
>>> radius-server vsa send authentication
>>>
>>> Client Side:
>>> !
>>> interface BRI0
>>> no ip address
>>> encapsulation ppp
>>> dialer pool-member 2
>>> dialer pool-member 3
>>> isdn switch-type basic-net3
>>> isdn point-to-point-setup
>>> no fair-queue
>>> no cdp enable
>>> !
>>> interface Dialer3
>>> ip address negotiated
>>> encapsulation ppp
>>> dialer pool 3
>>> dialer string 06155822147
>>> dialer-group 3
>>> no cdp enable
>>>
>>> Logs from the NAS:
>>> *Mar 1 18:31:11.699: %DIALER-6-BIND: Interface BR1/0:1 bound to profile Di1
>>> *Mar 1 18:31:11.707: %LINK-3-UPDOWN: Interface BRI1/0:1, changed state
>>> to up
>>> *Mar 1 18:31:11.707: %ISDN-6-CONNECT: Interface BRI1/0:1 is now
>>> connected to 6155667136 N/A
>>> *Mar 1 18:31:11.715: BR1/0:1 PPP: Using dialer call direction
>>> *Mar 1 18:31:11.715: BR1/0:1 PPP: Treating connection as a callin
>>> *Mar 1 18:31:11.715: BR1/0:1 PPP: Session handle[C300008C] Session id[114]
>>> *Mar 1 18:31:11.715: BR1/0:1 PPP: Phase is ESTABLISHING, Passive Open
>>> *Mar 1 18:31:11.715: BR1/0:1 LCP: State is Listen
>>> *Mar 1 18:31:11.931: BR1/0:1 LCP: I CONFREQ [Listen] id 42 len 10
>>> *Mar 1 18:31:11.935: BR1/0:1 LCP: MagicNumber 0x1829BF38
>>> (0x05061829BF38)
>>> *Mar 1 18:31:11.935: BR1/0:1 LCP: O CONFREQ [Listen] id 239 len 14
>>>
>>>
>>> Thanks,
>>> - Gaurav
>>>
>>> on 05/02/2007 01:44 PM tnt@kalik.co.yu said the following:
>>>> It's possible without doing anything on your router. Just replace
>>>> User-Name with Calling-Station-ID on your radius server. For Freeradius
>>>> make a users file entry:
>>>>
>>>> DEFAULT User-Name:=Calling-Station-ID
>>>>
>>>> and place it in front of your user entries. Warning: this won't work
>>>> with encrypted protocols, only PAP.
>>>>
>>>> Ivan Kalik
>>>> Kalik Informatika ISP
>>>>
>>>>
>>>> On 2/5/2007, "Gaurav Sabharwal" <gaurav@inwire.net> writes:
>>>>
>>>>> I am trying to setup something described at
>>>>> http://www.cisco.com/en/US/customer/tech/tk801/tk379/technologies_configuration_example09186a00800949ee.shtml
>>>>>
>>>>> To extend beyond, I would like to authenticate the dialin clients
>>>>> against the Calling-Station-ID RADIUS attribute and assign them IP
>>>>> addresses from a dynamic pool. This is on a Cisco 2811 router.
>>>>>
>>>>> Can somebody please tell me if this is possible and provide me with a
>>>>> sample configuration?
>>>>>
>>>>> Thanks,
>>>>> - Gaurav
>>>>> _______________________________________________
>>>>> cisco-nas mailing list
>>>>> cisco-nas@puck.nether.net
>>>>> https://puck.nether.net/mailman/listinfo/cisco-nas
>>>>>
>>>>>
>>>
>>>
>>
>
>
>

Re: ISDN Authentication using Caller ID
Gaurav Sabharwal <mailto:gaurav@inwire.net> wrote on Wednesday, May 02,
2007 8:32 PM:

> on 05/02/2007 08:11 PM Oliver Boehmer (oboehmer) said the following:
> {snip}
>>> The goal is to use only the ISDN CLID for authentication. The remote
>>> router will not be configured with any username/password
>>> information.
>>
>> Ok. May I ask the reason behind this?
> We are implementing this service for a customer that manages the CPE
> using a custom built interface (GUI that dials into the router and
> configures the router). From what we know, the costs and times
> associated with the change in the code are prohibitive.

And the code/GUI really deploys a dialer without any ppp authentication?
This is quite unusual IMHO..

>>> The document mentions that this is only supported on the AS53xx. Is
>>> this support there on the 2811s as well? I tried the "aaa preauth"
>>> command on a couple of routers with 12.4.x IOS but the command is not
>>> available.
>>
>> Sorry, this feature is only available on the access servers in the
>> AS5xxx family.
> Can you think of any other way of implementing this? I was thinking
> about the crazy idea of using 1200 "dialer caller" statements +
> dynamic IP address assignment via a local pool. The dial part of the solution
> is for backup services. The primary would be DSL.

Hmm, it really depends on how the remote site is set up. If they really
can't do any ppp authentication, dialer caller statements is likely the
only solution (if you can't do preauth), but provisioning will be a
nightmare, I feel. No chance to get an AS5xxx and do preauth?

If they do ppp authentication, you could solve this on the Radius
backend, depends on the Radius server you use (i.e. ignore any
credentials and just use the CLID as check-item)..

oli

Re: ISDN Authentication using Caller ID
on 05/03/2007 12:37 AM Oliver Boehmer (oboehmer) said the following:
> Gaurav Sabharwal <mailto:gaurav@inwire.net> wrote on Wednesday, May 02,
> 2007 8:32 PM:
>
>> on 05/02/2007 08:11 PM Oliver Boehmer (oboehmer) said the following:
>> {snip}
>>>> The goal is to use only the ISDN CLID for authentication. The remote
>>>> router will not be configured with any username/password
>>>> information.
>>> Ok. May I ask the reason behind this?
>> We are implementing this service for a customer that manages the CPE
>> using a custom built interface (GUI that dials into the router and
>> configures the router). From what we know, the costs and times
>> associated with the change in the code are prohibitive.
>
> And the code/GUI really deploys a dialer without any ppp authentication?
> This is quite unusual IMHO..
Unusual would be the right clinical term :-) But hey, Customer is always
right.
>
>>>> The document mentions that this is only supported on the AS53xx. Is
>>>> this support there on the 2811s as well? I tried the "aaa preauth"
>>>> command on a couple of routers with 12.4.x IOS but the command is not
>>>> available.
>>> Sorry, this feature is only available on the access servers in the
>>> AS5xxx family.
>> Can you think of any other way of implementing this? I was thinking
>> about the crazy idea of using 1200 "dialer caller" statements +
>> dynamic IP address assignment via a local pool. The dial part of the solution
>> is for backup services. The primary would be DSL.
>
> Hmm, it really depends on how the remote site is set up. If they really
> can't do any ppp authentication, dialer caller statements is likely the
> only solution (if you can't do preauth), but provisioning will be a
> nightmare, I feel. No chance to get an AS5xxx and do preauth?
We already have 2811 and would prefer to use them. I will have to get
the pricing info. on the AS5xxx and see if they would be in the budget.

> If they do ppp authentication, you could solve this on the Radius
> backend, depends on the Radius server you use (i.e. ignore any
> credentials and just use the CLID as check-item).
My plan is to speak to the customer about this and see if we can come to
a feasible option. Maybe use same username/password on all the sites and
then do a CLID check.

Thanks for all your help.

- Gaurav

Re: ISDN Authentication using Caller ID
Gaurav Sabharwal <mailto:gaurav@inwire.net> wrote on Thursday, May 03,
2007 12:52 AM:

>> If they do ppp authentication, you could solve this on the Radius
>> backend, depends on the Radius server you use (i.e. ignore any
>> credentials and just use the CLID as check-item).
>
> My plan is to speak to the customer about this and see if we can come
> to a feasible option. Maybe use same username/password on all the sites
> and then do a CLID check.

Yes, the same username/password on all sites and CLID check on the
Radius would be a feasible solution.
If you want to offer multilink-PPP as well, make sure you configure
"multilink bundle-name both" on your end..

oli

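The check-item behaviour that the thread relies on in three places (Oli's first reply, where Calling-Station-Id is added as a check item to the RADIUS user record; Ivan's "DEFAULT Calling-Station-Id == hisnumber, Auth-Type := Accept" entry; and the plan Oli and Gaurav settle on at the end, one shared PPP username/password on every site plus a CLID check) is modelled below as an added Python example. It is not part of the thread and not FreeRADIUS code; it only mimics the users-file semantics (entries tried in order, every check item must match, Auth-Type := Accept skips the password comparison). The username "cpe", the password, the second caller-id and the 192.0.2.x addresses are constructed samples; 6155667136 is the calling number that appears in Gaurav's NAS log.

```python
"""
Toy model of a RADIUS users-file policy for ISDN dial-in (constructed for
this thread; not FreeRADIUS code and not a configuration from the list).

Two policies are compared:
  * CLID-only: a DEFAULT entry with Auth-Type := Accept, so the caller-id
    alone decides and the PPP credentials are never compared.
  * shared credentials plus CLID: one entry per site keyed by its
    Calling-Station-Id, all sharing the same User-Name and password.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

ACCEPT, REJECT = "Access-Accept", "Access-Reject"


@dataclass
class Entry:
    """One users-file entry: name ("DEFAULT" matches any User-Name), check
    items that must all equal the request's attributes, the cleartext
    password (None when no password is required), whether Auth-Type :=
    Accept is set, and the reply items returned on success."""
    name: str
    checks: Dict[str, str]
    password: Optional[str] = None
    accept: bool = False
    reply: Dict[str, str] = field(default_factory=dict)


def evaluate(policy: List[Entry], request: Dict[str, str]) -> Tuple[str, Dict[str, str]]:
    """Return (decision, reply attributes) for one Access-Request.

    The first entry whose name and check items match decides the result;
    later entries are not consulted (no Fall-Through in this model). An
    attribute missing from the request never matches a check item, so a
    NAS that does not send Calling-Station-Id gets a reject, not a silent
    accept.
    """
    for entry in policy:
        if entry.name != "DEFAULT" and entry.name != request.get("User-Name"):
            continue
        if any(request.get(attr) != want for attr, want in entry.checks.items()):
            continue
        if entry.accept:
            return ACCEPT, dict(entry.reply)      # caller-id alone decides
        if entry.password is not None and request.get("User-Password") == entry.password:
            return ACCEPT, dict(entry.reply)
        return REJECT, {}                         # entry matched, bad credentials
    return REJECT, {}                             # no entry matched


# Policy 1: caller-id only, PPP credentials ignored (Auth-Type := Accept).
CLID_ONLY = [
    Entry("DEFAULT", {"Calling-Station-Id": "6155667136"}, accept=True,
          reply={"Framed-IP-Address": "192.0.2.10"}),
]

# Policy 2: the same PPP username/password on every CPE; the caller-id
# selects the site and the shared credential still has to be presented.
SHARED_CREDS_PLUS_CLID = [
    Entry("cpe", {"Calling-Station-Id": "6155667136"}, password="s3cret-shared",
          reply={"Framed-IP-Address": "192.0.2.10"}),
    Entry("cpe", {"Calling-Station-Id": "6155667137"}, password="s3cret-shared",
          reply={"Framed-IP-Address": "192.0.2.11"}),
]

# Constructed Access-Requests as a NAS would present them.
KNOWN_SITE = {"User-Name": "cpe", "User-Password": "s3cret-shared",
              "Calling-Station-Id": "6155667136"}
KNOWN_SITE_BAD_PASSWORD = {**KNOWN_SITE, "User-Password": "wrong"}
UNKNOWN_CLID = {**KNOWN_SITE, "Calling-Station-Id": "5550100"}
NO_CLID = {"User-Name": "cpe", "User-Password": "s3cret-shared"}


def compare(request: Dict[str, str]) -> Dict[str, str]:
    """Decision of each policy for one request, for side-by-side reading."""
    return {"clid_only": evaluate(CLID_ONLY, request)[0],
            "shared_creds_plus_clid": evaluate(SHARED_CREDS_PLUS_CLID, request)[0]}


if __name__ == "__main__":
    for label, req in [("known site", KNOWN_SITE),
                       ("known site, bad password", KNOWN_SITE_BAD_PASSWORD),
                       ("unknown caller-id", UNKNOWN_CLID),
                       ("no Calling-Station-Id in request", NO_CLID)]:
        print(f"{label:34} {compare(req)}")
```

Running it shows the difference the thread is circling: under the CLID-only policy the password is irrelevant (the "bad password" request is still accepted), whereas the shared-credential policy needs both the caller-id and the password to match. The caller-id is asserted by the ISDN network rather than proven by the peer, which is why Oli treats it as an additional check item rather than the only one. Both policies also depend on the NAS actually including Calling-Station-Id in the Access-Request; the last request shows that when it is absent, nothing matches.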