RADIUS Configuration Guide Cisco IOS XE Release 3S
AAA DNIS Map for Authorization
Downloads: This chapterpdf (PDF - 1.31MB) The complete bookPDF (PDF - 3.43MB) | The complete bookePub (ePub - 458.0KB) | Feedback

AAA DNIS Map for Authorization

The AAA DNIS Map for Authorization feature allows you to assign a Dialed Number Identification Service (DNIS) number to a particular authentication, authorization, and accounting (AAA) server group so that the server group can process authentication, authorization, and accounting requests for users dialing in to the network using that particular DNIS. Any phone line (a regular home phone or a commercial T1/PRI line) can be associated with several phone numbers. The DNIS number identifies the number that was called to reach you.

Finding Feature Information

Your software release may not support all the features documented in this module. For the latest caveats and feature information, see Bug Search Tool and the release notes for your platform and software release. To find information about the features documented in this module, and to see a list of the releases in which each feature is supported, see the feature information table at the end of this module.

Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to www.cisco.com/​go/​cfn. An account on Cisco.com is not required.

Prerequisites for AAA DNIS Map for Authorization

  • Before configuring the device to select a particular AAA server group based on the DNIS of the server group, you must configure the list of RADIUS server hosts and AAA server groups.
  • Before configuring AAA preauthentication, you must configure the aaa new-model command and make sure that the supporting preauthentication application is running on a RADIUS server in your network.

Information About AAA DNIS Map for Authorization

AAA Server Group Selection Based on DNIS

Cisco software allows you to assign a DNIS number to a particular AAA server group so that the server group can process authentication, authorization, and accounting requests for users dialing in to the network using that particular DNIS. Any phone line (a regular home phone or a commercial T1/PRI line) can be associated with several phone numbers. The DNIS number identifies the number that was called to reach you.

For example, suppose you want to share the same phone number with several customers, but you want to know which customer is calling before you pick up the phone. You can customize how you answer the phone because DNIS allows you to know which customer is calling when you answer.

Cisco devices with either ISDN or internal modems can receive the DNIS number. This functionality allows users to assign different RADIUS server groups for different customers (that is, different RADIUS servers for different DNIS numbers). Additionally, using server groups, you can specify the same server group for AAA services or a separate server group for each AAA service.

Cisco software provides the flexibility to implement authentication and accounting services in several ways:

  • Globally—AAA services are defined using global configuration access list commands and applied in general to all interfaces on a specific network access server.
  • Per interface—AAA services are defined using interface configuration commands and applied specifically to the interface being configured on a specific network access server.
  • DNIS mapping—You can use DNIS to specify an AAA server to supply AAA services.

Because each of these AAA configuration methods can be configured simultaneously, Cisco has established an order of precedence to determine which server or groups of servers provide AAA services. The order of precedence is as follows:

  • Per DNIS—If you configure the network access server to use DNIS to identify or determine which server group provides AAA services, this method takes precedence over any additional AAA selection method.
  • Per interface—If you configure the network access server per interface to use access lists to determine how a server provides AAA services, this method takes precedence over any global configuration AAA access lists.
  • Globally—If you configure the network access server by using global AAA access lists to determine how the security server provides AAA services, this method has the least precedence.

AAA Preauthentication

Configuring AAA preauthentication with ISDN PRI or channel-associated signaling (CAS) allows service providers to better manage ports using their existing RADIUS solutions and efficiently manage the use of shared resources to offer differing service-level agreements. With ISDN PRI or CAS, information about an incoming call is available to the network access server (NAS) before the call is connected. The available call information includes the following:

  • The DNIS number, also referred to as the called number
  • The Calling Line Identification (CLID) number, also referred to as the calling number
  • The call type, also referred to as the bearer capability

The AAA preauthentication feature allows a Cisco NAS to decide--on the basis of the DNIS number, the CLID number, or the call type--whether to connect an incoming call. (With ISDN PRI, it enables user authentication and authorization before a call is answered. With CAS, the call must be answered; however, the call can be dropped if preauthentication fails.)

When an incoming call arrives from the public network switch, but before it is connected, AAA preauthentication enables the NAS to send the DNIS number, CLID number, and call type to a RADIUS server for authorization. If the server authorizes the call, the NAS accepts the call. If the server does not authorize the call, the NAS sends a disconnect message to the public network switch to reject the call.

In the event that the RADIUS server application becomes unavailable or is slow to respond, a guard timer can be set in the NAS. When the timer expires, the NAS uses a configurable parameter to accept or reject the incoming call that has no authorization.

The AAA preauthentication feature supports the use of attribute 44 by the RADIUS server application and the use of RADIUS attributes that are configured in the RADIUS preauthentication profiles to specify preauthentication behavior. They can also be used, for instance, to specify whether subsequent authentication should occur and, if so, what authentication method should be used.

The following restrictions apply to AAA preauthentication with ISDN PRI and CAS:

  • Attribute 44 is available for CAS calls only when preauthentication or resource pooling is enabled.
  • Multichassis Multilink PPP (MMP) is not available with ISDN PRI.
  • AAA preauthentication is available only on some hardware platforms.
  • ISDN PRI is supported only on some hardware platforms.

Guard Timer for Call Handling

Because response times for preauthentication and authentication requests can vary, the guard timer allows you to control the handling of calls. The guard timer starts when the DNIS is sent to the RADIUS server. If the NAS does not receive a response from AAA before the guard timer expires, it accepts or rejects the calls on the basis of the configuration of the timer.

How to Configure AAA DNIS Map for Authorization

Configuring AAA DNIS Preauthentication

DNIS preauthentication enables preauthentication at call setup based on the number dialed. The DNIS number is sent directly to the security server when a call is received. If the call authenticated by AAA, it is accepted.

SUMMARY STEPS

    1.    enable

    2.    configure terminal

    3.    aaa preauthorization

    4.    group {radius | tacacs+ | server-group}

    5.    dnis [password string]

    6.    end


DETAILED STEPS
      Command or Action Purpose
    Step 1 enable


    Example:
    Device> enable
     

    Enables privileged EXEC mode.

    • Enter your password if prompted.
     
    Step 2 configure terminal


    Example:
    Device# configure terminal
     

    Enters global configuration mode.

     
    Step 3 aaa preauthorization


    Example:
    Device(config)# aaa preauthorization
     

    Enters AAA preauthentication configuration mode.

     
    Step 4 group {radius | tacacs+ | server-group}


    Example:
    Device(config-preauth)# group radius
     

    (Optional) Selects the security server to use for AAA preauthentication requests.

    • The default is RADIUS.
     
    Step 5 dnis [password string]


    Example:
    Device(config-preauth)# dnis password dnispass
     

    Enables preauthentication using DNIS and optionally specifies a password to use in Access-Request packets.

     
    Step 6 end


    Example:
    Device(config-preauth)# end
     

    Exits AAA preauthentication configuration mode and returns to privileged EXEC mode.

     

    Configuring AAA Server Group Selection Based on DNIS

    To configure the device to select a particular AAA server group based on the DNIS of the server group, configure DNIS mapping. To map a server group with a group name with a DNIS number, perform the following task.

    SUMMARY STEPS

      1.    enable

      2.    configure terminal

      3.    aaa dnis map enable

      4.    aaa dnis map dnis-number authentication ppp group server-group-name

      5.    aaa dnis map dnis-number authorization network group server-group-name

      6.    aaa dnis map dnis-number accounting network [none | start-stop | stop-only] group server-group-name

      7.    exit


    DETAILED STEPS
        Command or Action Purpose
      Step 1 enable


      Example:
      Device> enable
       

      Enables privileged EXEC mode.

      • Enter your password if prompted.
       
      Step 2 configure terminal


      Example:
      Device# configure terminal
       

      Enters global configuration mode.

       
      Step 3 aaa dnis map enable


      Example:
      Device(config)# aaa dnis map enable
       

      Enables DNIS mapping.

       
      Step 4 aaa dnis map dnis-number authentication ppp group server-group-name


      Example:
      Device(config)# aaa dnis map 7777 authentication ppp group sg1
       

      Maps a DNIS number to a defined AAA server group; the servers in this server group are being used for authentication.

       
      Step 5 aaa dnis map dnis-number authorization network group server-group-name


      Example:
      Device(config)# aaa dnis map 7777 authorization network group sg1
       

      Maps a DNIS number to a defined AAA server group; the servers in this server group are being used for authorization.

       
      Step 6 aaa dnis map dnis-number accounting network [none | start-stop | stop-only] group server-group-name


      Example:
      Device(config)# aaa dnis map 8888 accounting network stop-only group sg2
       

      Maps a DNIS number to a defined AAA server group; the servers in this server group are being used for accounting.

       
      Step 7 exit


      Example:
      Device(config)# exit
       

      Exits global configuration mode and returns to privileged EXEC mode.

       

      Configuring AAA Preauthentication

      SUMMARY STEPS

        1.    enable

        2.    configure terminal

        3.    aaa preauthorization

        4.    group server-group

        5.    clid [if-avail | required] [accept-stop] [password string]

        6.    ctype [if-avail | required] [accept-stop] [password string]

        7.    dnis [if-avail | required] [accept-stop] [password string]

        8.    dnis bypass dnis-group-name

        9.    end


      DETAILED STEPS
          Command or Action Purpose
        Step 1 enable


        Example:
        Device> enable
         

        Enables privileged EXEC mode.

        • Enter your password if prompted.
         
        Step 2 configure terminal


        Example:
        Device# configure terminal
         

        Enters global configuration mode.

         
        Step 3 aaa preauthorization


        Example:
        Device(config)# aaa preauthorization 
         

        Enters AAA preauthentication configuration mode.

         
        Step 4 group server-group


        Example:
        Device(config-preauth)# group sg2
         

        Specifies the AAA RADIUS server group to use for preauthentication.

         
        Step 5 clid [if-avail | required] [accept-stop] [password string]


        Example:
        Device(config-preauth)# clid required
         

        Preauthenticates calls on the basis of the CLID number.

         
        Step 6 ctype [if-avail | required] [accept-stop] [password string]


        Example:
        Device(config-preauth)# ctype required
         

        Preauthenticates calls on the basis of the call type.

         
        Step 7 dnis [if-avail | required] [accept-stop] [password string]


        Example:
        Device(config-preauth)# dnis required
         

        Preauthenticates calls on the basis of the DNIS number.

         
        Step 8 dnis bypass dnis-group-name


        Example:
        Device(config-preauth)# dnis bypass group1
         

        Specifies a group of DNIS numbers that will be bypassed for preauthentication.

         
        Step 9 end


        Example:
        Device(config-preauth)# end
         

        Exits preauthentication configuration mode and returns to privileged EXEC mode.

         

        Configuring a Guard Timer

        To set a guard timer to accept or reject a call in the event that the RADIUS server fails to respond to an authentication or preauthentication request, perform the following task.

        SUMMARY STEPS

          1.    enable

          2.    configure terminal

          3.    interface type number

          4.    isdn guard-timer milliseconds [on-expiry {accept | reject}]

          5.    call guard-timer milliseconds [on-expiry {accept | reject}]

          6.    end


        DETAILED STEPS
            Command or Action Purpose
          Step 1 enable


          Example:
          Device> enable
           

          Enables privileged EXEC mode.

          • Enter your password if prompted.
           
          Step 2 configure terminal


          Example:
          Device# configure terminal
           

          Enters global configuration mode.

           
          Step 3 interface type number


          Example:
          Device(config)# interface serial 1/0/0:23
           

          Enters interface configuration mode.

           
          Step 4 isdn guard-timer milliseconds [on-expiry {accept | reject}]


          Example:
          Device(config-if)# isdn guard-timer 8000 on-expiry reject
           

          Sets an ISDN guard timer to accept or reject a call in the event that the RADIUS server fails to respond to a preauthentication request.

           
          Step 5 call guard-timer milliseconds [on-expiry {accept | reject}]


          Example:
          Device(config-if)# call guard-timer 2000 on-expiry accept 
           

          Sets a CAS guard timer to accept or reject a call in the event that the RADIUS server fails to respond to a preauthentication request.

           
          Step 6 end


          Example:
          Device(config-if)# end
           

          Exits interface configuration mode and returns to privileged EXEC mode.

           

          Configuration Examples for AAA DNIS Map for Authorization

          Example: AAA Server Group Selection Based on DNIS

          The following example shows how to select RADIUS server groups based on DNIS to provide specific AAA services:

          ! This command enables AAA.
          aaa new-model
          !
          ! The following set of commands configures the RADIUS attributes for each server
          ! that will be associated with one of the defined server groups.
          radius-server host 172.16.0.1 auth-port 1645 acct-port 1646 key cisco1
          radius-server host 172.17.0.1 auth-port 1645 acct-port 1646 key cisco2
          radius-server host 172.18.0.1 auth-port 1645 acct-port 1646 key cisco3 
          radius-server host 172.19.0.1 auth-port 1645 acct-port 1646 key cisco4 
          radius-server host 172.20.0.1 auth-port 1645 acct-port 1646 key cisco5
          ! The following commands define the sg1 RADIUS server group and associate servers 
          ! with it.
          aaa group server radius sg1
            server 172.16.0.1
            server 172.17.0.1
          ! The following commands define the sg2 RADIUS server group and associate a server
          ! with it.
          aaa group server radius sg2
            server 172.18.0.1
          ! The following commands define the sg3 RADIUS server group and associate a server
          ! with it.
          aaa group server radius sg3
            server 172.19.0.1
          ! The following commands define the default-group RADIUS server group and associate
          ! a server with it.
          aaa group server radius default-group
            server 172.20.0.1
          ! The next set of commands configures default-group RADIUS server group parameters.
          aaa authentication ppp default group default-group
          aaa accounting network default start-stop group default-group
          !
          ! The next set of commands enables DNIS mapping and maps DNIS numbers to the defined
          ! RADIUS server groups. In this configuration, all PPP connection requests using 
          ! DNIS 7777 are sent to the sg1 server group. The accounting records for these
          ! connections (specifically, start-stop records) are handled by the sg2 server group.
          ! Calls with a DNIS of 8888 use server group sg3 for authentication and server group
          ! default-group for accounting. Calls with a DNIS of 9999 use server group
          ! default-group for authentication and server group sg3 for accounting records
          ! (stop records only). All other calls with DNIS other than the ones defined use the
          ! server group default-group for both authentication and stop-start accounting records.
          aaa dnis map enable
          aaa dnis map 7777 authentication ppp group sg1
          aaa dnis map 7777 accounting network start-stop group sg2
          aaa dnis map 8888 authentication ppp group sg3
          aaa dnis map 9999 accounting network stop-only group sg3

          Examples: AAA Preauthentication

          The following is a simple configuration that specifies that the DNIS number be used for preauthentication:

          aaa preauthentication
           group radius
           dnis required

          The following example shows a configuration that specifies that both the DNIS number and the CLID number be used for preauthentication. DNIS preauthentication is performed first, followed by CLID preauthentication.

          aaa preauthentication
           group radius
           dnis required
           clid required
          

          The following example specifies that preauthentication be performed on all DNIS numbers except the two DNIS numbers specified in the DNIS group called “dnis-group1”:

          aaa preauthentication
           group radius
           dnis required
           dnis bypass dnis-group1
          dialer dnis group dnis-group1
           number 12345
           number 12346
          

          The following is a sample AAA configuration with DNIS preauthentication:

          aaa new-model
          aaa authentication login CONSOLE none
          aaa authentication login RADIUS_LIST group radius
          aaa authentication login TAC_PLUS group tacacs+ enable
          aaa authentication login V.120 none
          aaa authentication enable default enable group tacacs+
          aaa authentication ppp RADIUS_LIST if-needed group radius
          aaa authorization exec RADIUS_LIST group radius if-authenticated
          aaa authorization exec V.120 none
          aaa authorization network default group radius if-authenticated
          aaa authorization network RADIUS_LIST if-authenticated group radius
          aaa authorization network V.120 group radius if-authenticated
          aaa accounting suppress null-username
          aaa accounting exec default start-stop group radius
          aaa accounting commands 0 default start-stop group radius
          aaa accounting network default start-stop group radius
          aaa accounting connection default start-stop group radius
          aaa accounting system default start-stop group radius
          aaa preauthentication
           dnis password Cisco-DNIS
          aaa nas port extended
          !
          radius-server configure-nas
          radius-server host 10.0.0.0 auth-port 1645 acct-port 1646 non-standard
          radius-server host 10.255.255.255 auth-port 1645 acct-port 1646 non-standard
          radius-server retransmit 2
          radius-server deadtime 1
          radius-server attribute nas-port format c
          radius-server unique-ident 18
          radius-server key MyKey
          

          Note


          To configure preauthentication, you must also set up preauthentication profiles on the RADIUS server.


          Examples: Guard Timer for ISDN and CAS

          The following example shows an ISDN guard timer that is set at 8000 milliseconds. A call is rejected if the RADIUS server does not respond to a preauthentication request when the timer expires.

          interface serial 1/0/0:23
           isdn guard-timer 8000 on-expiry reject
          aaa preauthentication
           group radius
           dnis required
          

          The following example shows a CAS guard timer that is set at 20,000 milliseconds. A call is accepted if the RADIUS server does not respond to a preauthentication request when the timer expires.

          controller T1 0
           framing esf
           clock source line primary
           linecode b8zs
           ds0-group 0 timeslots 1-24 type e&m-fgb dtmf dnis
           cas-custom 0
           call guard-timer 20000 on-expiry accept
          aaa preauthentication
          group radius
          dnis required

          Additional References

          Related Documents

          Related Topic

          Document Title

          Cisco IOS commands

          Cisco IOS Master Command List, All Releases

          AAA and RADIUS commands

          Cisco IOS Security Command Reference

          AAA

          Authentication, Authorization, and Accounting Configuration Guide (part of the Securing User Services Configuration Library)

          Technical Assistance

          Description

          Link

          The Cisco Support and Documentation website provides online resources to download documentation, software, and tools. Use these resources to install and configure the software and to troubleshoot and resolve technical issues with Cisco products and technologies. Access to most tools on the Cisco Support and Documentation website requires a Cisco.com user ID and password.

          http:/​/​www.cisco.com/​cisco/​web/​support/​index.html

          Feature Information for AAA DNIS Map for Authorization

          The following table provides release information about the feature or features described in this module. This table lists only the software release that introduced support for a given feature in a given software release train. Unless noted otherwise, subsequent releases of that software release train also support that feature.

          Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to www.cisco.com/​go/​cfn. An account on Cisco.com is not required.

          Table 1 Feature Information for AAA DNIS Map for Authorization

          Feature Name

          Releases

          Feature Information

          AAA DNIS Map for Authorization

          12.1(1)T

          12.2(2)T

          12.2(27)SBA

          Cisco IOS XE Release 2.3

          The AAA DNIS Map for Authorization feature allows you to assign a Dialed Number Identification Service (DNIS) number to a particular AAA server group so that the server group can process authentication, authorization, and accounting requests for users dialing in to the network using that particular DNIS. Any phone line (a regular home phone or a commercial T1/ PRI line) can be associated with several phone numbers. The DNIS number identifies the number that was called to reach you.

          The following commands were introduced or modified: aaa dnis enable, aaa dnis map authentication group, aaa dnis map authorization network group, and aaa dnis map accounting network.