Cisco Secure for Windows / UNIX and Cisco Access Registrar with CLID and DNIS Configuration Example

Document ID: 25703



Contents

Introduction
Prerequisites
      Requirements
      Components Used
      Conventions
Configure User Authentication, CLID Verification, and Preauthentication
      Configure IOS
      Configure Cisco Secure ACS for Windows 3.1
      Configure Cisco Secure ACS for UNIX 2.3.6(2)
      Configure Cisco Access Registrar 3.0P10
Verify
Troubleshoot
      Debugs
      Troubleshooting Commands
Related Information

Introduction

This document provides information on how to configure Calling Line Identification (CLID) / Dialed Number Identification Service (DNIS) in conjunction with the username and as a single authentication method. CLID / DNIS can be used in conjunction with a username to permit / deny the callers by CLID, DNIS, or both. It can also be used as a single mechanism to authenticate the call in an authentication, authorization, and accounting (AAA) preauthentication manner.

Note: AAA preauthentication is available only on the Cisco AS5300, Cisco AS5400, and Cisco AS5800 platforms.

Prerequisites

Requirements

Before attempting this configuration, ensure that you are familiar with these concepts:

  • RADIUS

  • AAA configuration for Cisco IOS® software

Components Used

The information in this document is based on these software and hardware versions:

  • Cisco IOS Software Release 12.2(16)

  • Cisco Secure ACS for UNIX 2.3(2)

  • Cisco Secure ACS for Windows 3.1

  • Cisco Access Registrar 3.0P10

The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any command.

Conventions

For more information on document conventions, refer to Cisco Technical Tips Conventions.

Configure User Authentication, CLID Verification, and Preauthentication

In this section, you are presented with the information to configure the features described in this document.

Note: To find additional information on the commands used in this document, use the Command Lookup Tool (registered customers only).

Configure IOS

User Authentication and CLID Verification

Note: This document is not intended to be a best practice AAA configuration guide. Instead, it provides you with information on how to configure the RADIUS server.

aaa new-model
!
aaa authentication ppp hsa group radius
aaa authorization network hsa group radius
aaa accounting network default start-stop group radius

interface Serial7/0:15
ip address 15.15.15.10 255.255.255.0
encapsulation ppp
isdn switch-type primary-net5
ppp authentication chap callin hsa
ppp authorization hsa

IOS Configuration and Preauthentication

  • CLID

    aaa new-model
    !
    aaa authentication ppp hsa group radius
    aaa authorization network hsa group radius
    aaa accounting network default start-stop group radius
    aaa preauth
    group radius
    clid required password cisco
  • DNIS

    aaa new-model
    !
    aaa authentication ppp hsa group radius
    aaa authorization network hsa group radius
    aaa accounting network default start-stop group radius
    aaa preauth
    group radius
    dnis required password cisco

Configure Cisco Secure ACS for Windows 3.1

User Authentication and CLID Verification

Either create a new user or find a user to which you would like to add CLID verification. In either case, ensure the user is able to authenticate without CLID verification before you proceed. Once this testing is successful, select User Setup, then scroll down to Network Access Restrictions (NAR).

Fill in the AAA Clients, the port (a specific dial-in line), the CLID (the caller ID, that is, the caller's number) and the DNIS (the called number). Here, the asterisk (*) can be used as a wildcard that matches any character any number of times. The question mark (?) can be used as a wildcard for any single character at the position where it appears.

Click Submit.

acs-clid-01.gif

Note: This configuration is also available on a group level.
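To make the wildcard semantics concrete, here is an added Python model of a permit/deny check over the four NAR fields (AAA client, port, CLID, DNIS). It is example code written for this page, not ACS's own matching engine. The field names, the first-match-wins evaluation order, the default deny and the rules for jdoe are assumptions chosen for illustration; the `*` and `?` semantics are the ones described above.

```python
import re

FIELDS = ("aaa_client", "port", "clid", "dnis")


def wildcard_to_regex(pattern):
    """Translate a NAR-style wildcard into a regex for fullmatch():
    '*' matches any run of characters (possibly empty), '?' exactly one
    character, everything else is literal (digits, ':' and '/' included)."""
    parts = []
    for ch in pattern:
        if ch == "*":
            parts.append(".*")
        elif ch == "?":
            parts.append(".")
        else:
            parts.append(re.escape(ch))
    return re.compile("".join(parts))


def rule_matches(rule, call_info):
    """A rule matches when every field it names matches the call; a field
    left out of the rule is treated as '*'."""
    return all(
        wildcard_to_regex(rule.get(f, "*")).fullmatch(call_info.get(f, "")) is not None
        for f in FIELDS
    )


def evaluate_nar(rules, call_info):
    """First matching (action, rule) pair wins; a call that matches no rule
    is denied. Simplified model (assumption), not ACS's own evaluation order."""
    for action, rule in rules:
        if rule_matches(rule, call_info):
            return action
    return "deny"


# Constructed rules for user jdoe: permitted from any 855x caller onto the
# 7070 DNIS through any channel of the PRI on AAA client 'nada', except 8559.
JDOE_RULES = [
    ("deny", {"clid": "8559"}),
    ("permit", {"aaa_client": "nada", "port": "Serial7/0:*",
                "clid": "855?", "dnis": "7070"}),
]


def make_call(clid, dnis="7070", port="Serial7/0:21", aaa_client="nada"):
    """Build the call description as the NAS would report it in the
    Calling-Station-Id / Called-Station-Id / NAS-Port attributes."""
    return {"aaa_client": aaa_client, "port": port, "clid": clid, "dnis": dnis}


if __name__ == "__main__":
    for clid in ("8551", "8559", "85511", "7551"):
        print(clid, "->", evaluate_nar(JDOE_RULES, make_call(clid)))
```

Note that `?` matches exactly one character, so a five-digit CLID such as 85511 does not match `855?`, while `85*` would match it; when a permit rule is meant to cover a whole extension range, pick the wildcard accordingly.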

Preauthentication

This is the configuration needed for both CLID and DNIS authentication.

acs-clid-02.gif

Configure Cisco Secure ACS for UNIX 2.3.6(2)

User Authentication and CLID Verification

User Profile Information
user = jdoe{
    profile_id = 22
    profile_cycle = 7
    password = chap "********"
    default service=permit
    radius=IETF {
        check_items= {
            6=2
            7=1
            31=8551
        }
    }
}

Note: There is no wildcard support in Cisco Secure ACS for Windows.

Preauthentication

User Profile Information
user = 8551{
    profile_id = 24
    profile_cycle = 2
    password = clear "********"
    radius=Cisco12.05 {
        reply_attributes= {
            6=5
            7=1
            9,1="preauth:service-type=2"
            9,1="preauth:auth-required=0"
        }
    }
}

Configure Cisco Access Registrar 3.0P10

User Authentication and CLID Verification

[ //localhost/Radius/UserLists/Default/jdoe ]
Name = jdoe
Description =
Password = <encrypted>
AllowNullPassword = FALSE
Enabled = TRUE
Group~ =
BaseProfile~ = default-PPP-users
AuthenticationScript~ =
AuthorizationScript~ =
UserDefined1 =
Attributes/
CheckItems/

--> cd checkItems/

[ //localhost/Radius/UserLists/Default/jdoe/CheckItems ]
Calling-Station-Id = 8551

Note: Cisco Access Registrar can use scripts to wildcard the string, but it is not easily done under the Check Items configuration.

Preauthentication

[ //localhost/Radius/UserLists/Default/8551 ]
Name = 8551
Description =
Password = <encrypted>
Enabled = TRUE
Group~ =
BaseProfile~ =
AuthenticationScript~ =
AuthorizationScript~ =
UserDefined1 =
AllowNullPassword = FALSE
Attributes/
CheckItems/

--> cd attributes/

[ //localhost/Radius/UserLists/Default/8551/Attributes ]
cisco-avpair = preauth:auth-required=0
cisco-avpair = preauth:service-type=2
Framed-Protocol = PPP
Service-Type = outbound

--> cd ../checkItems/

[ //localhost/Radius/UserLists/Default/8551/CheckItems ]

Verify

There is currently no verification procedure available for this configuration.

Troubleshoot

This section provides information you can use to troubleshoot your configuration.

Debugs

User Authentication and CLID Verification - Working

nada#debug aaa authentication
AAA Authentication debugging is on
nada#debug radius
Radius protocol debugging is on
nada#terminal monitor
nada#
*May 12 14:16:59.467: %LINK-3-UPDOWN: Interface Serial7/0:21, changed
state to up
*May 12 14:17:00.915: AAA: parse name=Serial7/0:21 idb type=13 tty=-1
*May 12 14:17:00.915: AAA: name=Serial7/0:21 flags=0x55 type=1 shelf=0
slot=7 adapter=0 port=0 channel=21
*May 12 14:17:00.915: AAA: parse name=<no string> idb type=-1 tty=-1
*May 12 14:17:00.915: AAA/MEMORY: create_user (0x6340A7E8) user='jdoe'
ruser='NULL' ds0=117440533 port='Serial7/0:21' rem_addr='8551/7070'
authen_type=CHAP service=PPP priv=1 initial_task_id='0'
*May 12 14:17:00.915: AAA/AUTHEN/START (4032587918): port='Serial7/0:21'
list='hsa' action=LOGIN service=PPP
*May 12 14:17:00.915: AAA/AUTHEN/START (4032587918): found list hsa
*May 12 14:17:00.915: AAA/AUTHEN/START (4032587918): Method=radius
(radius)
*May 12 14:17:00.915: RADIUS: ustruct sharecount=2
*May 12 14:17:00.915: Radius: radius_port_info() success=1
radius_nas_port=1
*May 12 14:17:00.979: RADIUS: Initial Transmit Serial7/0:21 id 4
10.48.66.26:1645, Access-Request, len 89
*May 12 14:17:00.979: Attribute 4 6 0A304A80
*May 12 14:17:00.979: Attribute 5 6 00004E35
*May 12 14:17:00.979: Attribute 61 6 00000002
*May 12 14:17:00.979: Attribute 1 8 6D757264
*May 12 14:17:00.979: Attribute 30 6 37303730
*May 12 14:17:00.979: Attribute 31 6 38353531
*May 12 14:17:00.979: Attribute 3 19 01E35833
*May 12 14:17:00.979: Attribute 6 6 00000002
*May 12 14:17:00.979: Attribute 7 6 00000001
*May 12 14:17:01.159: RADIUS: Received from id 4 10.48.66.26:1645,
Access-Accept, len 20
*May 12 14:17:01.279: AAA/AUTHEN (4032587918): status = PASS
*May 12 14:17:01.403: RADIUS: ustruct sharecount=3
*May 12 14:17:01.403: Radius: radius_port_info() success=1
radius_nas_port=1
*May 12 14:17:01.883: RADIUS: Initial Transmit Serial7/0:21 id 5
10.48.66.26:1646, Accounting-Request, len 98
*May 12 14:17:01.883: Attribute 4 6 0A304A80
*May 12 14:17:01.883: Attribute 5 6 00004E35
*May 12 14:17:01.883: Attribute 61 6 00000002
*May 12 14:17:01.883: Attribute 1 8 6D757264
*May 12 14:17:01.883: Attribute 30 6 37303730
*May 12 14:17:01.883: Attribute 31 6 38353531
*May 12 14:17:01.883: Attribute 40 6 00000001
*May 12 14:17:01.883: Attribute 45 6 00000001
*May 12 14:17:01.887: Attribute 6 6 00000002
*May 12 14:17:01.887: Attribute 44 10 00000003
*May 12 14:17:01.887: Attribute 7 6 00000001
*May 12 14:17:01.887: Attribute 41 6 00000000
*May 12 14:17:02.247: RADIUS: Received from id 5 10.48.66.26:1646,
Accounting-response, len 20
*May 12 14:17:02.367: %LINEPROTO-5-UPDOWN: Line protocol on Interface
Serial7/0:21, changed state to up
*May 12 14:17:05.519: %ISDN-6-CONNECT: Interface Serial7/0:21 is now
connected to 8551 jdoe
nada#

User Authentication and CLID Verification - Not Working

nada#
*May 12 14:30:17.663: %LINK-3-UPDOWN: Interface Serial7/0:24, changed
state to up
*May 12 14:30:19.051: AAA: parse name=Serial7/0:24 idb type=13 tty=-1
*May 12 14:30:19.051: AAA: name=Serial7/0:24 flags=0x55 type=1 shelf=0
slot=7 adapter=0 port=0 channel=24
*May 12 14:30:19.051: AAA: parse name=<no string> idb type=-1 tty=-1
*May 12 14:30:19.051: AAA/MEMORY: create_user (0x6342C374) user='jdoe'
ruser='NULL' ds0=117440536 port='Serial7/0:24' rem_addr='8551/7070'
authen_type=CHAP service=PPP priv=1 initial_task_id='0'
*May 12 14:30:19.051: AAA/AUTHEN/START (2387015397): port='Serial7/0:24'
list='hsa' action=LOGIN service=PPP
*May 12 14:30:19.051: AAA/AUTHEN/START (2387015397): found list hsa
*May 12 14:30:19.051: AAA/AUTHEN/START (2387015397): Method=radius
(radius)
*May 12 14:30:19.051: RADIUS: ustruct sharecount=2
*May 12 14:30:19.051: Radius: radius_port_info() success=1
radius_nas_port=1
*May 12 14:30:19.111: RADIUS: Initial Transmit Serial7/0:24 id 10
10.48.66.26:1645, Access-Request, len 89
*May 12 14:30:19.111: Attribute 4 6 0A304A80
*May 12 14:30:19.111: Attribute 5 6 00004E38
*May 12 14:30:19.115: Attribute 61 6 00000002
*May 12 14:30:19.115: Attribute 1 8 6D757264
*May 12 14:30:19.115: Attribute 30 6 37303730
*May 12 14:30:19.115: Attribute 31 6 38353531
*May 12 14:30:19.115: Attribute 3 19 01B1F982
*May 12 14:30:19.115: Attribute 6 6 00000002
*May 12 14:30:19.115: Attribute 7 6 00000001
*May 12 14:30:19.235: RADIUS: Received from id 10 10.48.66.26:1645,
Access-Reject, len 20
*May 12 14:30:19.415: AAA/AUTHEN (2387015397): status = FAIL
*May 12 14:30:19.415: AAA/MEMORY: free_user (0x6342C374) user='jdoe'
ruser='NULL' port='Serial7/0:24' rem_addr='8551/7070' authen_type=CHAP
service=PPP priv=1
*May 12 14:30:19.839: %ISDN-6-CONNECT: Interface Serial7/0:24 is now
connected to 8551
*May 12 14:30:19.839: %ISDN-6-DISCONNECT: Interface Serial7/0:24
disconnected from 8551 , call lasted 2 seconds
*May 12 14:30:20.743: %LINK-3-UPDOWN: Interface Serial7/0:24, changed
state to down
*May 12 14:30:22.131: %LINK-3-UPDOWN: Interface Serial7/0:25, changed
state to up
*May 12 14:30:23.887: AAA: parse name=Serial7/0:25 idb type=13 tty=-1
*May 12 14:30:23.887: AAA: name=Serial7/0:25 flags=0x55 type=1 shelf=0
slot=7 adapter=0 port=0 channel=25
*May 12 14:30:23.887: AAA: parse name=<no string> idb type=-1 tty=-1
*May 12 14:30:23.887: AAA/MEMORY: create_user (0x6342B7D8) user='jdoe'
ruser='NULL' ds0=117440537 port='Serial7/0:25' rem_addr='8551/7070'
authen_type=CHAP service=PPP priv=1 initial_task_id='0'
*May 12 14:30:23.887: AAA/AUTHEN/START (1401461304): port='Serial7/0:25'
list='hsa' action=LOGIN service=PPP
*May 12 14:30:23.891: AAA/AUTHEN/START (1401461304): found list hsa
*May 12 14:30:23.891: AAA/AUTHEN/START (1401461304): Method=radius
(radius)
*May 12 14:30:23.891: RADIUS: ustruct sharecount=2
*May 12 14:30:23.891: Radius: radius_port_info() success=1
radius_nas_port=1
*May 12 14:30:24.011: RADIUS: Initial Transmit Serial7/0:25 id 11
10.48.66.26:1645, Access-Request, len 89
*May 12 14:30:24.011: Attribute 4 6 0A304A80
*May 12 14:30:24.011: Attribute 5 6 00004E39
*May 12 14:30:24.011: Attribute 61 6 00000002
*May 12 14:30:24.011: Attribute 1 8 6D757264
*May 12 14:30:24.011: Attribute 30 6 37303730
*May 12 14:30:24.011: Attribute 31 6 38353531
*May 12 14:30:24.011: Attribute 3 19 01570F22
*May 12 14:30:24.011: Attribute 6 6 00000002
*May 12 14:30:24.011: Attribute 7 6 00000001
*May 12 14:30:24.131: RADIUS: Received from id 11 10.48.66.26:1645,
Access-Reject, len 20
*May 12 14:30:24.319: AAA/AUTHEN (1401461304): status = FAIL
*May 12 14:30:24.319: AAA/MEMORY: free_user (0x6342B7D8) user='jdoe'
ruser='NULL' port='Serial7/0:25' rem_addr='8551/7070' authen_type=CHAP
service=PPP priv=1
*May 12 14:30:24.803: %ISDN-6-CONNECT: Interface Serial7/0:25 is now
connected to 8551
*May 12 14:30:24.803: %ISDN-6-DISCONNECT: Interface Serial7/0:25
disconnected from 8551 , call lasted 2 seconds
*May 12 14:30:26.075: %LINK-3-UPDOWN: Interface Serial7/0:25, changed
state to down
*May 12 14:30:26.075: %LINK-3-UPDOWN: Interface Serial7/0:26, changed
state to up
*May 12 14:30:28.067: AAA: parse name=Serial7/0:26 idb type=13 tty=-1
*May 12 14:30:28.067: AAA: name=Serial7/0:26 flags=0x55 type=1 shelf=0
slot=7 adapter=0 port=0 channel=26
*May 12 14:30:28.067: AAA: parse name=<no string> idb type=-1 tty=-1
*May 12 14:30:28.067: AAA/MEMORY: create_user (0x6342BC60) user='jdoe'
ruser='NULL' ds0=117440538 port='Serial7/0:26' rem_addr='8551/7070'
authen_type=CHAP service=PPP priv=1 initial_task_id='0'
*May 12 14:30:28.067: AAA/AUTHEN/START (3875139579): port='Serial7/0:26'
list='hsa' action=LOGIN service=PPP
*May 12 14:30:28.067: AAA/AUTHEN/START (3875139579): found list hsa
*May 12 14:30:28.067: AAA/AUTHEN/START (3875139579): Method=radius
(radius)
*May 12 14:30:28.067: RADIUS: ustruct sharecount=2
*May 12 14:30:28.067: Radius: radius_port_info() success=1
radius_nas_port=1
*May 12 14:30:28.127: RADIUS: Initial Transmit Serial7/0:26 id 12
10.48.66.26:1645, Access-Request, len 89
*May 12 14:30:28.127: Attribute 4 6 0A304A80
*May 12 14:30:28.127: Attribute 5 6 00004E3A
*May 12 14:30:28.127: Attribute 61 6 00000002
*May 12 14:30:28.127: Attribute 1 8 6D757264
*May 12 14:30:28.127: Attribute 30 6 37303730
*May 12 14:30:28.127: Attribute 31 6 38353531
*May 12 14:30:28.127: Attribute 3 19 015AC1DA
*May 12 14:30:28.127: Attribute 6 6 00000002
*May 12 14:30:28.127: Attribute 7 6 00000001
*May 12 14:30:28.247: RADIUS: Received from id 12 10.48.66.26:1645,
Access-Reject, len 20
*May 12 14:30:28.427: AAA/AUTHEN (3875139579): status = FAIL
*May 12 14:30:28.431: AAA/MEMORY: free_user (0x6342BC60) user='jdoe'
ruser='NULL' port='Serial7/0:26' rem_addr='8551/7070' authen_type=CHAP
service=PPP priv=1
*May 12 14:30:28.851: %ISDN-6-CONNECT: Interface Serial7/0:26 is now
connected to 8551
*May 12 14:30:28.851: %ISDN-6-DISCONNECT: Interface Serial7/0:26
disconnected from 8551 , call lasted 2 seconds
*May 12 14:30:29.815: %LINK-3-UPDOWN: Interface Serial7/0:26, changed
state to down
nada#

Preauthentication

nada#
*May 12 17:11:08.207: AAA: parse name=Serial7/0:20 idb type=-1 tty=-1
*May 12 17:11:08.207: AAA: name=Serial7/0:20 flags=0x55 type=1 shelf=0
slot=7 adapter=0 port=0 channel=20
*May 12 17:11:08.207: AAA: parse name=<no string> idb type=-1 tty=-1
*May 12 17:11:08.207: AAA/MEMORY: create_user (0x6308590C) user='7070'
ruser='NULL' ds0=0 port='Serial7/0:20' rem_addr='8551/7070'
authen_type=ASCII service=LOGIN priv=1 initial_task_id='0'
*May 12 17:11:08.207: RADIUS: authenticating to get author data
*May 12 17:11:08.207: RADIUS: ustruct sharecount=2
*May 12 17:11:08.207: Radius: radius_port_info() success=1
radius_nas_port=1
*May 12 17:11:08.635: RADIUS: Initial Transmit Serial7/0:20 id 84
10.48.71.227:1645, Access-Request, len 80
*May 12 17:11:08.635: Attribute 4 6 0A304A80
*May 12 17:11:08.635: Attribute 5 6 00004E34
*May 12 17:11:08.635: Attribute 61 6 00000002
*May 12 17:11:08.635: Attribute 1 6 37303730
*May 12 17:11:08.635: Attribute 30 6 37303730
*May 12 17:11:08.635: Attribute 31 6 38353531
*May 12 17:11:08.635: Attribute 2 18 673A18EE
*May 12 17:11:08.635: Attribute 6 6 00000005
*May 12 17:11:08.695: RADIUS: Received from id 84 10.48.71.227:1645,
Access-Accept, len 93
*May 12 17:11:08.695: Attribute 6 6 00000005
*May 12 17:11:08.695: Attribute 7 6 00000001
*May 12 17:11:08.695: Attribute 26 31 0000000901197072
*May 12 17:11:08.695: Attribute 26 30 0000000901187072
*May 12 17:11:08.815: RADIUS: saved authorization data for user 6308590C
at 62D3F92C
*May 12 17:11:08.815: RADIUS: Saving attribute (0x6) for preauth
*May 12 17:11:08.815: RADIUS: Saving attribute (0x7) for preauth
*May 12 17:11:08.815: RADIUS: cisco AVPair "preauth:auth-required=0"
*May 12 17:11:08.819: RADIUS: cisco AVPair "preauth:service-type=2"
*May 12 17:11:08.819: RADIUS: Found and saved 'service-type' (val=0x2) for
preauth
*May 12 17:11:08.819: AAA/MEMORY: free_user (0x6308590C) user='7070'
ruser='NULL' port='Serial7/0:20' rem_addr='8551/7070' authen_type=ASCII
service=LOGIN priv=1
*May 12 17:11:09.299: %LINK-3-UPDOWN: Interface Serial7/0:20, changed
state to up
*May 12 17:11:10.323: AAA: parse name=Serial7/0:20 idb type=13 tty=-1
*May 12 17:11:10.323: AAA: name=Serial7/0:20 flags=0x55 type=1 shelf=0
slot=7 adapter=0 port=0 channel=20
*May 12 17:11:10.323: AAA: parse name=<no string> idb type=-1 tty=-1
*May 12 17:11:10.323: AAA/MEMORY: create_user (0x63083B58) user='7070'
ruser='7070' ds0=117440532 port='Serial7/0:20' rem_addr='8551/7070'
authen_type=NONE service=PPP priv=1 initial_task_id='0'
*May 12 17:11:10.751: RADIUS: ustruct sharecount=3
*May 12 17:11:10.751: Radius: radius_port_info() success=1
radius_nas_port=1
*May 12 17:11:11.171: RADIUS: Initial Transmit Serial7/0:20 id 85
10.48.71.227:1646, Accounting-Request, len 96
*May 12 17:11:11.171: Attribute 4 6 0A304A80
*May 12 17:11:11.171: Attribute 5 6 00004E34
*May 12 17:11:11.171: Attribute 61 6 00000002
*May 12 17:11:11.171: Attribute 1 6 37303730
*May 12 17:11:11.171: Attribute 30 6 37303730
*May 12 17:11:11.171: Attribute 31 6 38353531
*May 12 17:11:11.171: Attribute 40 6 00000001
*May 12 17:11:11.171: Attribute 45 6 00000002
*May 12 17:11:11.171: Attribute 6 6 00000002
*May 12 17:11:11.171: Attribute 44 10 0000000C
*May 12 17:11:11.171: Attribute 7 6 00000001
*May 12 17:11:11.171: Attribute 41 6 00000000
*May 12 17:11:11.291: RADIUS: Received from id 85 10.48.71.227:1646,
Accounting-response, len 20
*May 12 17:11:11.715: %LINEPROTO-5-UPDOWN: Line protocol on Interface
Serial7/0:20, changed state to up
*May 12 17:11:15.299: %ISDN-6-CONNECT: Interface Serial7/0:20 is now
connected to 8551 7070
nada#
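The raw attribute lines in these debugs are easier to read once decoded: Attribute 31 carries the CLID, Attribute 30 the DNIS, Attribute 1 the user name, and Attribute 26 the Cisco AV pairs that drive preauthentication. The following Python decoder is an added example, not part of the original document or of IOS; it takes lines copied from the debugs above (quoted here as constructed input) and names each attribute from the RFC 2865/2866 dictionary. The packet grouping and the truncation flag are assumptions based on what these debugs show, namely that only the leading bytes of each value are printed, and that the length field counts the two-byte attribute header.

```python
import re
from ipaddress import IPv4Address

# Attribute numbers (RFC 2865/2866) that appear in the debugs above.
ATTR_NAMES = {
    1: "User-Name", 2: "User-Password", 3: "CHAP-Password",
    4: "NAS-IP-Address", 5: "NAS-Port", 6: "Service-Type",
    7: "Framed-Protocol", 26: "Vendor-Specific", 30: "Called-Station-Id",
    31: "Calling-Station-Id", 40: "Acct-Status-Type", 41: "Acct-Delay-Time",
    44: "Acct-Session-Id", 45: "Acct-Authentic", 61: "NAS-Port-Type",
}
INTEGER_ATTRS = {5, 6, 7, 40, 41, 45, 61}
ENUMS = {
    6: {1: "Login", 2: "Framed", 5: "Outbound"},   # Service-Type
    7: {1: "PPP"},                                 # Framed-Protocol
    40: {1: "Start", 2: "Stop"},                   # Acct-Status-Type
    61: {2: "ISDN Sync"},                          # NAS-Port-Type
}
CREDENTIAL_ATTRS = {2, 3}   # never rendered, even though the debug prints bytes

ATTR_RE = re.compile(r"Attribute (\d+) (\d+) ([0-9A-Fa-f]+)")
PACKET_RE = re.compile(r"\b(Access-Request|Access-Accept|Access-Reject|"
                       r"Accounting-Request|Accounting-response)\b")


def decode_attribute(num, length, hexval):
    """Return (name, readable value, truncated) for one 'Attribute' debug line.
    The length field counts the 2-byte header, so the value is length-2 bytes;
    the debug prints only the leading bytes of longer values (assumption)."""
    raw = bytes.fromhex(hexval)
    name = ATTR_NAMES.get(num, f"Attribute-{num}")
    truncated = len(raw) < length - 2
    if num in CREDENTIAL_ATTRS:
        value = "<credential, not decoded>"
    elif num == 4 and len(raw) == 4:
        value = str(IPv4Address(raw))
    elif num in INTEGER_ATTRS:
        n = int.from_bytes(raw, "big")
        value = ENUMS.get(num, {}).get(n, str(n))
    elif num == 26 and len(raw) >= 6:
        # Cisco VSA layout: vendor id (4 bytes), vendor type, vendor length, text
        vendor = int.from_bytes(raw[:4], "big")
        text = raw[6:].decode("ascii", "replace")
        value = f"vendor={vendor} type={raw[4]} len={raw[5]} text={text!r}"
    elif raw and all(32 <= b < 127 for b in raw):
        value = raw.decode("ascii")
    else:
        value = "0x" + raw.hex()
    return name, value, truncated


def parse_debug(text):
    """Group 'debug radius' output into packets: [{"type": ..., "attrs": [...]}]."""
    packets = []
    for line in text.splitlines():
        m = PACKET_RE.search(line)
        if m:
            packets.append({"type": m.group(1), "attrs": []})
            continue
        m = ATTR_RE.search(line)
        if m and packets:
            num, length, hexval = int(m.group(1)), int(m.group(2)), m.group(3)
            packets[-1]["attrs"].append(decode_attribute(num, length, hexval))
    return packets


def summarize(packets):
    """Identity the NAS sent in the first Access-Request, plus the server's verdict."""
    summary = {"user": None, "clid": None, "dnis": None, "outcome": None}
    seen_request = False
    for pkt in packets:
        if pkt["type"] == "Access-Request" and not seen_request:
            seen_request = True
            attrs = {name: value for name, value, _ in pkt["attrs"]}
            summary["user"] = attrs.get("User-Name")
            summary["clid"] = attrs.get("Calling-Station-Id")
            summary["dnis"] = attrs.get("Called-Station-Id")
        elif pkt["type"] in ("Access-Accept", "Access-Reject") and seen_request:
            summary["outcome"] = pkt["type"]
            break
    return summary


# Constructed input: lines copied from the "Not Working" and "Preauthentication"
# debugs above, including the wrapped continuation lines as the page shows them.
SAMPLE_REJECT = """\
*May 12 14:30:19.111: RADIUS: Initial Transmit Serial7/0:24 id 10
10.48.66.26:1645, Access-Request, len 89
*May 12 14:30:19.111: Attribute 4 6 0A304A80
*May 12 14:30:19.111: Attribute 5 6 00004E38
*May 12 14:30:19.115: Attribute 1 8 6D757264
*May 12 14:30:19.115: Attribute 30 6 37303730
*May 12 14:30:19.115: Attribute 31 6 38353531
*May 12 14:30:19.115: Attribute 3 19 01B1F982
*May 12 14:30:19.115: Attribute 6 6 00000002
*May 12 14:30:19.115: Attribute 7 6 00000001
*May 12 14:30:19.235: RADIUS: Received from id 10 10.48.66.26:1645,
Access-Reject, len 20
"""
SAMPLE_PREAUTH = """\
10.48.71.227:1645, Access-Request, len 80
*May 12 17:11:08.635: Attribute 1 6 37303730
*May 12 17:11:08.635: Attribute 30 6 37303730
*May 12 17:11:08.635: Attribute 31 6 38353531
*May 12 17:11:08.635: Attribute 2 18 673A18EE
*May 12 17:11:08.635: Attribute 6 6 00000005
Access-Accept, len 93
*May 12 17:11:08.695: Attribute 6 6 00000005
*May 12 17:11:08.695: Attribute 26 31 0000000901197072
*May 12 17:11:08.695: Attribute 26 30 0000000901187072
"""
```

Running `summarize(parse_debug(SAMPLE_REJECT))` shows the NAS offered CLID 8551 and DNIS 7070 for this user and received an Access-Reject, which is the first thing to compare against the Calling-Station-Id check item on the server. In the preauthentication sample the request carries the DNIS as the user name and the Access-Accept returns Service-Type Outbound plus two Cisco VSAs (vendor 9, type 1) whose visible text starts with `pr`, the beginning of the `preauth:` AV pairs configured above; the full strings are not in the debug, so the decoder flags those attributes as truncated rather than guessing the rest.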

Troubleshooting Commands

Note: Before issuing debug commands, refer to Important Information on Debug Commands.

  • debug aaa authentication—Displays information about AAA authentication.

  • debug aaa authorization—Displays information about AAA authorization.

  • debug radius—Displays detailed debugging information associated with RADIUS.


Related Information



Updated: Feb 26, 2008