RADIUS Logical Line ID
Feature History for RADIUS Logical Line ID
Contents
•Supported Standards, MIBs, and RFCs
Feature Overview
The RADIUS Logical Line ID feature enables users to track their customers on the basis of the physical lines on which the customers' calls originate. Thus, users can better maintain the profile database of their customers as the customers move from one physical line to another.
Logical Line Identification (LLID) is an alphanumeric string (which must be a minimum of one character and a maximum of 253 characters) that is a logical identification of a subscriber line. LLID is maintained in a RADIUS server customer profile database. This customer profile database is connected to an L2TP access concentrator (LAC) and is separate from the RADIUS server that the LAC and L2TP Network Server (LNS) use for the authentication and authorization of incoming users. When the customer profile database receives a preauthorization request from the LAC, the server sends the LLID to the LAC as the Calling-Station-ID attribute (attribute 31).
The LAC sends a preauthorization request to the customer profile database when the LAC is configured for preauthorization. Configure the LAC for preauthorization using the subscriber access pppoe pre-authorize command.
Note: Downloading the LLID is referred to as preauthorization because it occurs before normal virtual private dialup network (VPDN) authorization downloads L2TP tunnel information.
The customer profile database consists of user profiles for each user connected to the LAC. Each user profile contains the NAS-IP-Address (attribute #4) and the NAS-Port-ID (attribute #5). When the LAC is configured for preauthorization, it queries the customer profile database using the username. (The username, which is in an authentication, authorization, and accounting (AAA) request, has physical line information.) When a match is found in the customer profile database, the customer profile database sends the LLID in the user profile. The LLID is defined in the username as the Calling-Station-ID attribute.
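The preauthorization reply described above can be checked on the receiving side before the LLID is trusted. The following is an added example, not Cisco code: it builds a constructed Access-Accept carrying attribute 31, verifies the RFC 2865 Response Authenticator, and extracts the LLID. The function names, the "exactly one attribute 31" policy, and the sample identifier and Request Authenticator are assumptions of this example; the secret and LLID strings reuse values from this page's configuration examples.

```python
import hashlib
import hmac
import struct

ACCESS_ACCEPT = 2          # RADIUS packet code, RFC 2865
CALLING_STATION_ID = 31    # attribute that carries the LLID

def response_auth(header, request_auth, attrs, secret):
    # RFC 2865: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    return hashlib.md5(header + request_auth + attrs + secret).digest()

def build_access_accept(ident, request_auth, secret, llid):
    """Profile-database side: constructed Access-Accept carrying the LLID."""
    value = llid.encode("ascii")
    attrs = bytes([CALLING_STATION_ID, len(value) + 2]) + value
    header = struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(attrs))
    return header + response_auth(header, request_auth, attrs, secret) + attrs

def parse_attributes(data):
    """Yield (type, value) for each attribute TLV, rejecting bad lengths."""
    i = 0
    while i < len(data):
        if len(data) - i < 2 or data[i + 1] < 2 or i + data[i + 1] > len(data):
            raise ValueError("malformed attribute")
        yield data[i], data[i + 2:i + data[i + 1]]
        i += data[i + 1]

def extract_llid(packet, ident, request_auth, secret):
    """LAC side: authenticate the reply, then return the LLID string."""
    if len(packet) < 20:
        raise ValueError("short packet")
    code, pkt_id, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_ACCEPT or pkt_id != ident or length != len(packet):
        raise ValueError("not the expected Access-Accept")
    expected = response_auth(packet[:4], request_auth, packet[20:], secret)
    if not hmac.compare_digest(expected, packet[4:20]):
        raise ValueError("Response Authenticator mismatch")
    llids = [v for t, v in parse_attributes(packet[20:]) if t == CALLING_STATION_ID]
    if len(llids) != 1:  # policy chosen for this example, not stated on the page
        raise ValueError("expected exactly one Calling-Station-ID")
    llid = llids[0].decode("ascii")
    if not 1 <= len(llid) <= 253 or not llid.isprintable():
        raise ValueError("LLID must be 1 to 253 printable characters")
    return llid

# Constructed sample values (identifier and Request Authenticator are made up).
SECRET = b"rad123"
REQUEST_AUTH = bytes(range(16))
SAMPLE = build_access_accept(7, REQUEST_AUTH, SECRET, "cat-example")
```

A reply whose attribute 31 was altered in transit, or that was generated with a different shared secret, fails the authenticator check and never reaches the LLID parsing step.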
Benefits
Stability and Security
This feature provides users with a virtual port that will not change as customers move. Thus, the LLID can also be used for additional security checks.
Restrictions
RADIUS Server Compatibility
Although this feature can be used with any vendor's RADIUS server, some RADIUS servers may require modifications to their dictionary files to allow the Calling-Station-ID attribute to be returned in access-accept messages. For example, the Merit RADIUS server will not support LLID downloading unless you modify its dictionary as follows: "ATTRIBUTE Calling-Station-Id 31 string (*, *)"
Support Restrictions
•This feature supports only RADIUS; TACACS+ is not supported.
•This feature can be applied only toward PPP over Ethernet over ATM (PPPoEoATM) and PPP over Ethernet over VLAN (PPPoEoVLAN) (Dot1Q) calls; no other calls, such as ISDN, can be used.
Related Documents
•The chapter "Configuring Broadband Access: PPP and Routed Bridge Encapsulation" in the Cisco IOS Wide-Area Networking Configuration Guide, Release 12.2
•The section "Configuring AAA Preauthentication" in the chapter "Configuring RADIUS" in the Cisco IOS Security Configuration Guide, Release 12.2
•Cisco IOS Dial Technologies Configuration Guide, Release 12.2
Supported Standards, MIBs, and RFCs
Standards
None
MIBs
None
To obtain lists of supported MIBs by platform and Cisco IOS release, and to download MIB modules, go to the Cisco MIB website on Cisco.com at the following URL:
http://www.cisco.com/public/sw-center/netmgmt/cmtk/mibs.shtml
To locate and download MIBs for selected platforms, Cisco IOS releases, and feature sets, use Cisco MIB Locator found at the following URL:
http://tools.cisco.com/ITDIT/MIBS/servlet/index
If Cisco MIB Locator does not support the MIB information that you need, you can also obtain a list of supported MIBs and download MIBs from the Cisco MIBs page at the following URL:
http://www.cisco.com/public/sw-center/netmgmt/cmtk/mibs.shtml
To access Cisco MIB Locator, you must have an account on Cisco.com. If you have forgotten or lost your account information, send a blank e-mail to cco-locksmith@cisco.com. An automatic check will verify that your e-mail address is registered with Cisco.com. If the check is successful, account details with a new random password will be e-mailed to you. Qualified users can establish an account on Cisco.com by following the directions found at this URL:
RFCs
None
Configuration Tasks
See the following sections for configuration tasks for the RADIUS Logical Line ID feature. Each task in the list is identified as either required or optional.
•Configuring Preauthorization (required)
•Configuring the LLID in a RADIUS User Profile (required)
•Verifying Logical Line ID (optional)
Configuring Preauthorization
To download the LLID and configure the LAC for preauthorization, use the following commands in global configuration mode:
Configuring the LLID in a RADIUS User Profile
To configure the user profile for preauthorization, add a NAS port user to the customer profile database and add the RADIUS IETF attribute 31 (Calling-Station-ID) to the user profile.
Verifying Logical Line ID
To verify feature functionality, use the following command in EXEC mode:
Command: Router# debug radius
Purpose: Checks to see that RADIUS attribute 31 is the LLID in the accounting-request on the LAC and in the access-request and accounting-request on the LNS.
Configuration Examples
This section provides the following configuration examples:
•LAC for Preauthorization Configuration Example
•RADIUS User Profile for LLID Example
LAC for Preauthorization Configuration Example
The following example shows how to configure your LAC for preauthorization by downloading the LLID:
aaa new-model
aaa group server radius sg_llid
 server 128.107.164.106 auth-port 1645 acct-port 1646
aaa group server radius sg_water
 server 128.107.164.106 auth-port 1645 acct-port 1646
aaa authentication ppp default group radius
aaa authorization config-commands
aaa authorization network default group sg_water
aaa authorization network mlist_llid group sg_llid
aaa session-id common
!
username s7200_2 password 0 lab
username s5300 password 0 lab
username sg_water password 0 lab
vpdn enable
!
vpdn-group 2
 request-dialin
  protocol l2tp
  domain water.com
 initiate-to ip 30.1.1.1
 local name s7200_2
!
vpdn-group 3
 accept-dialin
  protocol pppoe
  virtual-template 1
!
! Enable the LLID to be downloaded.
subscriber access pppoe pre-authorize nas-port-id mlist_llid
!
interface Loopback0
 ip address 20.1.1.2 255.255.255.0
!
interface Loopback1
 ip address 30.1.1.1 255.255.255.0
!
interface Ethernet1/0
 ip address 80.1.1.1 255.255.255.0 secondary
 ip address 10.0.58.111 255.255.255.0
 no cdp enable
!
interface ATM4/0
 no ip address
 no atm ilmi-keepalive
!
interface ATM4/0.1 point-to-point
 pvc 1/100
  encapsulation aal5snap
  protocol pppoe
!
interface virtual-template1
 no ip unnumbered Loopback0
 no peer default ip address
 ppp authentication chap
!
radius-server host 128.107.164.120 auth-port 1645 acct-port 1646 key rad123
radius-server host 128.107.164.106 auth-port 1645 acct-port 1646 key rad123
ip radius source-interface Loopback1
RADIUS User Profile for LLID Example
The following example shows how to configure the user profile for LLID querying for PPPoEoVLAN and PPPoEoATM and add attribute 31:
pppoeovlan
----------
nas-port:12.1.0.3:6/0/0/0 Password = "cisco",
    Service-Type = Outbound,
    Calling-Station-ID = "cat-example"
pppoeoa
--------
nas-port:12.1.0.3:6/0/0/1.100 Password = "cisco",
    Service-Type = Outbound,
    Calling-Station-ID = "cat-example"
Command Reference
This section documents the new command only.
•subscriber access pppoe pre-authorize
subscriber access pppoe pre-authorize
To enable the Logical Line Identification (LLID) to be downloaded, use the subscriber access pppoe pre-authorize command in global configuration mode. To disable this functionality, use the no form of this command.
subscriber access pppoe pre-authorize nas-port-id list-name
no subscriber access pppoe pre-authorize nas-port-id list-name
Syntax Description
nas-port-id: NAS port ID.
list-name: Authentication, authorization, and accounting (AAA) authorization method list configured on the L2TP access concentrator (LAC).
Defaults
LLID querying will not take place.
Command Modes
Global configuration
Command History
Usage Guidelines
The subscriber access pppoe pre-authorize command enables the LLID to be downloaded so the LAC can be configured for preauthorization. Thus, when queried, the RADIUS server can help download the LLID string to the LAC during preauthorization.
Note: This command enables LLID querying only for PPP over Ethernet over ATM (PPPoEoATM) and PPP over Ethernet over VLAN (PPPoEoVLAN) (Dot1Q) calls; all other calls, such as ISDN, are not supported.
Examples
The following example shows how to configure your LAC for preauthorization:
aaa new-model
aaa group server radius sg_llid
 server 128.107.164.106 auth-port 1645 acct-port 1646
aaa group server radius sg_water
 server 128.107.164.106 auth-port 1645 acct-port 1646
aaa authentication ppp default group radius
aaa authorization config-commands
aaa authorization network default group sg_water
aaa authorization network mlist_llid group sg_llid
aaa session-id common
!
username s7200_2 password 0 lab
username s5300 password 0 lab
username sg_water password 0 lab
vpdn enable
!
vpdn-group 2
 request-dialin
  protocol l2tp
  domain water.com
 initiate-to ip 30.1.1.1
 local name s7200_2
!
vpdn-group 3
 accept-dialin
  protocol pppoe
  virtual-template 1
!
subscriber access pppoe pre-authorize nas-port-id mlist_llid
!
Related Commands
Command: ip radius source-interface
Description: Forces RADIUS to use the IP address of a specified interface for all outgoing RADIUS packets.
Copyright © 2002, 2003, 2005 Cisco Systems, Inc. All rights reserved.