RADIUS Logical Line ID


Feature History for RADIUS Logical Line ID

Release        Modification
12.2(13)T      This feature was introduced.
12.2(15)B      This feature was integrated into Cisco IOS Release 12.2(15)B.
12.2(27)SBA    This feature was integrated into Cisco IOS Release 12.2(27)SBA.


Contents

Feature Overview

Supported Standards, MIBs, and RFCs

Configuration Tasks

Configuration Examples

Command Reference

Feature Overview

The RADIUS Logical Line ID feature enables users to track their customers on the basis of the physical lines on which the customers' calls originate. Thus, users can better maintain the profile database of their customers as the customers move from one physical line to another.

Logical Line Identification (LLID) is an alphanumeric string (which must be a minimum of one character and a maximum of 253 characters) that is a logical identification of a subscriber line. LLID is maintained in a RADIUS server customer profile database. This customer profile database is connected to an L2TP access concentrator (LAC) and is separate from the RADIUS server that the LAC and L2TP Network Server (LNS) use for the authentication and authorization of incoming users. When the customer profile database receives a preauthorization request from the LAC, the server sends the LLID to the LAC as the Calling-Station-ID attribute (attribute 31).

The LAC sends a preauthorization request to the customer profile database when the LAC is configured for preauthorization. Configure the LAC for preauthorization using the subscriber access pppoe pre-authorize command.


Note: Downloading the LLID is referred to as preauthorization because it occurs before normal virtual private dialup network (VPDN) authorization downloads L2TP tunnel information.


The customer profile database consists of user profiles for each user connected to the LAC. Each user profile contains the NAS-IP-Address (attribute #4) and the NAS-Port-ID (attribute #5). When the LAC is configured for preauthorization, it queries the customer profile database using the username. (The username, which is in an authentication, authorization, and accounting (AAA) request, has physical line information.) When a match is found in the customer profile database, the customer profile database sends the LLID in the user profile. The LLID is defined in the username as the Calling-Station-ID attribute.

Benefits

Stability and Security

This feature provides users with a virtual port that will not change as customers move. Thus, the LLID can also be used for additional security checks.

Restrictions

RADIUS Server Compatibility

Although this feature can be used with any vendor's RADIUS server, some RADIUS servers may require modifications to their dictionary files to allow the Calling-Station-ID attribute to be returned in access-accept messages. For example, the Merit RADIUS server will not support LLID downloading unless you modify its dictionary as follows: "ATTRIBUTE    Calling-Station-Id    31    string  (*, *)"

Support Restrictions

This feature supports only RADIUS; TACACS+ is not supported.

This feature can be applied only toward PPP over Ethernet over ATM (PPPoEoATM) and PPP over Ethernet over VLAN (PPPoEoVLAN) (Dot1Q) calls; no other calls, such as ISDN, can be used.

Related Documents

The chapter "Configuring Broadband Access: PPP and Routed Bridge Encapsulation" in the Cisco IOS Wide-Area Networking Configuration Guide, Release 12.2

The section "Configuring AAA Preauthentication" in the chapter "Configuring RADIUS" in the Cisco IOS Security Configuration Guide, Release 12.2

Cisco IOS Dial Technologies Configuration Guide, Release 12.2

Supported Standards, MIBs, and RFCs

Standards

None

MIBs

None

To obtain lists of supported MIBs by platform and Cisco IOS release, and to download MIB modules, go to the Cisco MIB website on Cisco.com at the following URL:

http://www.cisco.com/public/sw-center/netmgmt/cmtk/mibs.shtml

To locate and download MIBs for selected platforms, Cisco IOS releases, and feature sets, use Cisco MIB Locator found at the following URL:

http://tools.cisco.com/ITDIT/MIBS/servlet/index

If Cisco MIB Locator does not support the MIB information that you need, you can also obtain a list of supported MIBs and download MIBs from the Cisco MIBs page at the following URL:

http://www.cisco.com/public/sw-center/netmgmt/cmtk/mibs.shtml

To access Cisco MIB Locator, you must have an account on Cisco.com. If you have forgotten or lost your account information, send a blank e-mail to cco-locksmith@cisco.com. An automatic check will verify that your e-mail address is registered with Cisco.com. If the check is successful, account details with a new random password will be e-mailed to you. Qualified users can establish an account on Cisco.com by following the directions found at this URL:

http://www.cisco.com/register

RFCs

None

Configuration Tasks

See the following sections for configuration tasks for the RADIUS Logical Line ID feature. Each task in the list is identified as either required or optional.

Configuring Preauthorization (required)

Configuring the LLID in a RADIUS User Profile (required)

Verifying Logical Line ID (optional)

Configuring Preauthorization

To download the LLID and configure the LAC for preauthorization, use the following commands in global configuration mode:

Command: Router(config)# ip radius source-interface interface-name
Purpose: Specifies the IP address portion of the username for the preauthorization request.

Command: Router(config)# subscriber access pppoe pre-authorize nas-port-id list-name
Purpose: Enables the LLID to be downloaded so the LAC can be configured for preauthorization.


Configuring the LLID in a RADIUS User Profile

To configure the user profile for preauthorization, add a NAS port user to the customer profile database and add the RADIUS IETF attribute 31 (Calling-Station-ID) to the user profile.

Command: User-Name=nas-port:ip-address:slot/module/port/vpi.vci
Purpose: (Optional) Adds a PPPoE over ATM NAS port user.

Command: User-Name=nas-port:ip-address:slot/module/port/vlan-id
Purpose: (Optional) Adds a PPPoE over VLAN NAS port user.

Command: Calling-Station-Id = "string (*,*)"
Purpose: Adds attribute 31 to the user profile.
         string: One or more octets, containing the phone number that the user placed the call from.


Verifying Logical Line ID

To verify feature functionality, use the following command in EXEC mode:

Command: Router# debug radius
Purpose: Checks to see that RADIUS attribute 31 is the LLID in the accounting-request on the LAC and in the access-request and accounting-request on the LNS.


Configuration Examples

This section provides the following configuration examples:

LAC for Preauthorization Configuration Example

RADIUS User Profile for LLID Example

LAC for Preauthorization Configuration Example

The following example shows how to configure your LAC for preauthorization by downloading the LLID:

aaa new-model
aaa group server radius sg_llid
 server 128.107.164.106 auth-port 1645 acct-port 1646
aaa group server radius sg_water
 server 128.107.164.106 auth-port 1645 acct-port 1646
aaa authentication ppp default group radius 
aaa authorization config-commands
aaa authorization network default group sg_water
aaa authorization network mlist_llid group sg_llid
aaa session-id common
!
username s7200_2 password 0 lab
username s5300 password 0 lab
username sg_water password 0 lab
vpdn enable
!
vpdn-group 2
 request-dialin
  protocol l2tp
  domain water.com
 initiate-to ip 30.1.1.1
 local name s7200_2
!
vpdn-group 3
 accept-dialin
  protocol pppoe
  virtual-template 1
!
! Enable the LLID to be downloaded.
subscriber access pppoe pre-authorize nas-port-id mlist_llid
!
interface Loopback0
 ip address 20.1.1.2 255.255.255.0
!
interface Loopback1
 ip address 30.1.1.1 255.255.255.0
!
interface Ethernet1/0
 ip address 80.1.1.1 255.255.255.0 secondary
 ip address 10.0.58.111 255.255.255.0 
 no cdp enable
!
interface ATM4/0
 no ip address
 no atm ilmi-keepalive
!
interface ATM4/0.1 point-to-point
 pvc 1/100
  encapsulation aal5snap
  protocol pppoe
!
interface virtual-template1
 no ip unnumbered Loopback0
 no peer default ip address
 ppp authentication chap
!
radius-server host 128.107.164.120 auth-port 1645 acct-port 1646 key rad123
radius-server host 128.107.164.106 auth-port 1645 acct-port 1646 key rad123
ip radius source-interface Loopback1

RADIUS User Profile for LLID Example

The following example shows how to configure the user profile for LLID querying for PPPoEoVLAN and PPPoEoATM and add attribute 31:

pppoeovlan
----------
nas-port:12.1.0.3:6/0/0/0    Password = "cisco",
    Service-Type = Outbound,
    Calling-Station-ID = "cat-example"

pppoeoa
--------
nas-port:12.1.0.3:6/0/0/1.100    Password = "cisco",
    Service-Type = Outbound,
    Calling-Station-ID = "cat-example"
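
The lookup that the customer profile database performs on these entries can be modelled as follows. This is an added example, not Cisco code: it models only the username-to-LLID match (not the RADIUS exchange), the function names are hypothetical, and the flat-text profile layout is assumed to be the one shown above.

```python
import re

# Constructed sample, in the layout of the profile example on this page.
SAMPLE_PROFILES = '''\
nas-port:12.1.0.3:6/0/0/0    Password = "cisco",
    Service-Type = Outbound,
    Calling-Station-ID = "cat-example"

nas-port:12.1.0.3:6/0/0/1.100    Password = "cisco",
    Service-Type = Outbound,
    Calling-Station-ID = "cat-example"
'''

# nas-port:ip-address:slot/module/port/ then vpi.vci (ATM) or vlan-id (VLAN)
KEY_RE = re.compile(
    r"^nas-port:(?P<ip>\d{1,3}(?:\.\d{1,3}){3}):"
    r"(?P<slot>\d+)/(?P<module>\d+)/(?P<port>\d+)/"
    r"(?:(?P<vpi>\d+)\.(?P<vci>\d+)|(?P<vlan>\d+))$")
ATTR_RE = re.compile(r'Calling-Station-ID\s*=\s*"([^"]*)"', re.I)


def parse_key(username):
    """Split a preauthorization username into its physical-line fields."""
    m = KEY_RE.match(username)
    if not m:
        raise ValueError(f"not a nas-port username: {username!r}")
    fields = {k: v for k, v in m.groupdict().items() if v is not None}
    fields["encap"] = "PPPoEoATM" if "vpi" in fields else "PPPoEoVLAN"
    return fields


def load_profiles(text):
    """Return {username: LLID}; reject bad keys and LLIDs outside 1..253."""
    profiles = {}
    for block in re.split(r"\n\s*\n", text.strip()):
        username = block.split()[0]
        parse_key(username)  # raises ValueError on a malformed key
        m = ATTR_RE.search(block)
        if not m or not 1 <= len(m.group(1)) <= 253:
            raise ValueError(f"{username}: attribute 31 missing or invalid")
        profiles[username] = m.group(1)
    return profiles


def preauthorize(profiles, nas_ip, line):
    """Return the LLID for a physical line, or None when no profile matches."""
    return profiles.get(f"nas-port:{nas_ip}:{line}")
```

Running load_profiles over a profile file before deploying it catches a mistyped port key or an empty or over-long LLID, either of which would otherwise leave a line without a usable LLID.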

Command Reference

This section documents the new command only.

subscriber access pppoe pre-authorize

To enable the Logical Line Identification (LLID) to be downloaded, use the subscriber access pppoe pre-authorize command in global configuration mode. To disable this functionality, use the no form of this command.

subscriber access pppoe pre-authorize nas-port-id list-name

no subscriber access pppoe pre-authorize nas-port-id list-name

Syntax Description

nas-port-id    NAS port ID.
list-name      Authentication, authorization, and accounting (AAA) authorization method list configured on the L2TP access concentrator (LAC).


Defaults

LLID querying will not take place.

Command Modes

Global configuration

Command History

Release        Modification
12.2(13)T      This command was introduced.
12.2(15)B      This command was integrated into Cisco IOS Release 12.2(15)B.
12.2(27)SBA    This command was integrated into Cisco IOS Release 12.2(27)SBA.


Usage Guidelines

The subscriber access pppoe pre-authorize command enables the LLID to be downloaded so the LAC can be configured for preauthorization. Thus, when queried, the RADIUS server can help download the LLID string to the LAC during preauthorization.


Note: This command enables LLID querying only for PPP over Ethernet over ATM (PPPoEoATM) and PPP over Ethernet over VLAN (PPPoEoVLAN) (Dot1Q) calls; all other calls, such as ISDN, are not supported.


Examples

The following example shows how to configure your LAC for preauthorization:

aaa new-model
aaa group server radius sg_llid
 server 128.107.164.106 auth-port 1645 acct-port 1646
aaa group server radius sg_water
 server 128.107.164.106 auth-port 1645 acct-port 1646
aaa authentication ppp default group radius 
aaa authorization config-commands
aaa authorization network default group sg_water
aaa authorization network mlist_llid group sg_llid
aaa session-id common
!
username s7200_2 password 0 lab
username s5300 password 0 lab
username sg_water password 0 lab
vpdn enable
!
vpdn-group 2
 request-dialin
  protocol l2tp
  domain water.com
 initiate-to ip 30.1.1.1
 local name s7200_2
!
vpdn-group 3
 accept-dialin
  protocol pppoe
  virtual-template 1
!
subscriber access pppoe pre-authorize nas-port-id mlist_llid
!

Related Commands

Command: ip radius source-interface
Description: Forces RADIUS to use the IP address of a specified interface for all outgoing RADIUS packets.