- Securing User Services Overview
- Autosecure
-
-
-
- Configuring RADIUS
- AAA Dead-Server Detection
- ACL Default Direction
- Attribute Screening for Access Requests
- Enable Multilink PPP via RADIUS for Preauthentication User
- Enhanced Test Command
- Framed-Route in RADIUS Accounting
- Offload Server Accounting Enhancement
- Per VRF AAA
- RFC-2867 RADIUS Tunnel Accounting
- RADIUS Attribute Screening
- RADIUS Centralized Filter Management
- RADIUS Debug Enhancements
- RADIUS Logical Line ID
- RADIUS NAS-IP-Address Attribute Configurability
- RADIUS Route Download
- RADIUS Support of 56-Bit Acct Session-Id
- RADIUS Tunnel Preference for Load Balancing and Fail-Over
- RADIUS Server Reorder on Failure
- Tunnel Authentication via RADIUS on Tunnel Terminator
-
-
-
- RADIUS Attributes Overview and RADIUS IETF Attributes
- RADIUS Vendor-Proprietary Attributes
- Vendor-Specific Attributes (VSA) and RADIUS Disconnect-Cause Attribute Values
- Connect-Info RADIUS Attribute 77
- Encrypted Vendor Specific Attributes
- Local AAA Server
- Per-User QoS via AAA Policy Name
- RADIUS Attribute 5 (NAS-Port) Format Specified on a Per-Server Group Level
- RADIUS Attribute 8 (Framed-IP-Address) in Access Requests
- RADIUS Attribute 82: Tunnel Assignment ID
- RADIUS Attribute 104
- RADIUS Progress Codes
- RADIUS Timeout Set During Pre-Authentication
- RADIUS Tunnel Attribute Extensions
- V.92 Reporting Using RADIUS Attribute v.92-info
-
- Cisco IOS Login Enhancements (Login Block)
- Cisco IOS Resilient Configuration
- Image Verification
- IP Source Tracker
- Role-Based CLI Access
- Finding Feature Information
- Contents
- Prerequisites for RADIUS Logical Line ID
- Restrictions for RADIUS Logical Line ID
- Information About RADIUS Logical Line ID
- How to Configure RADIUS Logical Line ID
- Configuration Examples for RADIUS Logical Line ID
- Additional References
- Feature Information for RADIUS Logical Line ID
- Glossary
RADIUS Logical Line ID
The RADIUS Logical Line ID feature, also known as the Logical Line Identification (LLID) Blocking feature enables administrators to track their customers on the basis of the physical lines on which customer calls originate. Administrators use a virtual port that does not change as customers move from one physical line to another. This virtual port facilitates the maintenance of the administrator's customer profile database and allows the administrator to do additional security checks on customers.
Finding Feature Information
Your software release may not support all the features documented in this module. For the latest feature information and caveats, see the release notes for your platform and software release. To find information about the features documented in this module, and to see a list of the releases in which each feature is supported, see the "Feature Information for RADIUS Logical Line ID" section.
Use Cisco Feature Navigator to find information about platform support and Cisco IOS and Catalyst OS software image support. To access Cisco Feature Navigator, go to http://tools.cisco.com/ITDIT/CFN/jsp/index.jsp. An account on Cisco.com is not required.
Contents
•Prerequisites for RADIUS Logical Line ID
•Restrictions for RADIUS Logical Line ID
•Information About RADIUS Logical Line ID
•How to Configure RADIUS Logical Line ID
•Configuration Examples for RADIUS Logical Line ID
•Feature Information for RADIUS Logical Line ID
Prerequisites for RADIUS Logical Line ID
Although this feature can be used with any RADIUS server, some RADIUS servers may require modifications to their dictionary files to allow the Calling-Station-ID attribute to be returned in Access-Accept messages. For example, the Merit RADIUS server does not support LLID downloading unless you modify its dictionary as follows: "ATTRIBUTE Calling-Station-Id 31 string (*, *)"
Restrictions for RADIUS Logical Line ID
The RADIUS Logical Line ID feature supports RADIUS only. TACACS+ is not supported.
This feature can be applied only toward PPP over Ethernet over ATM (PPPoEoATM) and PPP over Ethernet over VLAN (PPPoEoVLAN) (Dot1Q) calls; no other calls, such as ISDN, can be used.
Information About RADIUS Logical Line ID
LLID is an alphanumeric string (which must be a minimum of one character and a maximum of 253 characters) that is a logical identification of a subscriber line. LLID is maintained in a customer profile database on a RADIUS server. When the customer profile database receives a preauthorization request from the access router, the RADIUS server sends the LLID to the router as the Calling-Station-ID attribute (attribute 31).
The Layer 2 Tunneling Protocol (L2TP) access concentrator (LAC) sends a preauthorization request to the customer profile database when the LAC is configured for preauthorization. Configure the LAC for preauthorization using the subscriber access command.
Note Downloading the LLID is referred to as "preauthorization" because it occurs before either service (domain) authorization or user authentication and authorization occur.
The customer profile database on the RADIUS server consists of user profiles for each physical network access server (NAS) port that is connected to the router. Each user profile contains a profile matched to a username (attribute 1) representing the physical port on the router. When the router is configured for preauthorization, it queries the customer profile database using a username representative of the physical NAS port making the connection to the router. When a match is found in the customer profile database, the customer profile database returns an Access-Accept message containing the LLID in the user profile. The LLID is defined in the Access-Accept record as the Calling-Station-ID attribute.
The preauthorization process can also provide the real username being used for authentication to the RADIUS server. Because the physical NAS port information is being used as the username (attribute 1), RADIUS attribute 77 (Connect-Info) can be configured to contain the authentication username. This configuration allows the RADIUS server to provide additional validation on the authorization request if it chooses, such as analyzing the username for privacy rules, before returning an LLID back to the router.
How to Configure RADIUS Logical Line ID
See the following sections for configuration tasks for the RADIUS Logical Line ID feature. Each task in the list is identified as either required or optional.
•Configuring Preauthorization (required)
•Configuring the LLID in a RADIUS User Profile (required)
•Verifying Logical Line ID (optional)
Configuring Preauthorization
To download the LLID and configure the LAC for preauthorization, perform the following steps.
SUMMARY STEPS
1. enable
2. configure terminal
3. ip radius source-interface interface-name
4. subscriber access {pppoe | pppoa} pre-authorize nas-port-id [default | list-name][send username]
DETAILED STEPS
Configuring the LLID in a RADIUS User Profile
To configure the user profile for preauthorization, add a NAS port user to the customer profile database and add RADIUS Internet Engineering Task Force (IETF) attribute 31 (Calling-Station-ID) to the user profile.
SUMMARY STEPS
1. UserName=nas_port: ip-address:slot/module/port/vpi.vci
2. UserName=nas-port: ip-address:slot/module/port/vlan-id
3. Calling-Station-Id = "string (*,*)"
DETAILED STEPS
Verifying Logical Line ID
To verify feature functionality, perform the following steps.
SUMMARY STEPS
1. enable
2. debug radius
DETAILED STEPS
Configuration Examples for RADIUS Logical Line ID
This section provides the following configuration examples:
•LAC for Preauthorization Configuration: Example
•RADIUS User Profile for LLID: Example
LAC for Preauthorization Configuration: Example
The following example shows how to configure your LAC for preauthorization by downloading the LLID:
aaa new-model
aaa group server radius sg_llid
server 172.31.164.106 auth-port 1645 acct-port 1646
aaa group server radius sg_water
server 172.31.164.106 auth-port 1645 acct-port 1646
aaa authentication ppp default group radius
aaa authorization confg-commands
aaa authorization network default group sg_water
aaa authorization network mlist_llid group sg_llid
aaa session-id common
!
username s7200_2 password 0 lab
username s5300 password 0 lab
username sg_water password 0 lab
vpdn enable
!
vpdn-group 2
request-dialin
protocol l2tp
domain water.com
domain water.com#184
initiate-to ip 10.1.1.1
local name s7200_2
l2tp attribute clid mask-method right * 255 match #184
!
vpdn-group 3
accept dialin
procotol pppoe
virtual-template 1
!
! Enable the LLID to be downloaded.
subscriber access pppoe pre-authorize nas-port-id mlist_llid send username
!
interface Loopback0
ip address 10.1.1.2 255.255.255.0
!
interface Loopback1
ip address 10.1.1.1 255.255.255.0
!
interface Ethernet1/0
ip address 10.1.1.8 255.255.255.0 secondary
ip address 10.0.58.111 255.255.255.0
no cdp enable
!
interface ATM4/0
no ip address
no atm ilmi-keepalive
!
interface ATM4/0.1 point-to-point
pvc 1/100
encapsulation aa15snap
protocol pppoe
!
interface virtual-template1
no ip unnumbered Loopback0
no peer default ip address
ppp authentication chap
!
radius-server host 172.31.164.120 auth-port 1645 acct-port 1646 key rad123
radius-server host 172.31.164.106 auth-port 1645 acct-port 1646 key rad123
ip radius source-interface Loopback1
RADIUS User Profile for LLID: Example
The following example shows how to configure the user profile for LLID querying for PPPoEoVLAN and PPPoEoATM and how to add attribute 31:
pppoeovlan
----------
nas-port:10.1.0.3:6/0/0/0 Password = "cisco",
Service-Type = Outbound,
Calling-Station-ID = "cat-example"
pppoeoa
--------
nas-port:10.1.0.3:6/0/0/1.100 Password = "cisco",
Service-Type = Outbound,
Calling-Station-ID = "cat-example"
Additional References
The following sections provide references related to RADIUS Logical Line ID.
Related Documents
|
|
---|---|
AAA authentication |
"Configuring AAA Preauthentication" section in the "Configuring RADIUS" module. |
Attribute screening for access requests |
"RADIUS Attribute Screening" section in the in the "Configuring RADIUS" module. |
Broadband access: PPP and routed bridge encapsulation |
Cisco IOS Broadband Access Aggregation and DSL Configuration Guide, Release 12.4T |
Dial technologies |
Cisco IOS Dial Technologies Configuration Guide, Release 12.4T |
Standards
|
|
---|---|
None |
— |
MIBs
|
|
---|---|
None |
To locate and download MIBs for selected platforms, Cisco IOS releases, and feature sets, use Cisco MIB Locator found at the following URL: |
RFCs
|
|
---|---|
None |
— |
Technical Assistance
Feature Information for RADIUS Logical Line ID
Table 1 lists the release history for this feature.
Not all commands may be available in your Cisco IOS software release. For release information about a specific command, see the command reference documentation.
Use Cisco Feature Navigator to find information about platform support and software image support. Cisco Feature Navigator enables you to determine which Cisco IOS and Catalyst OS software images support a specific software release, feature set, or platform. To access Cisco Feature Navigator, go to http://tools.cisco.com/ITDIT/CFN/jsp/index.jsp. An account on Cisco.com is not required.
Note Table 1 lists only the Cisco IOS software release that introduced support for a given feature in a given Cisco IOS software release train. Unless noted otherwise, subsequent releases of that Cisco IOS software release train also support that feature.
Glossary
LLID Blocking—A feature that enables administrators to track their customers on the basis of the physical lines on which the calls of the customers originate. Also known as RADIUS Logical Line ID.
RADIUS Logical Line ID—A feature that enables administrators to track their customers on the basis of the physical lines on which the calls of the customers originate. Also known as LLID Blocking.
Cisco and the Cisco Logo are trademarks of Cisco Systems, Inc. and/or its affiliates in the U.S. and other countries. A listing of Cisco's trademarks can be found at www.cisco.com/go/trademarks. Third party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (1005R)
Any Internet Protocol (IP) addresses and phone numbers used in this document are not intended to be actual addresses and phone numbers. Any examples, command display output, network topology diagrams, and other figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses or phone numbers in illustrative content is unintentional and coincidental.
© 2002, 2003, 2005-2009 Cisco Systems, Inc. All rights reserved.