RADIUS Logical Line Identification
RADIUS Logical Line Identifier (LLID) Overview
The logical line identification (LLID) feature helps service providers maintain a reliable and up-to-date customer database for subscribers who frequently move from one physical line to another. The LLID gives the service provider a configurable calling station ID for the subscriber access line. A calling station ID is derived from the physical line location and the subscriber client's information. Line information derived from the service provider's facility is awkward for the access line wholesaler to use when managing access line ownership, because it changes every time a subscriber moves to a new physical location. The LLID feature is based on a virtual port — the LLID — rather than on the physical line used by the subscriber, and provides AAA-driven line information management with a service provider (usually a wholesaler).
The LLID is an alphanumeric string that is based on the subscriber user name and circuit ID. The LLID logically identifies the subscriber line, and is mapped to the subscriber’s physical line in the service provider customer database. When the subscriber moves to a different location and different physical line, the database is updated to map the LLID to the new physical line. Because the subscriber’s LLID remains constant, it provides service providers with a secure and reliable means for tracking subscribers and maintaining an accurate customer database. Subscriber management supports the LLID feature for PPP subscribers over PPPoE, PPPoA, and LAC.
To assign an LLID to a subscriber, the router issues two RADIUS access requests. The first request is a preauthentication request, which obtains the LLID from a RADIUS preauthentication server. The second request is the standard authentication request sent to the RADIUS authentication server.
The following sequence of steps describes how subscriber management obtains and uses the LLID. The procedure assumes that preauthentication is enabled on the router and that the RADIUS preauthentication and authentication servers are configured.
The PPP subscriber sends an Authentication-Request message to the router.
The router sends an Access-Request message to the RADIUS preauthentication server to obtain an LLID for the subscriber.
The preauthentication server returns the LLID to the router in the Calling-Station-Id attribute (RADIUS attribute 31) in the Access-Accept message.
Note: This step includes a non-standard use of the Calling-Station-Id attribute. This attribute is typically present in RADIUS request messages, such as an Access-Request, not in response messages. Also, the router ignores all RADIUS attributes, other than the Calling-Station-Id, that are returned in the preauthentication Access-Accept message. In addition, any RADIUS options that are configured on the router, such as calling-station-id-format, have no effect on the Calling-Station-Id attribute in the preauthentication request.
The router encodes the Calling-Station-Id (the LLID) in a second Access-Request message and sends the message to the RADIUS authentication server. This authentication request is the standard use of the Calling-Station-Id attribute.
The RADIUS authentication server returns an Access-Accept message to the router. The Access-Accept message includes attributes for the subscriber session.
Note: Once the preauthenticated subscriber has been successfully authenticated by the RADIUS authentication server, all subsequent RADIUS request messages, such as Accounting-Request messages, will include the LLID in the Calling-Station-Id attribute.
For tunneled PPP subscribers, the router, acting as an L2TP access concentrator (LAC), encodes the LLID into Calling Number AVP (L2TP attribute 22) and sends the attribute to the L2TP network server (LNS) in an Incoming-Call-Request (ICRQ) packet. After a successful preauthentication request, the router always encodes the LLID in the L2TP Calling Number AVP.
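The two-request exchange described above, as an added Python example that is not part of this Juniper page: it verifies the preauthentication Access-Accept with the RFC 2865 Response Authenticator, takes only Calling-Station-Id (31) from that reply and ignores every other attribute (as the router does), and then builds the second Access-Request carrying the LLID. The shared secret, user name and LLID value are constructed for the example, and User-Password obfuscation in the second request is omitted.

```python
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
USER_NAME, CALLING_STATION_ID = 1, 31  # RADIUS attribute numbers (RFC 2865)

def encode_attrs(attrs):
    """Serialise (type, value) pairs as RADIUS TLVs: type, total length, value."""
    out = b""
    for atype, value in attrs:
        if len(value) > 253:
            raise ValueError("attribute value too long")
        out += struct.pack("!BB", atype, len(value) + 2) + value
    return out

def decode_attrs(data):
    """Parse RADIUS TLVs, rejecting truncated or zero-length entries."""
    attrs = []
    while data:
        alen = data[1] if len(data) >= 2 else 0
        if alen < 2 or alen > len(data):
            raise ValueError("malformed attribute")
        attrs.append((data[0], data[2:alen]))
        data = data[alen:]
    return attrs

def access_accept(ident, request_auth, attrs, secret):
    """Server side: Access-Accept; Response Authenticator = MD5(hdr+ReqAuth+attrs+secret)."""
    body = encode_attrs(attrs)
    header = struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(body))
    return header + hashlib.md5(header + request_auth + body + secret).digest() + body

def llid_from_preauth_accept(packet, request_auth, secret):
    """Router side: verify the preauth reply, return the LLID from attribute 31, ignore the rest."""
    if len(packet) < 20 or struct.unpack("!H", packet[2:4])[0] != len(packet):
        raise ValueError("bad packet length")
    expected = hashlib.md5(packet[:4] + request_auth + packet[20:] + secret).digest()
    if not hmac.compare_digest(expected, packet[4:20]):
        raise ValueError("Response Authenticator mismatch; reply discarded")
    if packet[0] != ACCESS_ACCEPT:
        return None
    ids = [v for t, v in decode_attrs(packet[20:]) if t == CALLING_STATION_ID]
    return ids[0].decode() if ids else None

def auth_request_with_llid(ident, user, llid):
    """Router side: second Access-Request with the LLID as Calling-Station-Id (standard use)."""
    body = encode_attrs([(USER_NAME, user.encode()), (CALLING_STATION_ID, llid.encode())])
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body)) + os.urandom(16) + body
```

A reply whose Response Authenticator does not match the request's authenticator and the configured secret is dropped before any attribute is read, which is the check that keeps a spoofed preauthentication reply from planting an arbitrary LLID.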
RADIUS Attributes for LLID Preauthentication Requests
Table 1 lists the RADIUS IETF attributes used in a preauthentication request to obtain a subscriber's LLID, and describes the information that is included in the attributes. In some cases, preauthentication uses an attribute for information that is different from the IETF description; the table indicates any non-standard use of RADIUS attributes.
Attribute Number | Attribute Name | Description
---|---|---
1 | User-Name | (Non-standard use of attribute.) Identifying information for the user associated with the LLID, in the following format. Example: Note: The router strips any dynamically generated information from the User-Name attribute during preauthentication.
2 | User-Password | (Non-standard use of attribute.) Password of the user to be authenticated. Example: Always set to
4 | NAS-IP-Address | IP address of the network access server (NAS) that is requesting authentication of the user. Example:
5 | NAS-Port | Physical port number of the NAS that is authenticating the user. Always interpreted as a bit field.
6 | Service-Type | Type of service the user requested or the type of service to be provided. Example:
61 | NAS-Port-Type | Type of physical port the NAS is using to authenticate the user. You can use the
77 | Connect-Info | (Non-standard use of attribute.) The user name. Example:
87 | NAS-Port-Id | Text string that identifies the physical interface of the NAS that is authenticating the user. Includes any dynamically generated information. Example:
Configuring Logical Line Identification (LLID) Preauthentication
The logical line identification (LLID) feature enables service providers to track subscribers on the basis of a virtual port — the LLID — rather than by the physical port used by the subscriber. The LLID is assigned by a RADIUS preauthentication server, which you configure in an access profile.
To configure the router to support preauthentication for the LLID feature:
Note: You cannot configure the preauthentication statements in this procedure if you have configured the radius attributes exclude statement to exclude the Calling-Station-ID attribute from RADIUS Access-Request messages.
Specify the access profile you want to use for the subscriber preauthentication support.
[edit]
user@host# edit access profile profile-name
Specify the order in which the router uses the supported preauthentication methods. radius is the only supported authentication method.
[edit access profile profile-name]
user@host# set preauthentication-order radius
Specify that you want to configure RADIUS support.
[edit access profile profile-name]
user@host# edit radius
Specify the IP address of the RADIUS server used for preauthentication.
[edit access profile profile-name radius]
user@host# set preauthentication-server 192.168.100.10
Note: The preauthentication feature uses the retry and timeout parameters that are configured for the RADIUS authentication server.
(Optional) Display AAA preauthentication statistics.
user@host> show network-access aaa statistics preauthentication
Preauthentication module statistics
  Requests received: 2118
  Multistack requests: 0
  Accepts: 261
  Rejects: 975
  Challenges: 0
  Requests timed out: 882
(Optional) Verify configuration of the RADIUS preauthentication server.
user@host1> show radius pre-authentication servers
RADIUS Pre-Authentication Configuration
---------------------------------------
                Udp   Retry           Maximum   Dead
IP Address      Port  Count  Timeout  Sessions  Time  Secret
-------------   ----  -----  -------  --------  ----  ------
203.0.113.168   1812  3      3        255       0     radius
Configuring a Port and Password for LLID Preauthentication Requests
You can configure a router that operates as the RADIUS client to contact a RADIUS server for authentication and preauthentication requests on two different UDP ports and using different secret passwords. Similar to configuring the port numbers for authentication and accounting requests, you can define a unique port number that the router uses to contact the RADIUS server for logical line identification (LLID) preauthentication requests. You can also define a unique password for preauthentication requests. If you do not configure a separate UDP port or secret for preauthentication purposes, the same UDP port and secret that you configure for authentication messages is used.
To configure a unique UDP port number to be used to contact the RADIUS server for preauthentication requests, include the preauthentication-port port-number statement at the [edit access radius-server server-address] or [edit access profile profile-name radius-server server-address] hierarchy level.
To specify the UDP port for all of the access profiles:
[edit access]
radius-server server-address {
    preauthentication-port port-number;
}
To specify the UDP port for a specific access profile:
[edit access]
profile profile-name {
    radius-server server-address {
        preauthentication-port port-number;
    }
}
To configure the password to be used to contact the RADIUS preauthentication server, include the preauthentication-secret password statement at the [edit access radius-server server-address] or [edit access profile profile-name radius-server server-address] hierarchy level.
To specify the password for all of the access profiles:
[edit access]
radius-server server-address {
    preauthentication-secret password;
}
To specify the password for a specific access profile:
[edit access]
profile profile-name {
    radius-server server-address {
        preauthentication-secret password;
    }
}
Verifying and Managing LLID Preauthentication Configuration
Purpose
Display statistics and configuration information related to logical line identification (LLID) preauthentication.
Action
To display LLID preauthentication statistics:
user@host> show network-access aaa statistics preauthentication
To display information about preauthentication servers:
user@host> show network-access aaa radius-servers