AAA Logical Line Identifier for Subscriber Tracking Overview

You can configure the router to support the AAA logical line identification feature. This feature enables service providers to track subscribers on the basis of a virtual port known as the logical line ID (LLID).

The LLID is an alphanumeric string that logically identifies a subscriber line. The service provider maps each subscriber to an LLID based on the user name and circuit ID from which the customer’s calls originate. When a subscriber moves to a new physical line, the service provider’s customer profile database is updated to map to the same LLID.

Because a subscriber’s LLID remains the same regardless of the subscriber’s physical location, using the LLID gives service providers a more secure mechanism for tracking subscribers and maintaining the customer database.

The following section explains how the router obtains and uses the LLID.

How the Router Obtains and Uses the LLID

To obtain an LLID for a subscriber, the router must issue two RADIUS access requests: a preauthentication request to obtain the LLID, followed by an authentication request encoded with the LLID returned in response to the preauthentication request.

To configure this feature, you:

  1. Create an AAA profile that supports preauthentication (by using the pre-authenticate command in AAA Profile Configuration mode).
  2. Specify the IP address of a RADIUS preauthentication server (by using the radius pre-authentication server command in Global Configuration mode) and of an authentication server (by using the radius authentication server command in Global Configuration mode).

The following steps describe how the router uses RADIUS to obtain and use the LLID. It is assumed that you have already configured an AAA profile for preauthentication and have defined both a RADIUS preauthentication server and a RADIUS authentication server. Typically, the preauthentication server and the authentication server reside in the same virtual router context in which the PPP subscriber is authenticated.

The router obtains and uses the LLID as follows:

  1. A PPP subscriber requests authentication through RADIUS.
  2. The router sends an Access-Request message to the RADIUS preauthentication server to obtain an LLID for the subscriber.

    This step is referred to as the preauthentication request because it occurs before user authentication and authorization.

  3. The preauthentication server returns the LLID to the router in the Calling-Station-Id (RADIUS attribute 31) of an Access-Accept message.

    The router ignores any RADIUS attributes other than the Calling-Station-Id that are returned in the preauthentication Access-Accept message.

  4. The router encodes the LLID in the RADIUS Calling-Station-Id and sends an Access-Request message to the RADIUS authentication server.

    This step is referred to as the authentication request.

  5. The RADIUS authentication server returns an Access-Accept message to the router that includes the tunnel attributes for the subscriber session.
  6. For tunneled PPP subscribers, the router, acting as an L2TP access concentrator (LAC), encodes the LLID into L2TP Calling Number AVP 22 and sends this to the L2TP network server (LNS) in an incoming-call request (ICRQ) packet.

    After a successful preauthentication request, the router always encodes the LLID in Calling Number AVP 22. The use of aaa commands such as aaa tunnel calling-number-format to control or change the inclusion of the LLID in Calling Number AVP 22 has no effect.
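The two RADIUS exchanges in steps 2 through 4 can be modeled at the packet level. The following Python sketch is an added example, not router code: the function names, user name, LLID value, and extra attributes are constructed for illustration, and the 16-byte authenticator is a zero placeholder rather than a computed value.

```python
import struct

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
USER_NAME, FRAMED_IP, SESSION_TIMEOUT, CALLING_STATION_ID = 1, 8, 27, 31

def build_packet(code, ident, attrs):
    """Build a RADIUS packet; the 16-byte authenticator is a zero placeholder."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    return struct.pack("!BBH16s", code, ident, 20 + len(body), bytes(16)) + body

def parse_attrs(packet):
    """Return [(type, value)], rejecting truncated or malformed attributes."""
    if len(packet) < 20:
        raise ValueError("packet shorter than RADIUS header")
    length = struct.unpack("!H", packet[2:4])[0]
    if not 20 <= length <= len(packet):
        raise ValueError("bad packet length field")
    attrs, pos = [], 20
    while pos < length:
        alen = packet[pos + 1] if pos + 2 <= length else 0
        if alen < 2 or pos + alen > length:
            raise ValueError("truncated or malformed attribute")
        attrs.append((packet[pos], packet[pos + 2:pos + alen]))
        pos += alen
    return attrs

def llid_from_preauth(packet):
    """Step 3: take only Calling-Station-Id (31) from an Access-Accept."""
    attrs = parse_attrs(packet)
    if packet[0] != ACCESS_ACCEPT:
        return None  # no LLID; this sketch's choice, not documented behavior
    for atype, value in attrs:
        if atype == CALLING_STATION_ID:
            return value.decode("ascii")  # all other attributes are ignored
    return None

def auth_request(ident, username, llid):
    """Step 4: Access-Request carrying the LLID in Calling-Station-Id."""
    return build_packet(ACCESS_REQUEST, ident, [
        (USER_NAME, username.encode("ascii")),
        (CALLING_STATION_ID, llid.encode("ascii")),
    ])

# Constructed sample: preauthentication Access-Accept with extra attributes.
PREAUTH_ACCEPT = build_packet(ACCESS_ACCEPT, 7, [
    (FRAMED_IP, bytes([192, 0, 2, 10])),
    (CALLING_STATION_ID, b"LLID000123"),
    (SESSION_TIMEOUT, struct.pack("!I", 3600)),
])
```

Calling llid_from_preauth(PREAUTH_ACCEPT) returns only the Calling-Station-Id value, and auth_request() places that value in attribute 31 of the second request.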
