Using the AAA Logical Line Identifier to Track Subscribers
You can configure the router to support the AAA logical line identification feature. This feature enables service providers to track subscribers on the basis of a virtual port known as the logical line ID (LLID).
The LLID is an alphanumeric string that logically identifies a subscriber line. The service provider maps each subscriber to an LLID based on the user name and circuit ID from which the customer’s calls originate. When a subscriber moves to a new physical line, the service provider’s customer profile database is updated to map to the same LLID.
Because a subscriber’s LLID remains the same regardless of the subscriber’s physical location, using the LLID gives service providers a more secure mechanism for tracking subscribers and maintaining the customer database.
How the Router Obtains and Uses the LLID
To obtain an LLID for a subscriber, the router must issue two RADIUS access requests: a preauthentication request to obtain the LLID, followed by an authentication request encoded with the LLID returned in response to the preauthentication request.
To configure this feature, you:
- Create an AAA profile that supports preauthentication (by using the pre-authenticate command in AAA Profile Configuration mode).
- Specify the IP address of a RADIUS preauthentication server (by using the radius pre-authentication server command in Global Configuration mode) and of an authentication server (by using the radius authentication server command in Global Configuration mode).
The following steps describe how the router uses RADIUS to obtain and use the LLID. It is assumed that you have already configured an AAA profile for preauthentication and have defined both a RADIUS preauthentication server and a RADIUS authentication server. Typically, the preauthentication server and the authentication server reside in the same virtual router context in which the PPP subscriber is authenticated.
The router obtains and uses the LLID as follows:
- A PPP subscriber requests authentication through RADIUS.
- The router sends an Access-Request message to the RADIUS preauthentication server to obtain an LLID for the subscriber. This step is referred to as the preauthentication request because it occurs before user authentication and authorization.
- The preauthentication server returns the LLID to the router in the Calling-Station-Id (RADIUS attribute 31) of an Access-Accept message. The router ignores any RADIUS attributes other than the Calling-Station-Id that are returned in the preauthentication Access-Accept message.
- The router encodes the LLID in the RADIUS Calling-Station-Id and sends an Access-Request message to the RADIUS authentication server. This step is referred to as the authentication request.
- The RADIUS authentication server returns an Access-Accept message to the router that includes the tunnel attributes for the subscriber session.
- For tunneled PPP subscribers, the router, acting as an L2TP access concentrator (LAC), encodes the LLID into L2TP Calling Number AVP 22 and sends this to the L2TP network server (LNS) in an incoming-call request (ICRQ) packet.
After a successful preauthentication request, the router always encodes the LLID in Calling Number AVP 22. The use of aaa commands such as aaa tunnel calling-number-format to control or change the inclusion of the LLID in Calling Number AVP 22 has no effect.
RADIUS Attributes in Preauthentication Request
Table 6 describes the RADIUS IETF attributes that are always included in a preauthentication request to obtain the LLID. The attributes are listed in ascending order by standard number.
Table 6: RADIUS IETF Attributes in Preauthentication Request
| Attribute Number | Attribute Name | Description |
|---|---|---|
| [1] | User-Name | Name of the user associated with the LLID, in the format NAS-Port:<NAS-IP-Address>:<NAS-Port-Id>; for example, nas-port:172.28.30.117:atm 4/1.104:2.104 |
| [2] | User-Password | Password of the user to be authenticated; always set to “juniper” |
| [4] | NAS-IP-Address | IP address of the network access server (NAS) that is requesting authentication of the user; for example, 172.28.30.117 |
| [5] | NAS-Port | Physical port number of the NAS that is authenticating the user; this is always interpreted as a bit field |
| [6] | Service-Type | Type of service the user has requested or the type of service to be provided; for example, framed |
| [61] | NAS-Port-Type | Type of physical port the NAS is using to authenticate the user |
| [77] | Connect-Info | Actual user name; for example, jdoe@xyzcorp.east.com |
| [87] | NAS-Port-Id | Text string that identifies the physical interface of the NAS that is authenticating the user; for example, atm 4/1.104:2.104 |
The use of radius commands such as radius calling-station-format or radius override calling-station-id to control or change the inclusion of these attributes in the preauthentication request has no effect.
For more information about these attributes, see RADIUS IETF Attributes.
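The two-request exchange described above and the Table 6 attribute set, as an added Python example that is not part of this document or of the router software: it builds the preauthentication Access-Request, extracts only Calling-Station-Id [31] from the reply (falling back to no LLID on reject, timeout or a missing attribute), and adds the LLID to the authentication request. The packet layout follows RFC 2865; the shared secret, authenticator, LLID value and the omission of attributes 5, 6 and 61 are assumptions made for this example.

```python
import hashlib, socket, struct
ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
CALLING_STATION_ID = 31  # the preauthentication server returns the LLID in this attribute

def attr(code, value):
    # One RADIUS attribute: type, length (value + 2), value
    value = value.encode() if isinstance(value, str) else value
    return struct.pack("!BB", code, len(value) + 2) + value

def build_packet(code, ident, authenticator, attrs):
    return struct.pack("!BBH", code, ident, 20 + len(attrs)) + authenticator + attrs  # 20-byte header

def hide_password(password, secret, authenticator):
    # RFC 2865 User-Password hiding using the shared secret set by the "key" command (assumed value)
    padded = password.encode().ljust(16, b"\0")
    key = hashlib.md5(secret.encode() + authenticator).digest()
    return bytes(p ^ k for p, k in zip(padded, key))

def build_preauth_request(nas_ip, nas_port_id, user, secret, authenticator, ident=1):
    # Attributes from Table 6 (1, 2, 4, 77 and 87 shown; 5, 6 and 61 omitted in this example)
    attrs = (attr(1, f"nas-port:{nas_ip}:{nas_port_id}")                 # User-Name in LLID lookup format
             + attr(2, hide_password("juniper", secret, authenticator))  # User-Password is always "juniper"
             + attr(4, socket.inet_aton(nas_ip))                         # NAS-IP-Address
             + attr(77, user)                                            # Connect-Info = actual user name
             + attr(87, nas_port_id))                                    # NAS-Port-Id
    return build_packet(ACCESS_REQUEST, ident, authenticator, attrs)

def parse_attrs(packet):
    # Walk the TLVs that follow the header; returns [(code, value), ...]
    i, out = 20, []
    while i + 2 <= len(packet):
        code, length = packet[i], packet[i + 1]
        out.append((code, packet[i + 2:i + length]))
        i += length
    return out

def llid_from_preauth_reply(reply):
    # None on reject, timeout (reply is None) or missing attribute: authentication then continues without an LLID
    if reply is None or reply[0] != ACCESS_ACCEPT:
        return None
    llids = [v for c, v in parse_attrs(reply) if c == CALLING_STATION_ID]  # every other attribute is ignored
    return llids[0].decode() if llids else None

def build_auth_request(user, hidden_pap, llid, authenticator, ident=2):
    # Authentication Access-Request; Calling-Station-Id carries the LLID only when preauthentication supplied one
    attrs = attr(1, user) + attr(2, hidden_pap)
    if llid is not None:
        attrs += attr(CALLING_STATION_ID, llid)
    return build_packet(ACCESS_REQUEST, ident, authenticator, attrs)
```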
Considerations for Using the LLID
The following considerations apply when you configure the router for subscriber preauthentication:
- Only PPP subscribers authenticating through RADIUS can use the AAA LLID feature on the router. PPP subscribers tunneled through domain maps cannot take advantage of this feature.
- The Calling-Station-Id [31] attribute is typically sent in RADIUS Access-Request messages, not in Access-Accept messages as is the case for this feature. As a result, your RADIUS server might require special configuration procedures to enable the Calling-Station-Id attribute to be returned in Access-Accept messages. See the documentation that came with your RADIUS server for information.
- The router ignores any RADIUS attributes other than the Calling-Station-Id that are returned in the preauthentication Access-Accept message.
- If a preauthentication request fails due to misconfiguration of the preauthentication server, timeout of the preauthentication server, or rejection of the preauthentication request by the preauthentication server, the authentication process continues normally and the preauthentication request is ignored.
- The router preserves the LLID value for established subscribers after a stateful SRP switchover.
- The radius rollover-on-reject enable command has no effect for a RADIUS preauthentication server. That is, you cannot use the radius rollover-on-reject enable command to configure the router to roll over to the next RADIUS preauthentication server when the router receives an Access-Reject message for the user it is authenticating. For information, see radius rollover-on-reject.
Configuring the Router to Obtain the LLID for a Subscriber
To configure the router to obtain the LLID for a subscriber:
- Create an AAA profile that supports subscriber preauthentication.

```
host1(config)#aaa profile preAuthLlid
host1(config-aaa-profile)#pre-authenticate
host1(config-aaa-profile)#exit
```

- Define a RADIUS preauthentication server.

```
host1(config)#radius pre-authentication server 10.10.10.1
host1(config-radius)#key abc123
host1(config-radius)#exit
```

- Associate the AAA profile with the designated PPP interface.

```
host1(config)#interface atm 4/3.101
host1(config-subif)#ppp aaa-profile preAuthLlid
```

- (Optional) Verify that preauthentication support is configured for the AAA profile.

```
host1(config-subif)#run show aaa profile name PreAuthLlid
preAuthLlid:
  atm nas-port-type: ADLSL-CAP
  ethernet nas-port-type: Cable
  profile-service-description: xyzService
  pre-authenticate
  allow xyz.com
  deny default
  translate xyz1.com abc.com
```

For information, see Setting Baselines for Remote Access.

- (Optional) Verify configuration of the RADIUS preauthentication server.

```
host1(config-subif)#run show radius pre-authentication servers
RADIUS Pre-Authentication Configuration
---------------------------------------
                 Udp   Retry  Maximum  Dead
IP Address       Port  Count  Timeout  Sessions  Time  Secret
-------------    ----  -----  -------  --------  ----  ------
10.10.10.1       1812  3      3        255       0     radius
```

You can also display configuration information for preauthentication servers by using the show radius servers command. For information, see Setting Baselines for Remote Access.

- (Optional) Display statistics for the RADIUS preauthentication server.

To display preauthentication statistics, use the show radius pre-authentication statistics command. For information, see Setting Baselines for Remote Access.

To display a count of preauthentication requests and responses, use the show aaa statistics command. For information, see Setting Baselines for Remote Access.
aaa profile
- Use to configure a new AAA profile.
- Example: host1(config)#aaa profile boston123
- Use the no version to delete the AAA profile.
- See aaa profile
key
- Use from RADIUS Configuration mode to configure the secret for a RADIUS preauthentication server.
- The server secret is a text string used by RADIUS to encrypt the client and server authenticator field during exchanges between the router and a RADIUS preauthentication server. The router encrypts PPP PAP passwords using this text string.
- The default behavior is no server secret.
- Example: host1(config-radius)#key gismo
- Use the no version to remove the secret.

Note: The preauthentication request fails if you do not specify a key for the preauthentication server.
- See key
ppp aaa-profile
- Use to assign an AAA profile to static and dynamic, multilink and nonmultilink PPP interfaces.
- For more information about how to use this command, see ppp aaa-profile.
- Example: host1(config-if)#ppp aaa-profile preAuth
- Use the no version to remove the AAA profile assignment.
- See ppp aaa-profile
pre-authenticate
- Use to configure an AAA profile to support RADIUS preauthentication.
- During preauthentication, the router sends an Access-Request message to a RADIUS preauthentication server to obtain an LLID for a subscriber. In response, the preauthentication server returns the LLID in the RADIUS Calling-Station-Id [31] attribute of an Access-Accept message.
- Example: host1(config-aaa-profile)#pre-authenticate
- Use the no version to remove preauthentication support from the AAA profile.
- See pre-authenticate
radius pre-authentication server
- Use to specify the IP address of a RADIUS preauthentication server.
- This command accesses RADIUS Configuration mode, from which you can configure additional parameters for the RADIUS preauthentication server.
- Example: host1(config)#radius pre-authentication server 10.10.10.2
- Use the no version to delete the instance of the RADIUS preauthentication server.
- See radius pre-authentication server
Troubleshooting Subscriber Preauthentication
You can configure the router to send traps to SNMP when a RADIUS preauthentication server fails to respond to messages. To do so, you use the same procedure and commands as you do to configure SNMP traps for a RADIUS authentication server.
For example, to enable SNMP traps when a particular RADIUS preauthentication server fails to respond to Access-Request messages, use the radius trap auth-server-not-responding enable command.
For more information, see Configuring SNMP Traps.