
RADIUS Logical Line Identification

RADIUS Logical Line Identifier (LLID) Overview

The logical line identification (LLID) feature helps service providers maintain a reliable and up-to-date customer database for those subscribers who frequently move from one physical line to another. The LLID is designed to provide the service provider with a configurable calling station ID for the subscriber access line. A calling station ID is derived from the physical line location and the subscriber client’s information. Line information derived from the service provider's facility makes it difficult for the access line wholesaler to manage access line ownership when subscribers frequently move between physical locations. The LLID feature is based on a virtual port, the LLID, rather than the physical line used by the subscriber. The LLID provides AAA-driven line information management with a service provider (usually a wholesaler).

The LLID is an alphanumeric string that is based on the subscriber user name and circuit ID. The LLID logically identifies the subscriber line, and is mapped to the subscriber’s physical line in the service provider customer database. When the subscriber moves to a different location and different physical line, the database is updated to map the LLID to the new physical line. Because the subscriber’s LLID remains constant, it provides service providers with a secure and reliable means for tracking subscribers and maintaining an accurate customer database. Subscriber management supports the LLID feature for PPP subscribers over PPPoE, PPPoA, and LAC.

To assign an LLID to a subscriber, the router issues two RADIUS access requests. The first request is a preauthentication request, which obtains the LLID from a RADIUS preauthentication server. The second request is the standard authentication request sent to the RADIUS authentication server.

The following sequence of steps describes how subscriber management obtains and uses the LLID. The procedure assumes that preauthentication is enabled on the router and that the RADIUS preauthentication and authentication servers are configured.

  1. The PPP subscriber sends an Authentication-Request message to the router.

  2. The router sends an Access-Request message to the RADIUS preauthentication server to obtain an LLID for the subscriber.

  3. The preauthentication server returns the LLID to the router in the Calling-Station-Id attribute (RADIUS attribute 31) in the Access-Accept message.


    This step includes a non-standard use of the Calling-Station-Id attribute. This attribute is typically present in RADIUS request messages, such as an Access-Request, not in response messages. Also, the router ignores all RADIUS attributes, other than the Calling-Station-Id, that are returned in the preauthentication Access-Accept message. In addition, any radius options that are configured on the router, such as calling-station-id-format, have no effect on the Calling-Station-Id attribute in the preauthentication request.

  4. The router encodes the Calling-Station-Id (the LLID) in a second Access-Request message and sends the message to the RADIUS authentication server. This authentication request is the standard use of the Calling-Station-Id attribute.

  5. The RADIUS authentication server returns an Access-Accept message to the router. The Access-Accept message includes attributes for the subscriber session.


    Once the preauthenticated subscriber has been successfully authenticated by the RADIUS authentication server, all subsequent RADIUS request messages, such as Accounting-Request messages, will include the LLID in the Calling-Station-Id attribute.
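Steps 2 through 4 as an added example (not code from the original documentation or from Junos): it checks the RFC 2865 Response Authenticator of the preauthentication Access-Accept against the shared secret, takes only the Calling-Station-Id as the LLID, and encodes that LLID in the second Access-Request. The stand-in server, user name, secret and LLID value are constructed, and credential attributes are left out of both requests.

```python
import hashlib, hmac, os, struct

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
USER_NAME, SERVICE_TYPE, CALLING_STATION_ID = 1, 6, 31   # RFC 2865 attribute types

def attr(atype: int, value: bytes) -> bytes:
    return bytes([atype, len(value) + 2]) + value         # type, length, value

def access_request(ident: int, attrs: bytes) -> bytes:
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs))
    return header + os.urandom(16) + attrs                # random Request Authenticator

def response_auth(header: bytes, req_auth: bytes, attrs: bytes, secret: bytes) -> bytes:
    # Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    return hashlib.md5(header + req_auth + attrs + secret).digest()

def parse_attrs(data: bytes):
    while data:
        if len(data) < 2 or not 2 <= data[1] <= len(data):
            raise ValueError("malformed attribute")
        yield data[0], data[2:data[1]]
        data = data[data[1]:]

def llid_from_accept(reply: bytes, request: bytes, secret: bytes) -> str:
    """Validate a preauthentication Access-Accept and return the LLID it carries."""
    length = struct.unpack("!H", reply[2:4])[0] if len(reply) >= 20 else -1
    if length != len(reply) or reply[0] != ACCESS_ACCEPT or reply[1] != request[1]:
        raise ValueError("unexpected reply")
    good = response_auth(reply[:4], request[4:20], reply[20:], secret)
    if not hmac.compare_digest(good, reply[4:20]):
        raise ValueError("Response Authenticator mismatch")
    # Only Calling-Station-Id is used; every other returned attribute is ignored.
    for atype, value in parse_attrs(reply[20:]):
        if atype == CALLING_STATION_ID:
            return value.decode("ascii")
    raise ValueError("no Calling-Station-Id in Access-Accept")

def fake_preauth_server(request: bytes, secret: bytes, llid: str) -> bytes:
    # Constructed stand-in for the preauthentication server (step 3).
    attrs = attr(SERVICE_TYPE, struct.pack("!I", 2)) + attr(CALLING_STATION_ID, llid.encode())
    header = struct.pack("!BBH", ACCESS_ACCEPT, request[1], 20 + len(attrs))
    return header + response_auth(header, request[4:20], attrs, secret) + attrs

def run_exchange(secret: bytes = b"preauth-secret"):
    user = attr(USER_NAME, b"subscriber1")                # constructed user name
    pre = access_request(7, user)                         # step 2
    llid = llid_from_accept(fake_preauth_server(pre, secret, "LLID-0001"), pre, secret)
    auth = access_request(8, user + attr(CALLING_STATION_ID, llid.encode()))  # step 4
    return llid, auth
```
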


For tunneled PPP subscribers, the router, acting as an L2TP access concentrator (LAC), encodes the LLID into the Calling Number AVP (L2TP attribute 22) and sends the attribute to the L2TP network server (LNS) in an Incoming-Call-Request (ICRQ) packet. After a successful preauthentication request, the router always encodes the LLID in the L2TP Calling Number AVP.

RADIUS Attributes for LLID Preauthentication Requests

Table 1 lists the RADIUS IETF attributes used in a preauthentication request to obtain a subscriber’s LLID, and describes the information that is included in the attributes. In some cases, preauthentication uses an attribute for information that is different than the IETF description—the table indicates any non-standard use of RADIUS attributes.

Table 1: RADIUS Attributes for LLID Preauthentication Requests

Attribute Number

Attribute Name




  • (Non-standard use of attribute.) Identifying information for the user associated with the LLID, in the following format.

    Example: nas-port:

    The router strips any dynamically generated information from the User-Name attribute during preauthentication.

  • (Non-standard use of attribute.) Password of the user to be authenticated.

    Example: Always set to juniper

  • IP address of the network access server (NAS) that is requesting authentication of the user.

  • Physical port number of the NAS that is authenticating the user. Always interpreted as a bit field.

  • Type of service the user requested or the type of service to be provided.

    Example: gold-service

  • Type of physical port the NAS is using to authenticate the user. You can use the ethernet-port-type-virtual statement to configure this to virtual (type 5).

  • (Non-standard use of attribute.) The user name.

  • Text string that identifies the physical interface of the NAS that is authenticating the user. Includes any dynamically generated information.

    Example: ge 1/0/5:100

Configuring Logical Line Identification (LLID) Preauthentication

The logical line identification (LLID) feature enables service providers to track subscribers on the basis of a virtual port — the LLID — rather than by the physical port used by the subscriber. The LLID is assigned by a RADIUS preauthentication server, which you configure in an access profile.

To configure the router to support preauthentication for the LLID feature:


You cannot configure the preauthentication statements in this procedure if you have configured the radius attributes exclude statement to exclude the Calling-Station-ID attribute from RADIUS Access-Request messages.

  1. Specify the access profile you want to use for the subscriber preauthentication support.

  2. Specify the order in which the router uses the supported preauthentication methods. radius is the only supported authentication method.

  3. Specify that you want to configure RADIUS support.

  4. Specify the IP address of the RADIUS server used for preauthentication.


    The preauthentication feature uses the retry and timeout parameters that are configured for the RADIUS authentication server.

  5. (Optional) Display AAA preauthentication statistics.

  6. (Optional) Verify configuration of the RADIUS preauthentication server.

Configuring a Port and Password for LLID Preauthentication Requests

You can configure a router that operates as the RADIUS client to contact a RADIUS server for authentication and preauthentication requests on two different UDP ports and using different secret passwords. Similar to configuring the port numbers for authentication and accounting requests, you can define a unique port number that the router uses to contact the RADIUS server for logical line identification (LLID) preauthentication requests. You can also define a unique password for preauthentication requests. If you do not configure a separate UDP port or secret for preauthentication purposes, the same UDP port and secret that you configure for authentication messages is used.

To configure a unique UDP port number to be used to contact the RADIUS server for preauthentication requests, include the preauthentication-port port-number statement at the [edit access radius-server server-address] or [edit access profile profile-name radius-server server-address] hierarchy level.

  • To specify the UDP port for all of the access profiles:

  • To specify the UDP port for a specific access profile:

To configure the password to be used to contact the RADIUS preauthentication server, include the preauthentication-secret password statement at the [edit access radius-server server-address] or [edit access profile profile-name radius-server server-address] hierarchy level.

  • To specify the password for all of the access profiles:

  • To specify the password for a specific access profile:

Verifying and Managing LLID Preauthentication Configuration


Display statistics and configuration information related to logical line identification (LLID) preauthentication.


  • To display LLID preauthentication statistics:

  • To display information about preauthentication servers: