This feature module describes the Preauthentication with ISDN PRI and Channel-Associated Signalling feature. It includes information on the benefits of the new feature, supported platforms, and related documents.
This document includes the following sections:
With ISDN PRI or channel-associated signalling (CAS), information about an incoming call is available to the network access server (NAS) before the call is connected. The available call information includes
The Preauthentication with ISDN PRI and Channel-Associated Signalling feature allows a Cisco NAS to decide, on the basis of the DNIS number, the CLID number, or the call type, whether to connect an incoming call.
When an incoming call arrives from the public network switch, but before it is connected, this feature enables the NAS to send the DNIS number, CLID number, and call type to a RADIUS server for authorization. If the server authorizes the call, then the NAS accepts the call. If the server does not authorize the call, then the NAS sends a disconnect message to the public network switch to reject the call.
In the event that the RADIUS server application becomes unavailable or is slow to respond, this feature allows a guard timer to be set in the NAS. When the timer expires, the NAS uses a configurable parameter to accept or reject the incoming call that has no authorization.
This feature supports the use of attribute 44 by the RADIUS server application. (For more information about attribute 44 and how it works with preauthentication, refer to the Cisco IOS Release 12.0(7)T feature module entitled RADIUS Attribute 44 (Accounting Session ID) in Access Requests.)
This feature also supports the use of new RADIUS attributes. These RADIUS attributes are configured in the RADIUS preauthentication profiles to specify preauthentication behavior. They may also be used, for instance, to specify whether subsequent authentication should occur and, if so, what authentication method should be used.
The Preauthentication with ISDN PRI and Channel-Associated Signalling feature offers the following benefits:
The following restriction applies to preauthentication with ISDN PRI:
The following restriction applies to preauthentication with CAS:
This feature makes use of the functionality described in the 12.0(7)T feature module entitled RADIUS Attribute 44 (Accounting Session ID) in Access Requests.
This feature also makes use of the functionality described in the 12.1(3)T feature module entitled Call Tracker Plus ISDN and AAA Enhancements for the Cisco AS5300 and Cisco AS5800.
The following documents provide information related to this feature:
This feature runs on the following platforms:
Standards
No new or modified standards are supported by this feature.
MIBs
No new or modified MIBs are supported by this feature.
For descriptions of supported MIBs and how to use MIBs, see the Cisco MIB web site on Cisco Connection Online (CCO) at http://www.cisco.com/public/sw-center/netmgmt/cmtk/mibs.shtml.
RFCs
No new or modified RFCs are supported by this feature.
To configure preauthentication, you must first enable the aaa new-model command.
The supporting preauthentication application must be running on a RADIUS server in your network.
See the following sections for configuration tasks for the Preauthentication with ISDN PRI and Channel-Associated Signalling feature. Each task in the list is identified as optional or required.
To configure authentication, authorization, and accounting (AAA) preauthentication, use the following commands beginning in global configuration mode.
To enter AAA preauthentication configuration mode, use the aaa preauth command.
To configure preauthentication, use some combination of the aaa preauth commands: group, clid, ctype, dnis, and dnis bypass.
| Step | Command | Purpose |
|---|---|---|
| Step 1 | Router(config)# aaa preauth | Enters AAA preauthentication configuration mode. |
| Step 2 | Router(config-preauth)# group server-group | Specifies the AAA RADIUS server group to use for preauthentication. |
| Step 3 | Router(config-preauth)# clid [if-avail \| required] [accept-stop] [password string] | Preauthenticates calls on the basis of the CLID number. |
| Step 4 | Router(config-preauth)# ctype [if-avail \| required] [accept-stop] [password string] | Preauthenticates calls on the basis of the call type. |
| Step 5 | Router(config-preauth)# dnis [if-avail \| required] [accept-stop] [password string] | Preauthenticates calls on the basis of the DNIS number. |
| Step 6 | Router(config-preauth)# dnis bypass {dnis-group-name} | Specifies a group of DNIS numbers that will be bypassed for preauthentication. |
In addition to using the above commands to configure preauthentication on the Cisco router, you must set up the preauthentication profiles on the RADIUS server. For information on setting up the preauthentication profiles, see the following sections:
To preauthenticate calls on the basis of the DNIS or CLID number, you must enter the dnis or clid command, as indicated in the section "Configuring Preauthentication."
You must also set up the RADIUS preauthentication profile: use the DNIS or CLID number as the username, and use the password defined in the dnis or clid command as the password.
Note: The preauthentication profile must have "outbound" as the service type because the password is predefined on the NAS. Setting up the preauthentication profile in this manner prevents users from trying to log in to the NAS with the username of the DNIS number, CLID number, or call type and an obvious password. The "outbound" service type is also included in the access-request packet sent to the RADIUS server.
To preauthenticate calls on the basis of the call type, you must enter the ctype command, as indicated in the section "Configuring Preauthentication."
You must also set up the RADIUS preauthentication profile: use the call type string as the username, and use the password defined in the ctype command as the password. The following table shows the call type strings that may be used in the preauthentication profile:
Call Type String | ISDN Bearer Capabilities |
|---|---|
Note: Speech is the only call type available for CAS.
Note: The preauthentication profile must have "outbound" as the service type because the password is predefined on the NAS. Setting up the preauthentication profile in this manner prevents users from trying to log in to the NAS with the username of the DNIS number, CLID number, or call type and an obvious password. The "outbound" service type is also included in the access-request packet sent to the RADIUS server and should be a check-in item if the RADIUS server supports check-in items.
When DNIS, CLID, or call type preauthentication is used, the affirmative response from the RADIUS server may include a modem string for modem management in the NAS through vendor-specific attribute (VSA) 26. The modem management VSA has the following syntax:
cisco-avpair = "preauth:modem-service=modem min-speed <x> max-speed <y>
modulation <z> error-correction <a> compression <b>"
The modem management string within the VSA may contain the following:
Command | Argument |
|---|---|
When the modem management string is received from the RADIUS server in the form of a VSA, the information is passed to the Cisco IOS software and applied on a per-call basis. Modem ISDN channel aggregation (MICA) modems provide a control channel through which messages can be sent during the call setup time. Hence, this modem management feature is supported only with MICA modems and newer technologies. This feature is not supported with Microcom modems.
If preauthentication passes, you may use vendor-proprietary RADIUS attribute 201 (Require-Auth) in the preauthentication profile to determine whether subsequent authentication is to be performed. If attribute 201, returned in the access-accept message, has a value of 0, then subsequent authentication will not be performed. If attribute 201 has a value of 1, then subsequent authentication will be performed as usual.
Attribute 201 has the following syntax:
cisco-avpair = "preauth:auth-required=<n>"
where <n> has the same value range as attribute 201 (that is, 0 or 1).
If attribute 201 is missing in the preauthentication profile, then a value of 1 is assumed, and subsequent authentication is performed.
Note: To perform subsequent authentication, you must set up a regular user profile in addition to a preauthentication profile.
If you have specified subsequent authentication in the preauthentication profile, you must also specify the authentication types to be used for subsequent authentication. To specify the authentication types allowed in subsequent authentication, use the following VSA:
cisco-avpair = "preauth:auth-type=<string>"
where <string> can be one of the following:
String | Description |
|---|---|
1 CHAP = Challenge Handshake Authentication Protocol
2 MS-CHAP = Microsoft version of CHAP
3 PAP = Password Authentication Protocol
To specify that multiple authentication types are allowed, you can configure more than one instance of this VSA in the preauthentication profile. The sequence of the authentication type VSAs in the preauthentication profile is significant because it specifies the order of authentication types to be used in the PPP negotiation.
This VSA is a per-user attribute and replaces the authentication type list in the ppp authentication interface command.
Note: You should use this VSA only if subsequent authentication is required because it specifies the authentication type for subsequent authentication.
If only preauthentication is used to authenticate a call, the NAS could be missing a username when it brings up the call. RADIUS may provide a username for the NAS to use through RADIUS attribute 1 (User-Name) or through a VSA returned in the access-accept packet. The VSA for specifying the username has the following syntax:
cisco-avpair = "preauth:username=<string>"
If no username is specified, the DNIS number, CLID number, or call type is used, depending on the last preauthentication command that has been configured (for example, if clid was the last preauthentication command configured, the CLID number will be used as the username).
If subsequent authentication is used to authenticate a call, there might be two usernames: one provided by RADIUS and one provided by the user. In this case, the username provided by the user overrides the one contained in the RADIUS preauthentication profile; the username provided by the user is used for both authentication and accounting.
If only preauthentication is configured, then subsequent authentication will be bypassed. Note that because the username and password are not available, authorization will also be bypassed. However, you may include authorization attributes in the preauthentication profile to apply per-user attributes and avoid having to return subsequently to RADIUS for authorization. To initiate the authorization process, you must also configure the aaa authorization network command on the NAS.
You may configure authorization attributes in the preauthentication profile with one exception: the Service-Type attribute. The Service-Type attribute must be converted to a VSA in the preauthentication profile. This VSA has the following syntax:
cisco-avpair = "preauth:service-type=<n>"
where <n> is one of the standard RFC 2138 values for attribute 6. Here is the list of possible Service-Type values:
Value | Description |
|---|---|
Note: If subsequent authentication is required, the authorization attributes in the preauthentication profile will not be applied.
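The rules above for the preauth VSAs (auth-required defaulting to 1, ordered auth-type entries, the username fallback, and profile authorization being skipped when subsequent authentication runs) are gathered in the following added example, which is not Cisco code. The sample attribute values are constructed, and treating an out-of-range auth-required value as 1 is an assumption of this sketch.

```python
"""Interpret preauth cisco-avpair strings from an Access-Accept (added example)."""
from dataclasses import dataclass, field
from typing import Optional

PREFIX = "preauth:"


@dataclass
class PreauthPolicy:
    auth_required: int = 1            # page: a missing attribute 201 is treated as 1
    auth_types: list = field(default_factory=list)  # order = PPP negotiation order
    username: str = ""
    service_type: Optional[int] = None
    modem: dict = field(default_factory=dict)
    profile_authorization_applied: bool = False
    notes: list = field(default_factory=list)


def parse_modem_service(value):
    """Split 'modem <keyword> <argument> ...' into a keyword -> argument dict."""
    tokens = value.split()
    if not tokens or tokens[0] != "modem" or len(tokens) % 2 == 0:
        raise ValueError(f"malformed modem-service string: {value!r}")
    return dict(zip(tokens[1::2], tokens[2::2]))


def interpret(avpairs, fallback_identity):
    """Derive what the NAS does after preauthentication passes.

    avpairs: cisco-avpair values from the Access-Accept, in profile order.
    fallback_identity: DNIS, CLID or call type of the last configured element.
    """
    policy = PreauthPolicy()
    for pair in avpairs:
        if not pair.startswith(PREFIX) or "=" not in pair:
            continue                  # only preauth:* VSAs are interpreted here
        name, value = pair[len(PREFIX):].split("=", 1)
        if name == "auth-required":
            if value in ("0", "1"):
                policy.auth_required = int(value)
            else:                     # assumption: out-of-range values fail closed
                policy.notes.append(f"auth-required={value!r} not 0 or 1; using 1")
        elif name == "auth-type":
            policy.auth_types.append(value)
        elif name == "username":
            policy.username = value
        elif name == "service-type":
            policy.service_type = int(value)
        elif name == "modem-service":
            policy.modem = parse_modem_service(value)
        else:
            policy.notes.append(f"unrecognised preauth attribute {name!r}")

    if not policy.username:
        policy.username = fallback_identity
    if policy.auth_required == 0:
        policy.profile_authorization_applied = True
        policy.notes.append("no subsequent authentication: call admitted on call information alone")
        if policy.auth_types:
            policy.notes.append("auth-type set although no subsequent authentication runs")
    else:
        policy.notes.append("user-supplied username overrides the profile username")
        if policy.service_type is not None:
            policy.notes.append("profile authorization attributes are not applied")
    return policy


# Constructed Access-Accept contents; the values are illustrative only.
PREAUTH_ONLY = [
    "preauth:auth-required=0",
    "preauth:username=dialin-5551000",
    "preauth:service-type=2",
    "preauth:modem-service=modem min-speed 2400 max-speed 33600",
]
WITH_PPP_AUTH = [
    "preauth:auth-type=chap",
    "preauth:auth-type=pap",
    "preauth:service-type=2",
]

if __name__ == "__main__":
    for label, pairs in (("preauth only", PREAUTH_ONLY), ("with PPP auth", WITH_PPP_AUTH)):
        result = interpret(pairs, fallback_identity="5551000")
        print(label, result.auth_required, result.username, result.auth_types)
        for note in result.notes:
            print("  -", note)
```

Running it against a RADIUS profile before deployment shows which profiles admit a call on DNIS, CLID or call type alone.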
To set a guard timer to accept or reject a call in the event that the RADIUS server fails to respond to a preauthentication request, use one of the following commands in interface configuration mode:
| Command | Purpose |
|---|---|
| Router(config-if)# isdn guard-timer milliseconds [on-expiry {accept \| reject}] | Sets an ISDN guard timer to accept or reject a call in the event that the RADIUS server fails to respond to a preauthentication request. |
| Router(control-config)# call guard-timer milliseconds [on-expiry {accept \| reject}] | Sets a CAS guard timer to accept or reject a call in the event that the RADIUS server fails to respond to a preauthentication request. |
The radius-server attribute 44 on-for-access-req command allows the RADIUS daemon to track a call from the beginning of the call to the end of the call (for example, from the preauthentication stage to the accounting stop record stage). Specifically, this command allows RADIUS attribute 44 to be generated and sent in all access requests to the RADIUS server before the generation of accounting packets (these access requests include preauthentication requests).
To send RADIUS attribute 44 (Accounting Session ID) in access-request packets before user authentication (for example, in preauthentication and VPDN requests), use the following command in global configuration command mode:
| Command | Purpose |
|---|---|
| Router(config)# radius-server attribute 44 on-for-access-req | Sends RADIUS attribute 44 (Accounting Session ID) in access-request packets before user authentication (for example, in preauthentication and VPDN requests). |
To verify preauthentication, use the following commands in privileged EXEC mode:
| Command | Purpose |
|---|---|
| Router# more system:running-config | Displays the contents of the current running configuration file. (Note that the more system:running-config command has replaced the show running-config command.) |
| Router# debug aaa authorization | Displays information on authorization. The debug output displays a line for each attribute-value pair that is authenticated. |
| Router# debug radius | Displays information about RADIUS. |
This section provides the following configuration examples:
The following example shows a simple configuration that specifies that the DNIS number be used for preauthentication:
```
aaa preauth
 group radius
 dnis required
```
The following example shows a configuration that specifies that both the DNIS number and the CLID number be used for preauthentication. DNIS preauthentication will be performed first, followed by CLID preauthentication.
```
aaa preauth
 group radius
 dnis required
 clid required
```
The following example specifies that preauthentication be performed on all DNIS numbers except the two DNIS numbers specified in the DNIS group called hawaii:
```
aaa preauth
 group radius
 dnis required
 dnis bypass hawaii
dialer dnis group hawaii
 number 12345
 number 12346
```

Note: To configure preauthentication, you must also set up preauthentication profiles on the RADIUS server.
The following example shows an ISDN guard timer that is set at 8000 milliseconds. A call will be rejected if the RADIUS server has not responded to a preauthentication request when the timer expires.
```
interface serial1/0/0:23
 isdn guard-timer 8000 on-expiry reject
aaa preauth
 group radius
 dnis required
```
The following example shows a CAS guard timer that is set at 20,000 milliseconds. A call will be accepted if the RADIUS server has not responded to a preauthentication request when the timer expires.
```
controller T1 0
 framing esf
 clock source line primary
 linecode b8zs
 ds0-group 0 timeslots 1-24 type e&m-fgb dtmf dnis
 cas-custom 0
 call guard-timer 20000 on-expiry accept
aaa preauth
 group radius
 dnis required
```
The following example shows a configuration that sends RADIUS attribute 44 in access-request packets before user authentication:
```
aaa new-model
aaa authentication ppp default group radius
radius-server host 10.100.1.34
radius-server attribute 44 on-for-access-req
```
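Several settings in the examples above decide whether the preauthentication gate fails open: an on-expiry accept guard timer, the if-avail keyword, a dnis bypass group, and an element left on the default password cisco documented in the command reference. The following added audit script (not Cisco code) checks a configuration for them; it assumes the text is in the indented form shown by more system:running-config, and both sample configurations are constructed.

```python
"""Audit an IOS configuration for preauthentication settings that fail open."""

ELEMENTS = ("clid", "ctype", "dnis")
GUARD_TIMERS = (["isdn", "guard-timer"], ["call", "guard-timer"])

# Constructed sample: every choice here weakens the preauthentication gate.
WEAK_CONFIG = """\
aaa new-model
aaa preauth
 group radius
 dnis if-avail
 clid required password cisco
 dnis bypass hawaii
!
interface serial1/0/0:23
 isdn guard-timer 8000 on-expiry accept
"""

# Constructed sample: the same gate failing closed. Passwords are placeholders.
HARDENED_CONFIG = """\
aaa new-model
aaa preauth
 group radius
 dnis required password EXAMPLE-PLACEHOLDER-1
 clid required password EXAMPLE-PLACEHOLDER-2
!
interface serial1/0/0:23
 isdn guard-timer 8000 on-expiry reject
"""


def _check_preauth_command(lineno, words):
    """Check one command inside the aaa preauth block."""
    out = []
    if words[:2] == ["dnis", "bypass"]:
        group = " ".join(words[2:])
        out.append((lineno, "dnis-bypass",
                    f"DNIS group {group!r} is exempt from preauthentication"))
    elif words[0] in ELEMENTS:
        options, password = words[1:], None
        if "password" in options:
            idx = options.index("password")
            password = options[idx + 1] if idx + 1 < len(options) else None
            options = options[:idx]   # keywords only; never match inside the password
        if password in (None, "cisco"):
            out.append((lineno, "default-password",
                        f"{words[0]} element uses the default password cisco"))
        if "if-avail" in options:
            out.append((lineno, "if-avail",
                        f"{words[0]} passes when the switch supplies no data"))
    return out


def audit_preauth(config_text):
    """Return (line_number, code, message) findings for one configuration."""
    findings = []
    section = None                    # most recent top-level command
    preauth_line = None
    group_seen = False
    for lineno, raw in enumerate(config_text.splitlines(), 1):
        words = raw.split()
        if not words or words[0].startswith("!"):
            continue
        if words[:2] in GUARD_TIMERS:
            if words[-2:] == ["on-expiry", "accept"]:
                findings.append((lineno, "guard-timer-accept",
                                 "call is accepted when RADIUS has not answered in time"))
        elif not raw[0].isspace():    # an unindented line opens a new section
            section = " ".join(words)
            if section == "aaa preauth":
                preauth_line = lineno
        elif section == "aaa preauth":
            group_seen = group_seen or words[0] == "group"
            findings += _check_preauth_command(lineno, words)
    if preauth_line and not group_seen:
        findings.append((preauth_line, "no-group",
                         "aaa preauth block has no group command"))
    return findings


if __name__ == "__main__":
    for name, text in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name)
        for lineno, code, message in audit_preauth(text):
            print(f"  line {lineno}: [{code}] {message}")
```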
This section documents a new command for Preauthentication with CAS, as well as recently introduced commands for Preauthentication with ISDN PRI. All other commands used with this feature are documented in the Cisco IOS Release 12.1 command reference publications.
To enter AAA preauthentication configuration mode, use the aaa preauth global configuration command. To disable preauthentication, use the no form of this command.
aaa preauth
Syntax Description
This command has no arguments or keywords.
Defaults
Preauthentication is not enabled.
Command Modes
Global configuration
Command History
| Release | Modification |
|---|---|
| 12.1(2)T | This command was introduced. |
Usage Guidelines
To enter AAA preauthentication configuration mode, use the aaa preauth command. To configure preauthentication, use some combination of the aaa preauth commands: group, clid, ctype, dnis, and dnis bypass. You must use the group command. You must also use one or more of the clid, ctype, dnis, or dnis bypass commands.
In addition to using the preauthentication commands to configure preauthentication on the Cisco router, you must set up the preauthentication profiles on the RADIUS server.
You can use the clid, ctype, or dnis commands to define the list of the preauthentication elements. For each preauthentication element, you can also define options such as password (for all the elements, the default password is cisco). If you specify multiple elements, the preauthentication process will be performed on each element according to the order of the elements that you configure with the preauthentication commands. In this case, more than one RADIUS preauthentication profile is returned, but only the last preauthentication profile will be applied to the authentication and authorization later on, if applicable.
Examples
The following example shows a configuration that specifies that both the DNIS number and the CLID number be used for preauthentication. DNIS preauthentication will be performed first, followed by CLID preauthentication.
```
aaa preauth
 group radius
 dnis required
 clid required
```
Related Commands
| Command | Description |
|---|---|
| call guard-timer | Sets a CAS guard timer to accept or reject a call in the event that the RADIUS server fails to respond to a preauthentication request. |
| clid | Preauthenticates calls on the basis of the CLID number. |
| ctype | Preauthenticates calls on the basis of the call type. |
| dnis | Preauthenticates calls on the basis of the DNIS number. |
| dnis bypass | Specifies a group of DNIS numbers that will be bypassed for preauthentication. |
| group | Specifies the AAA RADIUS server group to use for preauthentication. |
| isdn guard-timer | Sets an ISDN guard timer to accept or reject a call in the event that the RADIUS server fails to respond to a preauthentication request. |
To set a guard timer to accept or reject a call in the event that the RADIUS server fails to respond to a preauthentication request, use the call guard-timer interface configuration command. To remove the call guard-timer command from your configuration file, use the no form of this command.
call guard-timer milliseconds [on-expiry {accept | reject}]
Syntax Description
| Keyword or argument | Description |
|---|---|
| milliseconds | Specifies the number of milliseconds to wait for a response from the RADIUS server. |
| on-expiry accept | (Optional) Accepts the call if a response is not received from the RADIUS server within the specified time. |
| on-expiry reject | (Optional) Rejects the call if a response is not received from the RADIUS server within the specified time. |
Defaults
No default behavior or values.
Command Modes
Controller configuration
Command History
| Release | Modification |
|---|---|
| 12.1(3)T | This command was introduced. |
Examples
The following example shows a guard timer that is set at 20000 milliseconds. A call will be accepted if the RADIUS server has not responded to a preauthentication request when the timer expires.
```
controller T1 0
 framing esf
 clock source line primary
 linecode b8zs
 ds0-group 0 timeslots 1-24 type e&m-fgb dtmf dnis
 cas-custom 0
 call guard-timer 20000 on-expiry accept
aaa preauth
 group radius
 dnis required
```
Related Commands
| Command | Description |
|---|---|
| aaa preauth | Enters AAA preauthentication configuration mode. |
To preauthenticate calls on the basis of the CLID number, use the clid AAA preauthentication configuration command. To remove the clid command from your configuration, use the no form of this command.
clid [if-avail | required] [accept-stop] [password string]
Syntax Description
| Keyword or argument | Description |
|---|---|
| if-avail | (Optional) Implies that if the switch provides the data, RADIUS must be reachable and must accept the string in order for preauthentication to pass. If the switch does not provide the data, preauthentication passes. |
| required | (Optional) Implies that the switch must provide the associated data, that RADIUS must be reachable, and that RADIUS must accept the string in order for preauthentication to pass. If these three conditions are not met, preauthentication fails. |
| accept-stop | (Optional) Prevents subsequent preauthentication elements from being tried once preauthentication has succeeded for a call element. |
| password string | (Optional) Defines the password for the preauthentication element. |
Defaults
The if-avail and required keywords are mutually exclusive. If the if-avail keyword is not configured, the preauthentication setting defaults to required.
The default password string is cisco.
Command Modes
AAA preauthentication configuration
Command History
| Release | Modification |
|---|---|
| 12.1(2)T | This command was introduced. |
Usage Guidelines
You may use more than one of the AAA preauthentication commands (clid, ctype, dnis) to set conditions for preauthentication. The sequence of commands used decides the sequence of the preauthentication conditions. For example, if you use dnis, then clid, then ctype, in that order, then that is the order of the conditions considered in the preauthentication process.
In addition to using the preauthentication commands to configure preauthentication on the Cisco router, you must set up the preauthentication profiles on the RADIUS server.
Examples
The following example specifies that incoming calls be preauthenticated on the basis of the CLID number:
```
aaa preauth
 group radius
 clid required
```
Related Commands
| Command | Description |
|---|---|
| ctype | Preauthenticates calls on the basis of the call type. |
| dnis | Preauthenticates calls on the basis of the DNIS number. |
| dnis bypass | Specifies a group of DNIS numbers that will be bypassed for preauthentication. |
| group | Specifies the AAA RADIUS server group to use for preauthentication. |
To preauthenticate calls on the basis of the call type, use the ctype AAA preauthentication configuration command. To remove the ctype command from your configuration, use the no form of this command.
ctype [if-avail | required] [accept-stop] [password string]
Syntax Description
| Keyword or argument | Description |
|---|---|
| if-avail | (Optional) Implies that if the switch provides the data, RADIUS must be reachable and must accept the string in order for preauthentication to pass. If the switch does not provide the data, preauthentication passes. |
| required | (Optional) Implies that the switch must provide the associated data, that RADIUS must be reachable, and that RADIUS must accept the string in order for preauthentication to pass. If these three conditions are not met, preauthentication fails. |
| accept-stop | (Optional) Prevents subsequent preauthentication elements from being tried once preauthentication has succeeded for a call element. |
| password string | (Optional) Defines the password for the preauthentication element. |
Defaults
The if-avail and required keywords are mutually exclusive. If the if-avail keyword is not configured, the preauthentication setting defaults to required.
The default password string is cisco.
Command Modes
AAA preauthentication configuration
Command History
| Release | Modification |
|---|---|
| 12.1(2)T | This command was introduced. |
Usage Guidelines
You may use more than one of the AAA preauthentication commands (clid, ctype, dnis) to set conditions for preauthentication. The sequence of the command configuration decides the sequence of the preauthentication conditions. For example, if you use dnis, then clid, then ctype, in that order, then that is the order of the conditions considered in the preauthentication process.
In addition to using the preauthentication commands to configure preauthentication on the Cisco router, you must set up the preauthentication profiles on the RADIUS server.
Set up the RADIUS preauthentication profile, specifying the call type string as the username and defining the password in the ctype command as the password. The following table shows the call type strings that you may use in the preauthentication profile:
Call Type String | ISDN Bearer Capabilities |
|---|---|
Examples
The following example specifies that incoming calls be preauthenticated on the basis of the call type:
```
aaa preauth
 group radius
 ctype required
```
Related Commands
| Command | Description |
|---|---|
| clid | Preauthenticates calls on the basis of the CLID number. |
| dnis | Preauthenticates calls on the basis of the DNIS number. |
| dnis bypass | Specifies a group of DNIS numbers that will be bypassed for preauthentication. |
| group | Specifies the AAA RADIUS server group to use for preauthentication. |
To preauthenticate calls on the basis of the DNIS number, use the dnis AAA preauthentication configuration command. To remove the dnis command from your configuration, use the no form of this command.
dnis [if-avail | required] [accept-stop] [password string]
Syntax Description
| Keyword or argument | Description |
|---|---|
| if-avail | (Optional) Implies that if the switch provides the data, RADIUS must be reachable and must accept the string in order for preauthentication to pass. If the switch does not provide the data, preauthentication passes. |
| required | (Optional) Implies that the switch must provide the associated data, that RADIUS must be reachable, and that RADIUS must accept the string in order for preauthentication to pass. If these three conditions are not met, preauthentication fails. |
| accept-stop | (Optional) Prevents subsequent preauthentication elements from being tried once preauthentication has succeeded for a call element. |
| password string | (Optional) Defines the password for the preauthentication element. |
Defaults
The if-avail and required keywords are mutually exclusive. If the if-avail keyword is not configured, the preauthentication setting defaults to required.
The default password string is cisco.
Command Modes
AAA preauthentication configuration
Command History
| Release | Modification |
|---|---|
| 12.1(2)T | This command was introduced. |
Usage Guidelines
You may use more than one of the AAA preauthentication commands (clid, ctype, dnis) to set conditions for preauthentication. The sequence of the command configuration decides the sequence of the preauthentication conditions. For example, if you use dnis, then clid, then ctype, in that order, then that is the order of the conditions considered in the preauthentication process.
In addition to using the preauthentication commands to configure preauthentication on the Cisco router, you must set up the preauthentication profiles on the RADIUS server.
Examples
The following example specifies that incoming calls be preauthenticated on the basis of the DNIS number:
```
aaa preauth
 group radius
 dnis required
```
Related Commands
| Command | Description |
|---|---|
| clid | Preauthenticates calls on the basis of the CLID number. |
| ctype | Preauthenticates calls on the basis of the call type. |
| dnis bypass | Specifies a group of DNIS numbers that will be bypassed for preauthentication. |
| group | Specifies the AAA RADIUS server group to use for preauthentication. |
To specify a group of DNIS numbers that will be bypassed for preauthentication, use the dnis bypass AAA preauthentication configuration command. To remove the dnis bypass command from your configuration, use the no form of this command.
dnis bypass {dnis-group-name}
Syntax Description
| Keyword or argument | Description |
|---|---|
| dnis-group-name | Name of the defined DNIS group. |
Defaults
This command is not enabled.
Command Modes
AAA preauthentication configuration
Command History
| Release | Modification |
|---|---|
| 12.1(2)T | This command was introduced. |
Usage Guidelines
You must first create a DNIS group with the dialer dnis group command before using this command.
Examples
The following example specifies that preauthentication be performed on all DNIS numbers except for two DNIS numbers (12345 and 12346), which have been defined in the DNIS group called hawaii:
```
aaa preauth
 group radius
 dnis required
 dnis bypass hawaii
dialer dnis group hawaii
 number 12345
 number 12346
```
Related Commands
| Command | Description |
|---|---|
| dialer dnis group | Creates a DNIS group. |
| dnis | Preauthenticates calls on the basis of the DNIS number. |
To specify the AAA RADIUS server group to use for preauthentication, use the group AAA preauthentication configuration command. To remove the group command from your configuration, use the no form of this command.
group server-group
Syntax Description
| Keyword or argument | Description |
|---|---|
| server-group | Specifies a AAA RADIUS server group. |
Defaults
No default behavior or values.
Command Modes
AAA preauthentication configuration
Command History
| Release | Modification |
|---|---|
| 12.1(2)T | This command was introduced. |
Usage Guidelines
You must configure a RADIUS server group with the aaa group server radius command in global configuration mode before using the group command in AAA preauthentication configuration mode.
You must use the group command before using any other AAA preauthentication command (clid, ctype, dnis, or dnis bypass).
Examples
The following example shows the creation of a RADIUS server group called maestro and then specifies that DNIS preauthentication be performed using this server group:
```
aaa group server radius maestro
 server 1.1.1.1
 server 2.2.2.2
 server 3.3.3.3
aaa preauth
 group maestro
 dnis required
```
Related Commands
| Command | Description |
|---|---|
| aaa group server radius | Groups different RADIUS server hosts into distinct lists and distinct methods. |
| clid | Preauthenticates calls on the basis of the CLID number. |
| ctype | Preauthenticates calls on the basis of the call type. |
| dnis | Preauthenticates calls on the basis of the DNIS number. |
| dnis bypass | Specifies a group of DNIS numbers that will be bypassed for preauthentication. |
To set a guard timer to accept or reject a call in the event that the RADIUS server fails to respond to a preauthentication request, use the isdn guard-timer interface configuration command. To remove the isdn guard-timer command from your configuration file, use the no form of this command.
isdn guard-timer milliseconds [on-expiry {accept | reject}]
Syntax Description
| Keyword or argument | Description |
|---|---|
| milliseconds | Specifies the number of milliseconds to wait for a response from the RADIUS server. |
| on-expiry accept | (Optional) Accepts the call if a response is not received from the RADIUS server within the specified time. |
| on-expiry reject | (Optional) Rejects the call if a response is not received from the RADIUS server within the specified time. |
Defaults
The default is to reject the call.
Command Modes
Interface configuration
Command History
| Release | Modification |
|---|---|
| 12.1(2)T | This command was introduced. |
Examples
The following example shows a guard timer that is set at 8000 milliseconds. A call will be rejected if the RADIUS server has not responded to a preauthentication request when the timer expires.
```
interface serial1/0/0:23
 isdn guard-timer 8000 on-expiry reject
aaa preauth
 group radius
 dnis required
```
Related Commands
| Command | Description |
|---|---|
| aaa preauth | Enters AAA preauthentication configuration mode. |
AAA: authentication, authorization, and accounting. Suite of network security services that provide the primary framework through which access control can be set up on your Cisco router or access server.
authentication, authorization, and accounting: See AAA.
Calling Line Identification: See CLID.
CAS: channel-associated signalling. Call signalling that enables the access server to send or receive analog calls.
Challenge Handshake Authentication Protocol: See CHAP.
channel-associated signalling: See CAS.
CHAP: Challenge Handshake Authentication Protocol. Security feature supported on lines using PPP encapsulation that prevents unauthorized access. CHAP does not itself prevent unauthorized access; it merely identifies the remote end. The router or access server then determines whether that user is allowed access. Compare to PAP.
CLID: Calling Line Identification. Also called Caller ID. CLID provides the number from which a call originates.
Dialed Number Identification Service: See DNIS.
DNIS: Dialed Number Identification Service. DNIS provides the number that is dialed.
Integrated Services Digital Network: See ISDN.
ISDN: Integrated Services Digital Network. Communication protocol, offered by telephone companies, that permits telephone networks to carry data, voice, and other source traffic.
MICA: modem ISDN channel aggregation. Modem module and card used in the Cisco AS5300 universal access servers. A MICA modem provides an interface between an incoming or outgoing digital call and an ISDN telephone line; the call does not have to be converted to analog, as it does with a conventional modem and an analog telephone line. Each line can accommodate, or aggregate, up to 24 (T1) or 30 (E1) calls.
modem ISDN channel aggregation: See MICA.
MS-CHAP: Microsoft version of CHAP.
NAS: network access server. Cisco platform (or collection of platforms, such as an AccessPath system) that interfaces between the packet world (for example, the Internet) and the circuit world (for example, the Public Switched Telephone Network).
network access server: See NAS.
PAP: Password Authentication Protocol. Authentication protocol that allows PPP peers to authenticate one another. The remote router attempting to connect to the local router is required to send an authentication request. Unlike CHAP, PAP passes the password and host name or username in the clear (unencrypted). PAP does not itself prevent unauthorized access; it merely identifies the remote end. The router or access server then determines if that user is allowed access. PAP is supported only on PPP lines. Compare with CHAP.
Password Authentication Protocol: See PAP.
PPP: Point-to-Point Protocol. Successor to SLIP that provides router-to-router and host-to-network connections over synchronous and asynchronous circuits. Whereas SLIP was designed to work with IP, PPP was designed to work with several network layer protocols, such as IP, IPX, and ARA. PPP also has built-in security mechanisms, such as CHAP and PAP. PPP relies on two protocols: LCP and NCP.
PRI: Primary Rate Interface. ISDN interface to primary rate access. Primary rate access consists of a single 64-Kbps D channel plus 23 (T1) or 30 (E1) B channels for voice or data.
Primary Rate Interface: See PRI.
PSTN: Public Switched Telephone Network. General term referring to the variety of telephone networks and services in place worldwide. Sometimes called POTS (plain old telephone service).
Public Switched Telephone Network: See PSTN.
RADIUS: Remote Authentication Dial-In User Service. Database for authenticating modem and ISDN connections and for tracking connection time.
vendor-specific attribute: See VSA.
VSA: vendor-specific attribute. An attribute that has been implemented by a particular vendor. It uses the attribute Vendor-Specific to encapsulate the resulting AV pair: essentially, Vendor-Specific = "protocol:attribute=value".
Posted: Tue Sep 19 17:52:02 PDT 2000
Copyright 1989-2000©Cisco Systems Inc.