We are setting up a PPP/IP VPDN service to a SITA Home Gateway. The SITA
Home Gateway is to be made available to selected customers.
Customers call a NAS (PSTN or ISDN) where the caller's destination domain
(Home Gateway) is authenticated using CHAP and CiscoSecure. When
authenticated, the NAS establishes an L2F tunnel to
the SITA managed Home Gateway.
The Home Gateway has to establish if the remote caller is a legitimate
customer or not.
We want to do this by having the Home Gateway validate the customer's Calling
Line Id (CLID) against that of a known user/CLID on the security server.
The problem we have is that the CLID is not passed on to the Home Gateway.
The NAS does see the CLID when the ISDN call comes in. The NAS picks up the
CLID and assigns it to the 'rem_addr' field. After the subsequent CPE CHAP
challenge/NAS authentication exchange with the server, the successful call
has the rem_addr field updated with an IP address used in tunnel creation.
The rem_addr field is not sent to the Home Gateway; it seems just to tell
the NAS where to establish the tunnel.
Is the failure of the NAS to send the CLID to the Home Gateway a bug or
not? In this situation, the CLID enables us (SITA) to associate a call with
a known customer and location.
Alternatively, if we (SITA) were providing a VPDN service for a specific
private customer's Home Gateway, and that customer wanted to do his own
CHAP/CLID authentication, he would not be able to do so as the CLID
information is not passed on. This is a likely scenario for us.
Having the NAS verify the CLID may be possible, but is much more
restrictive. It restricts us to a single database, and in the case above
(VPDN for a private customer) would force us to be involved/responsible for
their authentication process. If the CLID info was passed on, the customer
could maintain his own database.
I can send configs if necessary....