3.3 PPP Callback
3.3.2 Callback: how does it work?
The asynchronous callback feature supports EXEC, PPP, and ARAP sessions. The main motivation for callback is for telephone bill consolidation and dialup cost savings. It is not positioned as a security feature; however, if the callback number is assigned in the authentication database, security is enforced because callbacks are made only to assigned telephone numbers. The incoming calls go through the normal login process and must pass authentication before callback can occur, as shown in Figure .

The callback feature employs a two-pass process:

  1. On the first pass, the callback engine determines which target line to use for callback and hangs up on the incoming line. Then, the callback engine dials back to the remote user through the target line by using the dial string provided.
  2. On the second pass, the callback engine proceeds normally, as if there were no callback.

To make callback work properly, you must make sure that callback is configured for each autoselect protocol that is defined for any given remote user. Otherwise, the remote dial-in autoselect process may work, but no callback occurs.

The PPP callback operation consists of the following events:

  1. The callback client initiates the call. The client requests callback by using the callback option during the PPP LCP negotiation phase.
  2. The callback server acknowledges the callback request and checks its configuration to verify that callback is enabled.
  3. The callback client and server authenticate by using either CHAP or PAP authentication. The username is used to identify the dial string for the return call.
  4. After successful initial authentication, the callback server router identifies the callback dial string. The callback server compares the username of the authentication to the host name in a dialer map table. The dial string can be identified by a mapping table or by the Callback Option Message field during the PPP LCP negotiations. The Callback Option Message field is defined in RFC 1570.
    When the commands dialer callback-secure, ppp callback accept, and ppp authentication pap or ppp authentication chap are enabled on an interface, all calls answered on that interface are disconnected after authentication and Steps 5-8 occur (as follows):
  5. If dialer callback-secure is not enabled, the callback server maintains the initial call if the authenticated username is not configured for callback.
    The initiating call is disconnected by the callback server.
  6. The callback server uses the dial string to initiate the callback. If the return call fails, no additional calls are attempted. Callback is not negotiated on the return call.
  7. Authentication occurs.
  8. The connection proceeds.
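
The following Python is an added example, not code from the original page or from the router vendor. It parses the RFC 1570 Callback option out of an LCP Configure-Request and shows why a dial string assigned to the authenticated username is safer than one taken from the Callback Option Message field. The policy in choose_dial_string, the usernames and the phone numbers are assumptions constructed for illustration.

```python
import struct

CALLBACK_OPT = 13  # LCP option type for Callback (RFC 1570)
# Operation octet: 0 location determined by user authentication, 1 dialing
# string, 2 location identifier, 3 E.164 number, 4 distinguished name

def parse_callback_option(lcp: bytes):
    """Return (operation, message) from an LCP Configure-Request, else None."""
    if len(lcp) < 4:
        raise ValueError("truncated LCP header")
    code, _ident, length = struct.unpack("!BBH", lcp[:4])
    if code != 1:
        raise ValueError("not a Configure-Request")
    if not 4 <= length <= len(lcp):
        raise ValueError("bad LCP length")
    pos = 4
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated option header")
        opt_type, opt_len = lcp[pos], lcp[pos + 1]
        if opt_len < 2 or pos + opt_len > length:
            raise ValueError("bad option length")
        if opt_type == CALLBACK_OPT:
            if opt_len < 3:
                raise ValueError("Callback option has no Operation octet")
            return lcp[pos + 2], lcp[pos + 3:pos + opt_len]
        pos += opt_len
    return None

def choose_dial_string(username, request, dial_map):
    """Assumed policy (not router code): a number assigned to the
    authenticated username always wins over the client's Message field."""
    cb = parse_callback_option(request)
    if cb is None:
        return ("no-callback", None)
    op, msg = cb
    if username in dial_map:
        return ("assigned", dial_map[username])
    if op in (1, 3) and msg:  # caller chose its own number: audit this
        return ("client-supplied", msg.decode("ascii", "replace"))
    return ("no-dial-string", None)

# Constructed sample: MRU option (1500) plus Callback, Operation 1, "5550100"
SAMPLE = bytes([1, 1, 0, 18, 1, 4, 0x05, 0xDC, 13, 10, 1]) + b"5550100"

if __name__ == "__main__":
    print(parse_callback_option(SAMPLE))
    print(choose_dial_string("guest", SAMPLE, {}))
```

A "client-supplied" result is the case where the callback number is not pinned in the authentication database, so the callback gives no assurance about where the caller is.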

Callback Negotiation

If a caller requests a callback but the server is not set to accept a callback, the answering router maintains the initial call.