The asynchronous callback feature supports EXEC, PPP, and ARAP sessions. The main motivation for callback is telephone bill consolidation and dialup cost savings. It is not positioned as a security feature; however, if the callback number is assigned in the authentication database, security is enforced because callbacks are made only to assigned telephone numbers. The incoming calls go through the normal login process and must pass authentication before callback can occur, as shown in Figure .
The callback feature employs a two-pass process:
- On the first pass, the callback engine determines which target line to use for callback and hangs up on the incoming line. Then, the callback engine dials back to the remote user through the target line by using the dial string provided.
- On the second pass, the callback engine proceeds normally, as if there were no callback.
To make callback work properly, you must make sure that callback is configured for each autoselect protocol that is defined for any given remote user. Otherwise, the remote dial-in autoselect process may work, but no callback occurs.
The PPP callback operation consists of the following events:
1. The callback client initiates the call. The client requests callback by using the callback option during the PPP LCP negotiation phase.
2. The callback server acknowledges the callback request and checks its configuration to verify that callback is enabled.
3. The callback client and server authenticate by using either CHAP or PAP authentication. The username is used to identify the dial string for the return call.
4. After successful initial authentication, the callback server router identifies the callback dial string. The callback server compares the username of the authentication to the host name in a dialer map table. The dial string can be identified by a mapping table or by the Callback Option Message field during the PPP LCP negotiations. The Callback Option Message field is defined in RFC 1570.
   When the commands dialer callback-secure, ppp callback accept, and ppp authentication pap or ppp authentication chap are enabled on an interface, all calls answered on that interface are disconnected after authentication, and Steps 5-8 occur as follows.
   - If dialer callback-secure is not enabled, the callback server maintains the initial call if the authenticated username is not configured for callback.
5. The initiating call is disconnected by the callback server.
6. The callback server uses the dial string to initiate the callback. If the return call fails, no additional calls are attempted. Callback is not negotiated on the return call.
7. Authentication occurs.
8. The connection proceeds.
Callback Negotiation
If a caller requests a callback but the server is not set to accept a callback, the answering router maintains the initial call.
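The first-pass decision described above, as an added example that is not part of the original page and is a simplified model rather than Cisco IOS code. It assumes the client requested callback; the usernames and numbers are constructed, and `trust_client_number` is a hypothetical policy switch (not an IOS command) that lets the model use the number from the Callback Option Message only when no server-assigned dial string exists.

```python
from typing import NamedTuple, Optional, Tuple

LCP_OPT_CALLBACK = 13   # LCP Callback option type (RFC 1570)
OP_DIAL_STRING = 1      # RFC 1570 Operation: Message carries a dialing string

class Interface(NamedTuple):
    callback_accept: bool   # models "ppp callback accept"
    callback_secure: bool   # models "dialer callback-secure"
    dial_map: dict          # username -> server-assigned dial string
    trust_client_number: bool = False  # hypothetical switch, not an IOS command

def parse_callback_option(opt: bytes) -> Tuple[int, bytes]:
    """Split one LCP Callback option (Type, Length, Operation, Message)."""
    if len(opt) < 3 or opt[0] != LCP_OPT_CALLBACK or opt[1] != len(opt):
        raise ValueError("malformed Callback option")
    return opt[2], opt[3:]

def first_pass(iface: Interface, username: str, authenticated: bool,
               option: bytes) -> Tuple[str, Optional[str]]:
    """Return (action, dial_string) for an initial call that requested callback."""
    if not authenticated:
        return ("reject", None)             # no callback before authentication
    if not iface.callback_accept:
        return ("keep_initial_call", None)  # server not set to accept callback
    operation, message = parse_callback_option(option)
    number = iface.dial_map.get(username)   # assigned number takes precedence
    if number is None and iface.trust_client_number and operation == OP_DIAL_STRING:
        number = message.decode("ascii")    # caller-chosen destination
    if number is not None:
        return ("disconnect_and_call_back", number)
    if iface.callback_secure:
        return ("disconnect", None)         # unmapped user: drop, no return call
    return ("keep_initial_call", None)

# Constructed sample data (not taken from the page).
DIAL_MAP = {"branch1": "5550100"}
BY_AUTH = bytes([LCP_OPT_CALLBACK, 3, 0])                  # Operation 0, no Message
BY_NUMBER = bytes([LCP_OPT_CALLBACK, 10, 1]) + b"5550199"  # caller supplies a number
SECURE = Interface(True, True, DIAL_MAP)
OPEN = Interface(True, False, {}, trust_client_number=True)

if __name__ == "__main__":
    for iface, user, opt in [(SECURE, "branch1", BY_NUMBER), (SECURE, "guest", BY_AUTH),
                             (OPEN, "guest", BY_NUMBER)]:
        print(user, first_pass(iface, user, True, opt))
```

The third sample call returns a callback to the number the caller supplied, which is the case the assigned-number mapping is meant to prevent.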