ANI/CLI authentication

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

Automatic Number Identification/Calling Line Identification (ANI/CLI) authentication is the authentication of a connection attempt based on the phone number of the caller. ANI/CLI service returns the number of the caller to the receiver of the call and is provided by most standard telephone companies.

ANI/CLI authentication is different from caller ID authorization. In caller ID authorization, the caller sends a valid user name and password. The caller ID that is configured for the dial-in property on the user account must match the connection attempt; otherwise, the connection attempt is rejected. In ANI/CLI authentication, a user name and password are not sent.

To identify ANI/CLI-based connections and apply the appropriate connection settings, you must do the following:

  1. Enable unauthenticated access on the remote access server. For more information, see Enable authentication protocols.

  2. Enable unauthenticated access on the appropriate remote access policy for ANI/CLI-based authentication. For more information, see Introduction to remote access policies and Configure authentication.

  3. Create a user account for each calling number for which you want to provide ANI/CLI authentication. The name of the user account must match the number that the user is dialing from. For example, if a user is dialing in from 555-0100, create a "5550100" user account.

  4. Set the following registry value to 31 on the authenticating server (either the remote access server or the IAS server):

    HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\RemoteAccess\Policy\User Identity Attribute

    This registry setting tells the authenticating server to use the calling number (RADIUS attribute 31, Calling-Station-ID) as the identity of the calling user. The user identity is set to the calling number only when there is no user name being supplied in the connection attempt.

    To always use the calling number as the user identity, set the following registry value to 1 on the authenticating server:

    HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\RemoteAccess\Policy\Override User-Name

    However, if you set Override User-Name to 1 and the User Identity Attribute to 31, the authenticating server can only perform ANI/CLI-based authentication. Normal authentication by using authentication protocols such as MS-CHAP, CHAP, and EAP is disabled.

Note

  • Changes to the registry settings do not take effect until the Routing and Remote Access service or the Internet Authentication Service is restarted.

Caution

  • Incorrectly editing the registry may severely damage your system. Before making changes to the registry, you should back up any valued data on the computer.
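
The following Python sketch is an added example, not Microsoft code: it models how the two registry values in step 4 decide which identity the authenticating server uses for a connection attempt, and when protocol-based authentication is disabled. The function names, the dictionary layout, the digits-only normalization of the calling number, and the behavior when User Identity Attribute is not 31 are assumptions made for illustration.

```python
# Added model of the identity selection in step 4 (not Microsoft code).
USER_NAME = 1            # RADIUS attribute 1, User-Name
CALLING_STATION_ID = 31  # RADIUS attribute 31, Calling-Station-ID


def account_name_for(number):
    """Account name for a calling number, e.g. 555-0100 -> "5550100".

    Assumption: keeping digits only generalises the page's single example.
    """
    return "".join(ch for ch in number if ch.isdigit())


def protocol_auth_available(policy):
    """False when the server can only perform ANI/CLI-based authentication."""
    return not (policy.get("User Identity Attribute") == CALLING_STATION_ID
                and policy.get("Override User-Name") == 1)


def resolve_identity(policy, attempt):
    """Return (identity, source) for one connection attempt.

    policy:  the two registry values, keyed by value name
    attempt: RADIUS attribute number -> value (constructed input)
    """
    user_name = attempt.get(USER_NAME)
    calling = attempt.get(CALLING_STATION_ID)
    ani_identity = account_name_for(calling) if calling else None

    if policy.get("User Identity Attribute") != CALLING_STATION_ID:
        # Not covered by the page; assumption: only a supplied user name counts.
        return user_name, "user-name"
    if policy.get("Override User-Name") == 1:
        # Calling number always wins, even when a user name was sent.
        return ani_identity, "calling-number"
    if user_name:
        return user_name, "user-name"
    # No user name supplied: fall back to the calling number.
    return ani_identity, "calling-number"


if __name__ == "__main__":
    fallback = {"User Identity Attribute": 31}
    ani_only = {"User Identity Attribute": 31, "Override User-Name": 1}
    dial_in = {USER_NAME: "alice", CALLING_STATION_ID: "555-0100"}  # constructed
    for name, policy in (("fallback", fallback), ("ani-only", ani_only)):
        print(name, resolve_identity(policy, dial_in),
              "protocol auth:", protocol_auth_available(policy))
```

With both values set, an attempt that supplies a user name is still identified by its calling number, which is the case where MS-CHAP, CHAP, and EAP authentication no longer applies.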