User Guide for Cisco Secure Access Control System 5.4
OL-26225-01
Chapter 8 Managing Users and Identity Stores
Managing External Identity Stores
Callback Options for Dial-In users
If the callback option is enabled, the server calls the caller back during the connection process. The
phone number that is used by the server is set either by the caller or the network administrator.
The possible callback options are:
• No callback
• Set by Caller (routing and remote access service only). This option can be used to define a series of
  static IP routes that are added to the routing table of the server running the Routing and Remote
  Access service when a connection is made.
• Always callback to (with an option to set a number). This option can be used to assign a specific IP
  address to a user when a connection is made.
The callback attributes should be returned in the RADIUS response to the device.

Dial-In Support Attributes

The user attributes on Active Directory are supported on the following servers:
• Windows Server 2003
• Windows Server 2003 R2
• Windows Server 2008
• Windows Server 2008 R2
ACS does not support Dial-in users on Windows 2000.
ACS Response
If you enable the dial-in check on ACS Active Directory and the user's dial-in option is 'Deny Access'
on Active Directory, the authentication request is rejected with a message in the log indicating that
dial-in access is denied. If a user fails an MSCHAP v1/v2 authentication when dial-in is not enabled,
ACS should set a proper error code (NT error = 649) on the EAP response.
If the callback options are enabled, the ACS RADIUS response contains the returned Service
Type and Callback Number attributes as follows:
• If the callback option is Set by Caller or Always Callback To, the service-type attribute should be
  queried on Active Directory during the user authentication. The service-type can be one of the following:
  - 3 = Callback Login
  - 4 = Callback Framed
  - 9 = Callback NAS Prompt
  This attribute should be returned to the device in the Service-Type RADIUS attribute. If ACS is already
  configured to return the service-type attribute in the RADIUS response, the service-type value queried
  for the user on Active Directory replaces it.
• If the callback option is Always Callback To, the callback number should also be queried on the
  Active Directory user. This value is set in the RADIUS response on the Cisco-AV-Pair attribute with
  the following values:
  - cisco-av-pair=lcp:callback-dialstring=[callback number value]
  - cisco-av-pair=Shell:callback-dialstring=[callback number value]
  - cisco-av-pair=Slip:callback-dialstring=[callback number value]
  - cisco-av-pair=Arap:callback-dialstring=[callback number value]
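The response rules above, modelled as an added example (not code from ACS or from this guide) that can be used to compute the attributes you expect to see when auditing a RADIUS response. The DialInSettings fields, the callback option strings and the nt_error key are hypothetical names; the Service-Type values and cisco-av-pair strings are the ones listed in this section.

```python
from dataclasses import dataclass
from typing import Optional

# Service-Type values this section lists for callback users.
CALLBACK_SERVICE_TYPES = {3: "Callback Login", 4: "Callback Framed", 9: "Callback NAS Prompt"}
# Protocol prefixes of the four cisco-av-pair values listed above.
AV_PAIR_PROTOCOLS = ("lcp", "Shell", "Slip", "Arap")
NT_ERROR_DIALIN_DENIED = 649


@dataclass
class DialInSettings:
    """Hypothetical view of a user's dial-in settings as read from Active Directory."""
    allow_dialin: bool
    callback: str = "none"              # "none", "set_by_caller" or "always" (assumed labels)
    service_type: Optional[int] = None
    callback_number: Optional[str] = None


def build_response(user, configured_attrs, mschap=False):
    """Return (accepted, attributes) for one authentication, per the rules above."""
    if not user.allow_dialin:
        # 'Deny Access': reject; MSCHAP v1/v2 failures carry NT error 649.
        return False, ({"nt_error": NT_ERROR_DIALIN_DENIED} if mschap else {})

    attrs = dict(configured_attrs)      # attributes ACS is already configured to return
    if user.callback in ("set_by_caller", "always"):
        if user.service_type not in CALLBACK_SERVICE_TYPES:
            raise ValueError(f"unexpected callback service-type: {user.service_type!r}")
        # The value queried on Active Directory replaces any configured Service-Type.
        attrs["Service-Type"] = user.service_type

    if user.callback == "always":
        if not user.callback_number:
            raise ValueError("Always Callback To requires a callback number")
        pairs = [f"{p}:callback-dialstring={user.callback_number}" for p in AV_PAIR_PROTOCOLS]
        attrs["cisco-av-pair"] = list(attrs.get("cisco-av-pair", [])) + pairs
    return True, attrs


if __name__ == "__main__":
    # Constructed sample user and configured attribute set.
    sample = DialInSettings(True, "always", service_type=4, callback_number="5550100")
    print(build_response(sample, {"Service-Type": 1}))
```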