Terminal Line Security for PAD Connections

This document describes the Terminal Line Security for PAD Connections feature. The Terminal Line Security for PAD Connections feature allows a CUG service to be configured on terminal lines, enabling terminal lines to participate in X.25 CUG security for packet assembler/disassembler (PAD) connections.

Finding Feature Information

Your software release may not support all the features documented in this module. For the latest caveats and feature information, see Bug Search Tool and the release notes for your platform and software release. To find information about the features documented in this module, and to see a list of the releases in which each feature is supported, see the feature information table at the end of this module.

Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required.

Prerequisites for Terminal Line Security for PAD Connections

The tasks in this document assume a basic understanding of the X.25 CUG service and how it works.

Restrictions for Terminal Line Security for PAD Connections

The CUG selection facility suppression options are not available for terminal lines because incoming PAD calls are terminated by the terminal line.

Information About Terminal Line Security for PAD Connections

X.25 closed user group (CUG) service is a network service that allows subscribers to be segregated into private subnetworks with limited outgoing and incoming access. A data terminal equipment (DTE) device becomes a member of a CUG by subscription; the DTE must obtain membership from its network service for the set of CUGs to which it needs access.

The Terminal Line Security for PAD Connections feature allows a CUG service to be configured on terminal lines, enabling terminal lines to participate in X.25 CUG security for packet assembler/disassembler (PAD) connections. A CUG service can be applied to console lines, auxiliary lines, and tty and vty devices. Configuring a CUG service on terminal lines allows you to specify CUG protection for lines that are part of the point of presence (POP). Before the introduction of this feature, a CUG service could be configured only on X.25 synchronous data communications equipment (DCE) interfaces.

A line configured for CUG service will apply CUG security to PAD, X.28 mode, and protocol translation sessions. The Terminal Line Security for PAD Connections feature ensures that CUG protection is applied to incoming calls destined for the terminal line and call requests specified from the line. This feature also supports the signaling of the CUG selection facility in call requests that originated on the line and incoming calls received on an X.25 service that are terminated by the line.

Figure 1 shows a typical topology in which CUG service would be configured on asynchronous terminal lines.

Figure 1. Network Topology with Asynchronous Lines Configured for CUG Service

Security Considerations


Caution


X.25 CUG security relies on the correct, complementary configuration of CUG sets at all the boundaries between customer premises equipment (CPE) and POPs. Any POP that is connected to a CPE device that is not configured for CUG security has compromised the X.25 network security because that CPE device will be considered a trusted host, even though it is not secure.


PAD Call Behavior When a Line Is Configured for CUG Subscription

This section describes the overall behavior of PAD-initiated calls when a terminal line or an X.25 interface is configured for CUG subscription.

The x25 map pad and x25 facility cug commands can be used to cause a CUG selection facility to be encoded in calls placed within the networks. The following rules describe which CUG selection facility is encoded in the call:

  • A call initiated using the pad command or in X.28 mode without a CUG subscription set encodes the interface CUG selection facility, if one was specified.
  • A call initiated using the pad command with the /use-map option encodes the CUG selection facility for the matching map entry, if one was specified.
  • A call initiated in X.28 mode with a specified CUG encodes the specified X.28 CUG.

PAD Call Behavior When Only the Line is Configured for CUG Service

This section describes PAD call behavior when only the line is configured for CUG service.

Configuration A

In the following example, a line is configured for CUG subscription, and the interface on which the resulting call is to be placed is configured with the x25 facility cug and x25 map pad commands. CUG subscription is not configured on the interface.

interface Serial1
 encapsulation x25 dce
 x25 facility cug 99
 x25 map pad 1221 cug 10 no-outgoing
 x25 map pad 1222 cug 99
 x25 map pad 1234 cug 10
!
line tty 1
 x25 subscribe cug-service
 x25 subscribe local-cug 99 network-cug 9999 preferential
 x25 subscribe local-cug 10 network-cug 100
 x25 subscribe local-cug 20 network-cug 200
!
[...]
!
x25 route ^12..$ interface Serial1
[...]

When the line initiates an X.28 mode or PAD call without a CUG subscription set, the line will decode the interface’s CUG selection facility, and the network will encode the line’s signaled CUG selection facility. The x25 facility cug command implicitly identifies the local CUG to use for PAD-originated calls.

The table below shows the CUG value sent when a line initiates a PAD or an X.28 mode call without a CUG subscription set.

Table 1 CUG Value Sent for Line-Initiated Calls Without a CUG Subscription

User Command    Result
pad 1234        Call 1234, CUG 9999 sent on Serial 1.
*1234           Call 1234, CUG 9999 sent on Serial 1.

Using configuration A, if a call is initiated on a line using the pad command with the /use-map option, the line will decode the matching map entry’s CUG, and the network will encode the line’s signaled CUG selection facility. The map’s CUG identifies the local CUG to use for PAD-originated calls and overrides the interface's CUG selection facility on a per-call basis.

If the pad command is used with the /use-map option, the interface on which the resulting call is to be placed must have a matching X.25 map statement for the PAD call and must permit outgoing calls. Any CUG specified in the map statement must identify the local CUG ID to be used for generating the call.

The table below shows the values sent when a line initiates a PAD call with the /use-map option.

Table 2 CUG Value Sent for Line-Initiated PAD Calls Initiated with the /use-map Option

User Command         Result
pad 1234 /use-map    Call 1234, CUG 100 sent on Serial 1.
pad 1221 /use-map    Call is cleared, outgoing calls are barred.
pad 1255 /use-map    Call is cleared (no matching map found on Serial 1).

Using configuration A, if an X.28 mode call specifies a CUG, the line will decode the specified CUG, and the network will encode the line's signaled CUG selection facility. The X.28 mode commands do not use X.25 map statements when originating calls.

The table below shows the CUG value sent when a line initiates a call using an X.28 interface with CUG specified.

Table 3 CUG Value Sent for Line-Initiated Calls Using an X.28 Mode with CUG Specified

User Command    Result
*g10-1234       Call 1234, CUG 100 sent on Serial 1.

PAD Call Behavior When Both a Line and an Interface Are Configured for CUG Service

This section describes PAD call behavior when a line and an interface are both configured for CUG service.

Configuration B

In the following example a line and an interface are configured for CUG subscription:

interface Serial1
 encapsulation x25 dce
 x25 subscribe cug-service
 x25 subscribe local-cug 5599 network-cug 9999 preferential
 x25 subscribe local-cug 5510 network-cug 100
 x25 subscribe local-cug 5520 network-cug 200
 x25 facility cug 99
 x25 map pad 1234 cug 10
 x25 map pad 1221 cug 10 no-outgoing
 x25 map pad 1222 cug 99
!
line tty 1
 x25 subscribe cug-service
 x25 subscribe local-cug 10 network-cug 100
 x25 subscribe local-cug 20 network-cug 200
 x25 subscribe local-cug 99 network-cug 9999 preferential
!
[...]
!
x25 route ^12..$ interface Serial1
[...]

The table below shows examples of line-initiated PAD commands and the CUG values sent when the terminal line and the X.25 interface are both configured for CUG subscription.

Table 4 CUG Values Sent for Line-Initiated Calls When the Line and Interface Are Configured for CUG Subscription

User Command         Result
pad 1234             Call 1234, CUG 5599 sent on Serial 1.
pad 1221             Call 1221, CUG 5599 sent on Serial 1.
pad 1222             Call 1222, CUG 5599 sent on Serial 1.
pad 1234 /use-map    Call 1234, CUG 5510 sent on Serial 1.
pad 1221 /use-map    Call is cleared, outgoing calls are barred.
pad 1222 /use-map    Call 1222, CUG 5599 sent on Serial 1.
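
The selection rules and Tables 1 to 4 can be reproduced with a small model. The following Python is an added example, not Cisco IOS code and not part of the original document; the class and function names are hypothetical, X.25 routing is ignored, and clearing a call whose CUG has no matching subscription is an assumption that the page does not state.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple


@dataclass
class Interface:
    facility_cug: Optional[int] = None  # x25 facility cug N
    # x25 map pad DEST cug N [no-outgoing]  ->  {dest: (cug, no_outgoing)}
    pad_maps: Dict[str, Tuple[int, bool]] = field(default_factory=dict)
    # x25 subscribe local-cug L network-cug N  ->  {network: local}
    # Empty when the interface has no CUG subscription (Configuration A).
    net_to_local: Dict[int, int] = field(default_factory=dict)


@dataclass
class Line:
    # x25 subscribe local-cug L network-cug N  ->  {local: network}
    local_to_net: Dict[int, int]


def place_call(line: Line, intf: Interface, dest: str,
               use_map: bool = False,
               x28_cug: Optional[int] = None) -> Tuple[Optional[int], str]:
    """Return (CUG value sent on the interface, status) for a line-initiated call."""
    # 1. Pick the local CUG according to how the call was initiated.
    if use_map:                          # pad DEST /use-map
        if dest not in intf.pad_maps:
            return None, "cleared: no matching map"
        selected, no_outgoing = intf.pad_maps[dest]
        if no_outgoing:
            return None, "cleared: outgoing calls are barred"
    elif x28_cug is not None:            # X.28 mode, *gN-DEST
        selected = x28_cug
    else:                                # plain pad DEST or X.28 *DEST
        selected = intf.facility_cug
    if selected is None:
        return None, "not modelled: no CUG selection facility specified"

    # 2. The line maps the selected local CUG to its network CUG.
    network = line.local_to_net.get(selected)
    if network is None:                  # assumption: unsubscribed CUG is cleared
        return None, "cleared: line not subscribed to local CUG %d" % selected

    # 3. A CUG-subscribed interface presents its own local CUG for that
    #    network CUG (Table 4); otherwise the network CUG is sent as is.
    if intf.net_to_local:
        local_on_intf = intf.net_to_local.get(network)
        if local_on_intf is None:        # assumption, as in step 2
            return None, "cleared: interface not subscribed to network CUG %d" % network
        return local_on_intf, "sent"
    return network, "sent"


# Values copied from Configuration A and Configuration B above.
PAD_MAPS = {"1221": (10, True), "1222": (99, False), "1234": (10, False)}
LINE = Line(local_to_net={99: 9999, 10: 100, 20: 200})
INTF_A = Interface(facility_cug=99, pad_maps=PAD_MAPS)
INTF_B = Interface(facility_cug=99, pad_maps=PAD_MAPS,
                   net_to_local={9999: 5599, 100: 5510, 200: 5520})

if __name__ == "__main__":
    calls = [("1234", False, None), ("1234", True, None), ("1221", True, None),
             ("1255", True, None), ("1234", False, 10), ("1222", True, None)]
    for label, intf in (("A", INTF_A), ("B", INTF_B)):
        for dest, use_map, x28 in calls:
            print(label, dest, use_map, x28,
                  place_call(LINE, intf, dest, use_map, x28))
```
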

Benefits

Before the introduction of this feature, CUG functionality required all CPE devices to be attached to the router at an X.25 synchronous DCE interface. The Terminal Line Security for PAD Connections feature extends the existing X.25 CUG functionality to terminal lines, allowing PAD access devices (console lines, auxiliary lines, and tty and vty devices) to be configured for CUG security enforcement.

How to Configure Terminal Line Security for PAD Connections

Configuring X.25 CUG Support on Terminal Lines

To configure X.25 CUG support on terminal lines, use the following commands beginning in global configuration mode:

SUMMARY STEPS

    1.    Router(config)# line [aux | console | tty | vty] line-number [ending-line-number]

    2.    Router(config-line)# x25 subscribe cug-service [incoming-access | outgoing-access]

    3.    Router(config-line)# x25 subscribe local-cug number network-cug number [no-incoming | no-outgoing | preferential]


DETAILED STEPS

    Step 1    Command or Action: Router(config)# line [aux | console | tty | vty] line-number [ending-line-number]
              Purpose: Identifies a specific line or range of lines for configuration and enters line configuration mode.

    Step 2    Command or Action: Router(config-line)# x25 subscribe cug-service [incoming-access | outgoing-access]
              Purpose: Enables and controls standard CUG behavior. CUG protection will be applied to PAD calls destined for and originated on the line.
              Note: The CUG selection facility suppression option is not available for terminal lines because incoming PAD calls are terminated by the line.

    Step 3    Command or Action: Router(config-line)# x25 subscribe local-cug number network-cug number [no-incoming | no-outgoing | preferential]
              Purpose: Configures subscription to a specific CUG and maps the desired local CUG number to its corresponding network CUG. This command can be entered as many times as needed to configure the access needs of a line.

    Verifying X.25 CUG Support on Terminal Lines

    To verify support for X.25 CUG service on terminal lines, perform the following steps:

    SUMMARY STEPS

      1.    Enter the show running-config command to verify that the configuration is correct.

      2.    Enter the show line command to display the configured CUG capability in the Capabilities field:

      3.    Enter the show x25 cug command with the local-cug keyword to display information about all local CUGs configured on the router:

      4.    Enter the show x25 cug command with the network-cug keyword to display information about all network CUGs configured on the router. The following sample output displays the local CUGs associated with network CUG 10:


    DETAILED STEPS
      Step 1   Enter the show running-config command to verify that the configuration is correct.
      Step 2   Enter the show line command to display the configured CUG capability in the Capabilities field:

      Example:
      Router# show line vty 2
      Tty Typ     Tx/Rx    A Modem  Roty AccO AccI   Uses   Noise  Overruns   Int
         132 VTY              -    -      -    -    -      0       0     0/0       -
      Line 132, Location: "", Type: ""
      Length: 24 lines, Width: 80 columns
      Baud rate (TX/RX) is 9600/9600
      Status: No Exit Banner
      Capabilities: CUG Security Enabled
      Modem state: Idle
      Group codes:    0
      Special Chars: Escape  Hold  Stop  Start  Disconnect  Activation
                      ^^x    none   -     -       none         
      Timeouts:      Idle EXEC    Idle Session   Modem Answer  Session   Dispatch
                     00:10:00        never                        none    not set
                                  Idle Session Disconnect Warning
                                    never 
                                  Login-sequence User Response
                                   00:00:30
                                  Autoselect Initial Wait
                                    not set
      Modem type is unknown.
      Session limit is not set.
      .
      .
      .
      
      Step 3   Enter the show x25 cug command with the local-cug keyword to display information about all local CUGs configured on the router:

      Example:
      Router# show x25 cug local-cug
      X.25 Serial1/1, 3 CUGs subscribed with no public access
        local-cug 99 <-> network-cug 9999, no-incoming, preferential
        local-cug 100 <-> network-cug 1000 
        local-cug 101 <-> network-cug 1001 
      PROFILE cugs, 2 CUGs subscribed with with incoming public access
        local-cug 1 <-> network-cug 10, no-outgoing
        local-cug 2 <-> network-cug 20, no-incoming, preferential
      Line: 129 aux 0  , 1 CUGs subscribed with outgoing public access
        local-cug 1 <-> network-cug 10 
      Line: 130 vty 0  , 4 CUGs subscribed with incoming and outgoing public access
        local-cug 1 <-> network-cug 10 
        local-cug 50 <-> network-cug 5, preferential
        local-cug 60 <-> network-cug 6, no-incoming
        local-cug 70 <-> network-cug 7, no-outgoing
      Line: 131 vty 1   , 1 CUGs subscribed with no public access
        local-cug 1 <-> network-cug 10 
      
      Step 4   Enter the show x25 cug command with the network-cug keyword to display information about all network CUGs configured on the router. The following sample output displays the local CUGs associated with network CUG 10:

      Example:
      Router# show x25 cug network-cug 10
      PROFILE cugs, 2 CUGs subscribed with no public access
        network-cug 10 <-> local-cug 1 , no-outgoing
      Line: 129 aux 0   , 1 CUGs subscribed with no public access
        network-cug 10 <-> local-cug 1 
      Line: 130 vty 0   , 4 CUGs subscribed with incoming and outgoing public access
        network-cug 10 <-> local-cug 1 
      Line: 131 vty 1   , 1 CUGs subscribed with no public access
        network-cug 10 <-> local-cug 1

      Monitoring and Maintaining X.25 CUG Support on Terminal Lines

      To monitor and maintain X.25 CUG support on terminal lines, use the following command in privileged EXEC mode:

      Command              Purpose
      Router# debug pad    Displays debug messages for all PAD connections.

      Configuration Examples for Terminal Line Security for PAD Connections

      Configuring X.25 CUG Support on Terminal Lines Example

      The following example shows the configuration of CUG behavior on asynchronous line 1 and virtual terminal lines 0 to 9. The user of async line 1 has only outgoing access to CPE that is subscribed to the corporate CUG designated for finance (CUG 1101) but can receive calls from those same CUG members or from the open network (that is, calls from a network X.25-class service that are destined for the line and have no CUG restriction).

      The users of virtual terminal lines 0 to 9 have access only within the corporate CUGs designated for engineering (CUGs 1102 or 1103). Any call from a network X.25-class service destined for the line will be refused unless the inbound POP validates it as a member of one of those two CUGs.

      line 1
       location Company A. Finance Connection
       x25 subscribe cug-service incoming-access
       x25 subscribe local-cug 1 network-cug 1101 preferential
      !
      line vty 0 9
       location Company A. Engineering Access
       x25 subscribe cug-service
       x25 subscribe local-cug 2 network-cug 1102 preferential
       x25 subscribe local-cug 3 network-cug 1103
      !
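
A configuration audit for the two conditions this document calls out: a terminal line with no `x25 subscribe cug-service`, and a line that subscribes to more than one CUG with neither incoming nor outgoing access and no preferential CUG (see the glossary). This Python is an added example, not Cisco tooling; the function names and finding labels are hypothetical, the last two stanzas in the sample are constructed, and it assumes every terminal line in the configuration is expected to carry CUG protection.

```python
import re

# First two stanzas follow the configuration example above; the last two
# are constructed for this audit and do not come from the page.
SAMPLE_CONFIG = """\
line 1
 location Company A. Finance Connection
 x25 subscribe cug-service incoming-access
 x25 subscribe local-cug 1 network-cug 1101 preferential
!
line vty 0 9
 location Company A. Engineering Access
 x25 subscribe cug-service
 x25 subscribe local-cug 2 network-cug 1102 preferential
 x25 subscribe local-cug 3 network-cug 1103
!
! constructed: two CUGs, no public access, no preferential CUG
line vty 10 14
 x25 subscribe cug-service
 x25 subscribe local-cug 2 network-cug 1102
 x25 subscribe local-cug 3 network-cug 1103
!
! constructed: no CUG service at all
line aux 0
 location Constructed unprotected line
!
"""

CUG_SERVICE = re.compile(r"^x25 subscribe cug-service\b(.*)$", re.I)
LOCAL_CUG = re.compile(
    r"^x25 subscribe local-cug (\d+) network-cug (\d+)\b(.*)$", re.I)


def parse_line_stanzas(config):
    """Return {stanza header: [sub-commands]} for every 'line ...' stanza."""
    stanzas = {}
    current = None
    for raw in config.splitlines():
        if not raw.strip() or raw.startswith("!"):
            current = None                      # separator ends the stanza
        elif not raw[0].isspace():              # new top-level command
            header = raw.strip().lower()
            current = header if header.startswith("line ") else None
            if current:
                stanzas[current] = []
        elif current:                           # indented sub-command
            stanzas[current].append(raw.strip())
    return stanzas


def audit_lines(config):
    """Return [(stanza, finding)] for lines that miss CUG protection."""
    findings = []
    for name, commands in parse_line_stanzas(config).items():
        service_opts = None
        cugs = []
        for cmd in commands:
            m = CUG_SERVICE.match(cmd)
            if m:
                service_opts = m.group(1).split()
            m = LOCAL_CUG.match(cmd)
            if m:
                cugs.append((int(m.group(1)), int(m.group(2)),
                             m.group(3).split()))
        if service_opts is None:
            findings.append((name, "no-cug-service"))
            continue
        public = {"incoming-access", "outgoing-access"} & set(service_opts)
        has_preferential = any("preferential" in opts for _, _, opts in cugs)
        if len(cugs) > 1 and not public and not has_preferential:
            findings.append((name, "no-preferential-cug"))
    return findings


if __name__ == "__main__":
    for stanza, finding in audit_lines(SAMPLE_CONFIG):
        print("%-16s %s" % (stanza, finding))
```
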

      Feature Information for Terminal Line Security for PAD Connections

      The following table provides release information about the feature or features described in this module. This table lists only the software release that introduced support for a given feature in a given software release train. Unless noted otherwise, subsequent releases of that software release train also support that feature.

      Table 5 Feature Information for Terminal Line Security for PAD Connections

      Feature Name           Terminal Line Security for PAD Connections
      Releases               12.2(13)T
      Feature Information    The Terminal Line Security for PAD Connections feature allows a CUG service to be configured on terminal lines, enabling terminal lines to participate in X.25 CUG security for packet assembler/disassembler (PAD) connections.
                             The following commands were introduced or modified: debug pad, show line, show x25 cug, x25 subscribe cug-service, x25 subscribe local-cug.

      Glossary

      call request --An X.25 call packet sent from a DTE to a DCE that initiates a connection to a destination DTE.

      closed user group selection facility --A specific encoding element that can be presented in a call request or incoming call. A CUG selection facility in a call request allows the source DTE to identify the CUG within which it is placing the call. A CUG selection facility in an incoming call allows the destination DTE to identify the CUG to which both DTEs belong.

      CPE --customer premises equipment. Terminating equipment, such as terminals, telephones, and modems, supplied by the telephone company, installed at customer sites, and connected to the telephone company network. This equipment is available for customer modification and is considered insecure by the network.

      CUG --closed user group. A collection of DTE devices for which the network controls access among members and between members and nonmembers. A DTE may subscribe to zero, one, or more CUGs. A DTE that does not subscribe to a CUG is referred to as being in the open part of the network.

      DCE --data communications equipment. A network connection where a subscriber can be attached. A DCE is configured with the operational details for which a given subscriber (DTE) has contracted.

      DTE --data terminal equipment. A network subscriber that can be reached at a specific network attachment point. A network identifies each DTE device by assigning an X.121 address.

      incoming call --An X.25 call packet sent from a DCE to a DTE that presents a connection requested by the source DTE.

      PAD --packet assembler/disassembler. Device used to connect simple devices (like character-mode terminals) that do not support the full functionality of a particular protocol to a network. PADs buffer data and assemble and disassemble packets sent to such end devices.

      POP --point of presence. In the context of a public data network, a POP is the part of the network to which CPE is attached. A POP is configured and controlled by the public network and serves as the boundary equipment between the trusted network and insecure client attachments.

      preferential closed user group --The CUG that is assumed when a CUG is not specified in call setup. A DTE that subscribes to more than one CUG and does not have incoming or outgoing access must designate a preferred CUG.


      Terminal Line Security for PAD Connections

      Contents

      Terminal Line Security for PAD Connections

      This document describes the Terminal Line Security for PAD Connections feature. The Terminal Line Security for PAD Connections feature allows a CUG service to be configured on terminal lines, enabling terminal lines to participate in X.25 CUG security for packet assembler/disassembler (PAD) connections.

      Finding Feature Information

      Your software release may not support all the features documented in this module. For the latest caveats and feature information, see Bug Search Tool and the release notes for your platform and software release. To find information about the features documented in this module, and to see a list of the releases in which each feature is supported, see the feature information table at the end of this module.

      Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to www.cisco.com/​go/​cfn. An account on Cisco.com is not required.

      Prerequisites for Terminal Line Security for PAD Connections

      The tasks in this document assume a basic understanding of the X.25 CUG service and how it works.

      Restrictions for Terminal Line Security for PAD Connections

      The CUG selection facility suppression options are not available for terminal lines because incoming PAD calls are terminated by the terminal line.

      Information About Terminal Line Security for PAD Connections

      X.25 closed user group (CUG) service is a network service that allows subscribers to be segregated into private subnetworks with limited outgoing and incoming access. A data terminal equipment (DTE) device becomes a member of a CUG by subscription; the DTE must obtain membership from its network service for the set of CUGs to which it needs access.

      The Terminal Line Security for PAD Connections feature allows a CUG service to be configured on terminal lines, enabling terminal lines to participate in X.25 CUG security for packet assembler/disassembler (PAD) connections. A CUG service can be applied to console lines, auxiliary lines, and tty and vty devices. Configuring a CUG service on terminal lines allows you to specify CUG protection for lines that are part of the point of presence (POP). Before the introduction of this feature, a CUG service could be configured only on X.25 synchronous data communications equipment (DCE) interfaces.

      A line configured for CUG service will apply CUG security to PAD, X.28 mode, and protocol translation sessions. The Terminal Line Security for PAD Connections feature ensures that CUG protection is applied to incoming calls destined for the terminal line and call requests specified from the line. This feature also supports the signaling of the CUG selection facility in call requests that originated on the line and incoming calls received on an X.25 service that are terminated by the line.

      Figure 1 shows a typical topology in which CUG service would be configured on asynchronous terminal lines.

      Figure 1. Network Topology with Asynchronous Lines Configured for CUG Service

      Security Considerations


      Caution


      X.25 CUG security relies on the correct, complementary configuration of CUG sets at all the boundaries between customer premises equipment (CPE) and POPs. Any POP that is connected to a CPE device that is not configured for CUG security has compromised the X.25 network security because that CPE device will be a considered a trusted host, even though it is not secure.


      PAD Call Behavior When a Line Is Configured for CUG Subscription

      This section describes the overall behavior of PAD-initiated calls when a terminal line or an X.25 interface is configured for CUG subscription.

      The x25 map pad and x25 facility cug commands can be used to cause a CUG selection facility to be encoded in calls placed within the networks. The following rules describe which CUG selection facility is encoded in the call:

      • A call initiated using the pad command or in X.28 mode without a CUG subscription set encodes the interface CUG selection facility, if one was specified.
      • A call initiated using the pad command with the /use-map option encodes the CUG selection facility for the matching map entry, if one was specified.
      • A call initiated in X.28 mode with a specified CUG encodes the specified X.28 CUG.

      PAD Call Behavior When Only the Line is Configured for CUG Service

      This section describes PAD call behavior when only the line is configured for CUG service.

      Configuration A

      In the following example, a line is configured for CUG subscription, and the interface on which the resulting call is to be placed is configured with the x25 facility cug and x25 map pad commands. CUG subscription is not configured on the interface.

      interface Serial1
       encapsulation x25 dce
       x25 facility cug 99
       x25 map pad 1221 cug 10 no-outgoing
       x25 map pad 1222 cug 99
       x25 map pad 1234 cug 10
      !
      line tty 1
       x25 subscribe cug-service
       x25 subscribe local-cug 99 network-cug 9999 preferential
       x25 subscribe local-cug 10 network-cug 100
       x25 subscribe local-cug 20 network-cug 200
      !
      [...]
      !
      x25 route ^12..$ interface Serial1
      [...]
      

      When the line initiates an X.28 mode or PAD call without a CUG subscription set, the line will decode the interface’s CUG selection facility, and the network will encode the line’s signaled CUG selection facility. The x25 facility cug command implicitly identifies the local CUG to use for PAD-originated calls.

      The table below shows the CUG value sent when a line initiates a PAD or an X.28 mode call without a CUG subscription set.

      Table 1 CUG Value Sent for Line-Initiated Calls Without a CUG Subscription

      User Command

      Result

      pad 1234

      Call 1234, CUG 9999 sent on Serial 1.

      *1234

      Call 1234, CUG 9999 sent on Serial 1.

      Using configuration A, if a call is initiated on a line using the pad command with the /use-map option, the line will decode the matching map entry’s CUG, and the network will encode the line’s signaled CUG selection facility. The map’s CUG identifies the local CUG to use for PAD-originated calls and overrides the interface's CUG selection facility on a per-call basis.

      If the pad command is used with the /use-map option, the interface on which the resulting call is to be placed must have a matching X.25 map statement for the PAD call and must permit outgoing calls. Any CUG specified in the map statement must identify the local CUG ID to be used for generating the call.

      The table below shows the values sent when a line initiates a PAD call with the /use-map option.

      Table 2 CUG Value Sent for Line-Initiated PAD Calls Initiated with the /use-mapOption

      User Command

      Result

      pad 1234 /use-map

      Call 1234, CUG 100 sent on Serial 1.

      pad 1221 /use-map

      Call is cleared, outgoing calls are barred.

      pad 1255 /use-map

      Call is cleared (no matching map found on Serial 1).

      Using configuration A, if an X.28 mode call specifies a CUG, the line will decode the specified CUG, and the network will encode the line's signaled CUG selection facility. The X.28 mode commands do not use X.25 map statements when originating calls.

      The table below shows the CUG value sent when a line initiates a call using an X.28 interface with CUG specified.

      Table 3 CUG Value Sent for Line-Initiated Calls Using an X.28 Mode with CUG Specified

      User Command

      Result

      *g10-1234

      Call 1234, CUG 100 sent on Serial 1.

      PAD Call Behavior When Both a Line and an Interface Are Configured for CUG Service

      This section describes PAD call behavior when a line and an interface are both configured for CUG service.

      Configuration B

      In the following example a line and an interface are configured for CUG subscription:

      interface Serial1
       encapsulation x25 dce
        x25 subscribe cug-service
       x25 subscribe local-cug 5599 network-cug 9999 preferential
       x25 subscribe local-cug 5510 network-cug 100
       x25 subscribe local-cug 5520 network-cug 200
       x25 facility cug 99
       x25 map pad 1234 cug 10
       x25 map pad 1221 cug 10 no-outgoing
       x25 map pad 1222 cug 99
      !
      line tty 1
       x25 subscribe cug-service
       x25 subscribe local-cug 10 network-cug 100
       x25 subscribe local-cug 20 network-cug 200
       x25 subscribe local-cug 99 network-cug 9999 preferential
      !
      [...]
      !
      x25 route ^12..$ interface Serial1
      [...]
      

      The table below shows examples of line-initiated PAD commands and the CUG values sent when the terminal line and the X.25 interface are both configured for CUG subscription.

      Table 4 CUG Values Sent for Line-Initiated Calls When the Line and Interface Are Configured for CUG Subscription

      User Command

      Result

      pad 1234

      Call 1234, CUG 5599 sent on Serial 1.

      pad 1221

      Call 1221, CUG 5599 sent on Serial 1.

      pad 1222

      Call 1222, CUG 5599 sent on Serial 1.

      pad 1234 /use-map

      Call 1234, CUG 5510 send on Serial 1.

      pad 1221 /use-map

      Call is cleared, outgoing calls are barred

      pad 1222 /use-map

      Call 1222, CUG 5599 sent on Serial 1

      Benefits

      Before the introduction of this feature, CUG functionality required all CPE devices to be attached to the router at an X.25 synchronous DCE interface. The Terminal Line Security for PAD Connections feature extends the existing X.25 CUG functionality to terminal lines, allowing PAD access devices (console lines, auxiliary lines, and tty and vty devices) to be configured for CUG security enforcement.

      How to Configure Terminal Line Security for PAD Connections

      Configuring X.25 CUG Support on Terminal Lines

      To configure X.25 CUG support on terminal lines, use the following commands beginning in global configuration mode:

      SUMMARY STEPS

        1.    Router(config)# line [aux | console | tty | vty] line-number [ending-line-number]

        2.    Router(config-line)# x25 subscribe cug-service [incoming-access | outgoing-access]

        3.    Router(config-line)# x25 subscribe local-cug number network-cug number [no-incoming | no-outgoing | preferential


      DETAILED STEPS
         Command or Action / Purpose
        Step 1 Router(config)# line [aux | console | tty | vty] line-number [ending-line-number] 

        Identifies a specific line or range of lines for configuration and enters line configuration mode.

         
        Step 2 Router(config-line)# x25 subscribe cug-service [incoming-access | outgoing-access] 

        Enables and controls standard CUG behavior. CUG protection will be applied to PAD calls destined for and originated on the line.

        Note   

        The CUG selection facility suppression option is not available for terminal lines because incoming PAD calls are terminated by the line.

         
        Step 3 Router(config-line)# x25 subscribe local-cug number network-cug number [no-incoming | no-outgoing | preferential]

        Configures subscription to a specific CUG and maps the desired local CUG number to its corresponding network CUG.

        This command can be entered as many times as needed to configure the access needs of a line.

         

        Verifying X.25 CUG Support on Terminal Lines

        To verify support for X.25 CUG service on terminal lines, perform the following steps:

        SUMMARY STEPS

          1.    Enter the show running-config command to verify that the configuration is correct.

          2.    Enter the show line command to display the configured CUG capability in the Capabilities field.

          3.    Enter the show x25 cug command with the local-cug keyword to display information about all local CUGs configured on the router.

          4.    Enter the show x25 cug command with the network-cug keyword to display information about all network CUGs configured on the router. The following sample output displays the local CUGs associated with network CUG 10:


        DETAILED STEPS
          Step 1   Enter the show running-config command to verify that the configuration is correct.
          Step 2   Enter the show line command to display the configured CUG capability in the Capabilities field:

          Example:
          Router# show line vty 2
          Tty Typ     Tx/Rx    A Modem  Roty AccO AccI   Uses   Noise  Overruns   Int
             132 VTY              -    -      -    -    -      0       0     0/0       -
          Line 132, Location: "", Type: ""
          Length: 24 lines, Width: 80 columns
          Baud rate (TX/RX) is 9600/9600
          Status: No Exit Banner
          Capabilities: CUG Security Enabled
          Modem state: Idle
          Group codes:    0
          Special Chars: Escape  Hold  Stop  Start  Disconnect  Activation
                          ^^x    none   -     -       none         
          Timeouts:      Idle EXEC    Idle Session   Modem Answer  Session   Dispatch
                         00:10:00        never                        none    not set
                                      Idle Session Disconnect Warning
                                        never 
                                      Login-sequence User Response
                                       00:00:30
                                      Autoselect Initial Wait
                                        not set
          Modem type is unknown.
          Session limit is not set.
          .
          .
          .
          
          Step 3   Enter the show x25 cug command with the local-cug keyword to display information about all local CUGs configured on the router:

          Example:
          Router# show x25 cug local-cug
          X.25 Serial1/1, 3 CUGs subscribed with no public access
            local-cug 99 <-> network-cug 9999, no-incoming, preferential
            local-cug 100 <-> network-cug 1000 
            local-cug 101 <-> network-cug 1001 
          PROFILE cugs, 2 CUGs subscribed with with incoming public access
            local-cug 1 <-> network-cug 10, no-outgoing
            local-cug 2 <-> network-cug 20, no-incoming, preferential
          Line: 129 aux 0  , 1 CUGs subscribed with outgoing public access
            local-cug 1 <-> network-cug 10 
          Line: 130 vty 0  , 4 CUGs subscribed with incoming and outgoing public access
            local-cug 1 <-> network-cug 10 
            local-cug 50 <-> network-cug 5, preferential
            local-cug 60 <-> network-cug 6, no-incoming
            local-cug 70 <-> network-cug 7, no-outgoing
          Line: 131 vty 1   , 1 CUGs subscribed with no public access
            local-cug 1 <-> network-cug 10 
          
          Step 4   Enter the show x25 cug command with the network-cug keyword to display information about all network CUGs configured on the router. The following sample output displays the local CUGs associated with network CUG 10:

          Example:
          Router# show x25 cug network-cug 10
          PROFILE cugs, 2 CUGs subscribed with no public access
            network-cug 10 <-> local-cug 1 , no-outgoing
          Line: 129 aux 0   , 1 CUGs subscribed with no public access
            network-cug 10 <-> local-cug 1 
          Line: 130 vty 0   , 4 CUGs subscribed with incoming and outgoing public access
            network-cug 10 <-> local-cug 1 
          Line: 131 vty 1   , 1 CUGs subscribed with no public access
            network-cug 10 <-> local-cug 1
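
          The check in Step 3 can also be scripted. The following is an added example, not Cisco code: it parses show x25 cug local-cug output (sample abridged from Step 3) and lists every entity that permits open-network access, plus any entity that has several CUGs, no public access and no preferential CUG (the rule stated in the Glossary). The function names parse_cug_output and audit are assumptions made for this example.

```python
import re

# Abridged from the Step 3 sample output on this page (show x25 cug local-cug).
SAMPLE = """\
X.25 Serial1/1, 3 CUGs subscribed with no public access
  local-cug 99 <-> network-cug 9999, no-incoming, preferential
  local-cug 100 <-> network-cug 1000
  local-cug 101 <-> network-cug 1001
PROFILE cugs, 2 CUGs subscribed with with incoming public access
  local-cug 1 <-> network-cug 10, no-outgoing
  local-cug 2 <-> network-cug 20, no-incoming, preferential
Line: 130 vty 0  , 4 CUGs subscribed with incoming and outgoing public access
  local-cug 1 <-> network-cug 10
  local-cug 50 <-> network-cug 5, preferential
  local-cug 60 <-> network-cug 6, no-incoming
  local-cug 70 <-> network-cug 7, no-outgoing
Line: 131 vty 1   , 1 CUGs subscribed with no public access
  local-cug 1 <-> network-cug 10
"""

HEADER = re.compile(r"^(\S.*?)\s*, (\d+) CUGs subscribed (?:with )+(.+?) public access\s*$")
MAPPING = re.compile(r"^\s+local-cug (\d+) <-> network-cug (\d+)\s*(?:,\s*(.*))?$")

def parse_cug_output(text):
    """Return {entity: {"public": set of directions, "cugs": [(local, network, options)]}}."""
    entities, current = {}, None
    for line in text.splitlines():
        h = HEADER.match(line)
        if h:  # interface, profile or line header: starts a new entity
            public = set() if h.group(3) == "no" else set(h.group(3).split(" and "))
            current = entities.setdefault(h.group(1), {"public": public, "cugs": []})
            continue
        m = MAPPING.match(line)
        if m and current is not None:  # indented local-cug <-> network-cug mapping
            opts = {o.strip() for o in (m.group(3) or "").split(",") if o.strip()}
            current["cugs"].append((int(m.group(1)), int(m.group(2)), opts))
    return entities

def audit(entities):
    """List (entity, finding) pairs: open-network access and a missing preferential CUG."""
    findings = []
    for name, e in entities.items():
        for direction in sorted(e["public"]):
            findings.append((name, f"{direction} public access"))
        has_pref = any("preferential" in opts for _, _, opts in e["cugs"])
        if not e["public"] and len(e["cugs"]) > 1 and not has_pref:
            findings.append((name, "no preferential CUG"))
    return findings

FINDINGS = audit(parse_cug_output(SAMPLE))
```

          FINDINGS holds one entry per direction of public access, so a line with incoming and outgoing access appears twice.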

          Monitoring and Maintaining X.25 CUG Support on Terminal Lines

          To monitor and maintain X.25 CUG support on terminal lines, use the following command in privileged EXEC mode:

          Command               Purpose
          Router# debug pad     Displays debug messages for all PAD connections.

          Configuration Examples for Terminal Line Security for PAD Connections

          Configuring X.25 CUG Support on Terminal Lines Example

          The following example shows the configuration of CUG behavior on asynchronous line 1 and virtual terminal lines 0 to 9. The user of async line 1 has only outgoing access to CPE that is subscribed to the corporate CUG designated for finance (CUG 1101) but can receive calls from those same CUG members or from the open network (that is, calls from a network X.25-class service that are destined for the line and have no CUG restriction).

          The users of virtual terminal lines 0 to 9 have access only within the corporate CUGs designated for engineering (CUGs 1102 or 1103). Any call from a network X.25-class service destined for the line will be refused unless the inbound POP validates it as a member of one of those two CUGs.

          line 1
           location Company A. Finance Connection
           x25 subscribe cug-service incoming-access
           x25 subscribe local-cug 1 network-cug 1101 preferential
          !
          line vty 0 9
           location Company A. Engineering Access
           x25 subscribe cug-service
           x25 subscribe local-cug 2 network-cug 1102 preferential
           x25 subscribe local-cug 3 network-cug 1103
          !

          Feature Information for Terminal Line Security for PAD Connections

          The following table provides release information about the feature or features described in this module. This table lists only the software release that introduced support for a given feature in a given software release train. Unless noted otherwise, subsequent releases of that software release train also support that feature.

          Table 5 Feature Information for Terminal Line Security for PAD Connections

          Feature Name: Terminal Line Security for PAD Connections

          Releases: 12.2(13)T

          Feature Information: The Terminal Line Security for PAD Connections feature allows a CUG service to be configured on terminal lines, enabling terminal lines to participate in X.25 CUG security for packet assembler/disassembler (PAD) connections.

          The following commands were introduced or modified: debug pad, show line, show x25 cug, x25 subscribe cug-service, x25 subscribe local-cug.

          Glossary

          call request --An X.25 call packet sent from a DTE to a DCE that initiates a connection to a destination DTE.

          closed user group selection facility --A specific encoding element that can be presented in a call request or incoming call. A CUG selection facility in a call request allows the source DTE to identify the CUG within which it is placing the call. A CUG selection facility in an incoming call allows the destination DTE to identify the CUG to which both DTEs belong.

          CPE --customer premises equipment. Terminating equipment, such as terminals, telephones, and modems, supplied by the telephone company, installed at customer sites, and connected to the telephone company network. This equipment is available for customer modification and is considered insecure by the network.

          CUG --closed user group. A collection of DTE devices for which the network controls access among members and between members and nonmembers. A DTE may subscribe to zero, one, or more CUGs. A DTE that does not subscribe to a CUG is referred to as being in the open part of the network.

          DCE --data communications equipment. A network connection where a subscriber can be attached. A DCE is configured with the operational details for which a given subscriber (DTE) has contracted.

          DTE --data terminal equipment. A network subscriber that can be reached at a specific network attachment point. A network identifies each DTE device by assigning an X.121 address.

          incoming call --An X.25 call packet sent from a DCE to a DTE that presents a connection requested by the source DTE.

          PAD --packet assembler/disassembler. Device used to connect simple devices (like character-mode terminals) that do not support the full functionality of a particular protocol to a network. PADs buffer data and assemble and disassemble packets sent to such end devices.

          POP --point of presence. In the context of a public data network, a POP is the part of the network to which CPE is attached. A POP is configured and controlled by the public network and serves as the boundary equipment between the trusted network and insecure client attachments.

          preferential closed user group --The CUG that is assumed when a CUG is not specified in call setup. A DTE that subscribes to more than one CUG and does not have incoming or outgoing access must designate a preferred CUG.