
H3C Technologies H3C MSR 50 User Manual

Page 402


Item Description

Mandatory CHAP

Configure user authentication on an LNS.

You can configure an LNS to authenticate a user who has passed authentication on the LAC to increase security. In this case, an L2TP tunnel can be set up only when both of the authentications succeed. An LNS can authenticate users in the following ways:

• Mandatory CHAP authentication—A VPN user who depends on a NAS to initiate tunneling requests is authenticated twice, once when accessing the NAS and once on the LNS by using CHAP.

• LCP re-negotiation—A PPP user who depends on a NAS to initiate tunneling requests first performs PPP negotiation with the NAS. If the negotiation succeeds, the NAS initiates an L2TP tunneling request and sends the user authentication information to the LNS. The LNS then determines whether the user is valid according to the user authentication information received. Under some circumstances (for example, when authentication and accounting are required on the LNS), another round of LCP negotiation is required between the LNS and the user. In this case, the user authentication information from the NAS is ignored.

• Proxy authentication—If neither LCP re-negotiation nor mandatory CHAP authentication is configured, an LNS performs proxy authentication of users. In this case, the LAC sends to the LNS all authentication information from users and the authentication mode configured on the LAC itself.

IMPORTANT:

• Among these three authentication methods, LCP re-negotiation has the highest priority. If both LCP re-negotiation and mandatory CHAP authentication are configured, the LNS uses LCP re-negotiation and the PPP authentication method configured in the L2TP group.

• With LCP re-negotiation, if no PPP authentication method is configured in the L2TP group, the LNS will not re-authenticate users. It will assign public addresses to the PPP users immediately. In other words, the users are authenticated only once at the LAC end.

• Some PPP clients might not support re-authentication, in which case LNS-side CHAP authentication will fail.

• When the LNS uses proxy authentication and the user authentication information received from the LAC is valid, if the authentication method configured in the L2TP group is PAP, the proxy authentication succeeds and a session can be established for the user. If the authentication method configured in the L2TP group is CHAP but that configured on the LAC is PAP, the proxy authentication fails and no session can be set up. This is because the level of CHAP authentication, which is required by the LNS, is higher than that of PAP authentication, which the LAC provides.

Mandatory LCP
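
The precedence rules above can be written as a small decision function for reviewing LNS settings and spotting combinations in which the user is never authenticated a second time. This is an added example, not H3C code: the function, field and sample names are hypothetical, user credentials are assumed valid, proxy authentication is treated as adding no second authentication exchange, and the CHAP-on-both-sides proxy case is inferred from the stated PAP/CHAP ranking.

```python
from typing import NamedTuple, Optional
LEVEL = {"pap": 1, "chap": 2}  # the page ranks CHAP above PAP

class Result(NamedTuple):
    mode: str          # LNS-side method that takes effect
    session: str       # "yes", "no", or "not stated" when the page is silent
    second_auth: bool  # True if the user authenticates again with the LNS
    note: str

def lns_auth(mandatory_lcp: bool, mandatory_chap: bool, group_auth: Optional[str],
             lac_auth: str, client_reauth: bool = True) -> Result:
    """Hypothetical model of the rules above; credentials are assumed valid."""
    if mandatory_lcp:  # highest priority, wins even if mandatory CHAP is set
        if group_auth is None:
            return Result("lcp-renegotiation", "yes", False,
                          "no PPP auth in L2TP group: checked only at the LAC")
        return Result("lcp-renegotiation", "yes", True,
                      f"LNS re-authenticates with {group_auth}; NAS info ignored")
    if mandatory_chap:
        if not client_reauth:  # the page states this only for LNS-side CHAP
            return Result("mandatory-chap", "no", True,
                          "client does not support re-authentication")
        return Result("mandatory-chap", "yes", True,
                      "authenticated at the NAS, then by CHAP on the LNS")
    # Neither is configured: proxy authentication on LAC-forwarded information.
    if group_auth is None:
        return Result("proxy", "not stated", False, "case not covered by the page")
    if LEVEL[lac_auth] < LEVEL[group_auth]:
        return Result("proxy", "no", False,
                      "LAC method is weaker than the L2TP group requires")
    # CHAP on both sides is inferred from the ranking, not stated on the page.
    return Result("proxy", "yes", False, "LAC-forwarded authentication accepted")

def review(configs):
    """Return names of configs that get a session without a second authentication."""
    return [name for name, args in configs.items()
            if (r := lns_auth(*args)).session == "yes" and not r.second_auth]

# Constructed sample settings: (mandatory_lcp, mandatory_chap, group_auth, lac_auth)
SAMPLES = {
    "both-set": (True, True, "chap", "pap"),
    "lcp-no-auth": (True, False, None, "chap"),
    "chap-only": (False, True, "chap", "pap"),
    "proxy-pap": (False, False, "pap", "chap"),
    "proxy-mismatch": (False, False, "chap", "pap"),
}

if __name__ == "__main__":
    print("single authentication only:", review(SAMPLES))
```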
