H3C Technologies H3C SecPath F1000-E User Manual
Figure 8 L2TP call setup procedure
[Figure: message sequence among the remote system (Host A), the LAC (Device A), the LAC RADIUS server, the LNS (Device B), and the LNS RADIUS server: (1) Call setup; (2) PPP LCP setup; (3) PAP or CHAP authentication; (4) Access request; (5) Access accept; (6) Tunnel setup; (7) CHAP authentication (challenge/response); (8) Authentication passes; (9) User CHAP response, PPP negotiation parameter; (10) Access request; (11) Access accept; (12) CHAP authentication twice (challenge/response); (13) Access request; (14) Access accept; (15) Authentication passes.]
The setup procedure of an L2TP call is as follows:
1. A remote user on Host A places a PPP call.
2. Host A and the LAC (Device A) perform PPP LCP negotiation.
3. The LAC authenticates the remote user using the Password Authentication Protocol (PAP) or Challenge Handshake Authentication Protocol (CHAP).
4. The LAC sends the authentication information (the username and password) to its RADIUS server for authentication.
5. The LAC RADIUS server authenticates the user.
6. If the user passes authentication, the LAC initiates a tunneling request to the LNS.
7. If tunnel authentication is required, the LAC sends a CHAP challenge to the LNS. The LNS returns a CHAP response and sends its CHAP challenge to the LAC. Accordingly, the LAC returns a CHAP response to the LNS.
8. The tunnel passes authentication.
9. The LAC sends the CHAP response, response identifier, and PPP negotiation parameters of the user to the LNS.
10. The LNS sends an access request to its RADIUS server for authentication.
11. The RADIUS server authenticates the access request and returns a response if the user passes authentication.
12. If the LNS is configured to perform a mandatory CHAP authentication for the user, the LNS sends a CHAP challenge to the user and the user returns a CHAP response.
13. The LNS resends the access request to its RADIUS server for authentication.
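
The mutual tunnel authentication of steps 7 and 8, as an added example (not taken from the H3C manual or from device code). It assumes the CHAP-style MD5 response that RFC 2661 defines for L2TP, where the ID octet is the message type of the control message carrying the response; the function names and secrets are constructed for illustration.

```python
import hashlib
import hmac
import os

# L2TP control message types used as the CHAP ID octet (RFC 2661).
SCCRP = 2  # Start-Control-Connection-Reply: carries the LNS's response
SCCCN = 3  # Start-Control-Connection-Connected: carries the LAC's response


def tunnel_response(msg_type: int, secret: bytes, challenge: bytes) -> bytes:
    """CHAP-style response: MD5(ID || shared secret || challenge)."""
    return hashlib.md5(bytes([msg_type]) + secret + challenge).digest()


def verify(msg_type: int, secret: bytes, challenge: bytes, response: bytes) -> bool:
    """Recompute the expected response and compare in constant time."""
    expected = tunnel_response(msg_type, secret, challenge)
    return hmac.compare_digest(expected, response)


def mutual_tunnel_auth(lac_secret: bytes, lns_secret: bytes) -> bool:
    """Run step 7 with each side using its own configured tunnel secret."""
    # LAC -> LNS: challenge sent with the tunnel request.
    lac_challenge = os.urandom(16)
    # LNS -> LAC: response to the LAC's challenge, plus the LNS's own challenge.
    lns_response = tunnel_response(SCCRP, lns_secret, lac_challenge)
    lns_challenge = os.urandom(16)
    if not verify(SCCRP, lac_secret, lac_challenge, lns_response):
        return False  # the LAC rejects the LNS; no tunnel is set up
    # LAC -> LNS: response to the LNS's challenge.
    lac_response = tunnel_response(SCCCN, lac_secret, lns_challenge)
    # Step 8: the tunnel passes authentication only if the LNS accepts too.
    return verify(SCCCN, lns_secret, lns_challenge, lac_response)


if __name__ == "__main__":
    # Constructed secrets: matching configuration, then a mismatch.
    print(mutual_tunnel_auth(b"constructed-secret", b"constructed-secret"))
    print(mutual_tunnel_auth(b"constructed-secret", b"different-secret"))
```

Because the ID octet differs per direction, a response computed for one message type does not verify as the other, even for the same challenge and secret.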