Configuring mandatory chap authentication, Configuring lcp re-negotiation – H3C Technologies H3C SecPath F1000-E User Manual
Page 47
virtual template interface is PAP. If the authentication type configured on the virtual template interface is CHAP but the LAC authenticated the user with PAP, proxy authentication fails and no session is set up, because the CHAP authentication the LNS requires is a stronger authentication type than the PAP authentication the LAC performed. With proxy authentication the LNS does not verify the user's credentials itself; it only checks the authentication result and type that the LAC reports.
• Mandatory CHAP authentication: The LNS uses CHAP authentication to re-authenticate users who have already passed authentication on the LAC.
• LCP re-negotiation: The LNS ignores the proxy authentication information from the LAC and performs a new round of LCP negotiation with the user.
The three authentication methods above have different priorities: LCP re-negotiation has the highest priority and proxy authentication the lowest. Which method the LNS uses depends on your configuration:
• If you configure both LCP re-negotiation and mandatory CHAP authentication, the LNS uses LCP re-negotiation.
• If you configure only mandatory CHAP authentication, the LNS performs CHAP authentication of users.
• If you configure neither LCP re-negotiation nor mandatory CHAP authentication, the LNS uses the LAC for proxy authentication of users.
Configuring mandatory CHAP authentication
With mandatory CHAP authentication configured, a VPN user that depends on a NAS (the LAC) to initiate tunneling requests is authenticated twice: once by the NAS and once through CHAP on the LNS. The second exchange uses a fresh challenge issued by the LNS, so the LNS does not rely on the authentication result forwarded by the LAC.
Follow these steps to configure mandatory CHAP authentication:
To do…                                    Use the command…            Remarks
Enter system view                         system-view                 —
Enter L2TP group view                     l2tp-group group-number     —
Configure mandatory CHAP authentication   mandatory-chap              Required. By default, CHAP authentication is not performed on an LNS.
NOTE:
Some PPP clients do not support re-authentication. For such clients, CHAP authentication on the LNS side fails.
Configuring LCP re-negotiation
In an NAS-initiated dial-up VPDN, a user first negotiates with the NAS at the start of a PPP session. If the
negotiation succeeds, the NAS initiates an L2TP tunneling request and sends user information to the LNS.
The LNS then determines whether the user is valid according to the proxy authentication information
received.
Under some circumstances, for example, when there is a need to perform authentication and accounting
on the LNS, a new round of Link Control Protocol (LCP) negotiation is required between the LNS and the
user, and the LNS authenticates the user by using the authentication method configured on the
corresponding virtual template interface.
If you enable LCP re-negotiation but configure no authentication for the corresponding virtual template interface, the LNS does not perform an additional authentication of users. Instead, the LNS directly allocates addresses from the global address pool to PPP users authenticated by the LAC. LCP re-negotiation is therefore only an additional security control when an authentication mode is also configured on that virtual template interface; on its own it merely discards the LAC's proxy information.
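The following Python model is an added example, not H3C code and not part of this manual. It encodes the decision rules stated above: the method priority (LCP re-negotiation over mandatory CHAP over proxy authentication), the rule that proxy authentication fails when the virtual template interface requires CHAP but the LAC used PAP, and the caveat that LCP re-negotiation without an authentication mode on the virtual template performs no second authentication. The attribute names (`lcp_renegotiation`, `mandatory_chap`, `vt_auth`) are assumptions chosen for the model and stand for the L2TP group and virtual template settings; the strength ranking NONE < PAP < CHAP generalises the CHAP-versus-PAP case the manual gives. The CHAP arithmetic is the standard RFC 1994 MD5 computation and shows why a mandatory CHAP re-authentication on the LNS cannot be satisfied by a result forwarded from the LAC: the response depends on a challenge the LNS itself issues.

```python
"""LNS authentication-method selection for L2TP, modelled after the manual text.
Added example (not H3C code). Names of config fields are assumptions."""
import hashlib
import hmac
import os
from dataclasses import dataclass
from enum import Enum


class Auth(Enum):
    NONE = 0   # no authentication configured on the virtual template
    PAP = 1    # password sent in cleartext
    CHAP = 2   # challenge/response; password itself never sent


class Method(Enum):
    PROXY = "proxy authentication (trust the LAC result)"
    MANDATORY_CHAP = "mandatory CHAP re-authentication on the LNS"
    LCP_RENEGOTIATION = "LCP re-negotiation with the user"


@dataclass
class LnsConfig:
    lcp_renegotiation: bool = False  # assumed name for the LCP re-negotiation setting
    mandatory_chap: bool = False     # corresponds to 'mandatory-chap' in L2TP group view
    vt_auth: Auth = Auth.NONE        # authentication type on the virtual template interface


def select_method(cfg: LnsConfig) -> Method:
    """Priority exactly as the manual states: LCP re-negotiation > mandatory CHAP > proxy."""
    if cfg.lcp_renegotiation:
        return Method.LCP_RENEGOTIATION
    if cfg.mandatory_chap:
        return Method.MANDATORY_CHAP
    return Method.PROXY


def lns_outcome(cfg: LnsConfig, lac_auth: Auth) -> str:
    """Outcome for a user the LAC already authenticated with lac_auth."""
    method = select_method(cfg)
    if method is Method.PROXY:
        # Manual: VT CHAP but LAC PAP -> proxy authentication fails.
        # Generalised here as 'LNS requires a stronger type than the LAC used'.
        if cfg.vt_auth.value > lac_auth.value:
            return f"proxy auth failed: LNS requires {cfg.vt_auth.name}, LAC provided {lac_auth.name}"
        return f"session up via proxy authentication ({lac_auth.name} on LAC)"
    if method is Method.MANDATORY_CHAP:
        return "session up only if the user passes a fresh CHAP exchange with the LNS"
    # LCP re-negotiation: the LAC proxy information is discarded entirely.
    if cfg.vt_auth is Auth.NONE:
        return "no second authentication; address allocated to LAC-authenticated user"
    return f"fresh LCP negotiation, then {cfg.vt_auth.name} authentication on LNS"


def chap_response(ident: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 CHAP (MD5): Response = MD5(Identifier || secret || Challenge)."""
    return hashlib.md5(bytes([ident & 0xFF]) + secret + challenge).digest()


def lns_chap_verify(secret_db: dict, name: str, ident: int,
                    challenge: bytes, response: bytes) -> bool:
    """What the LNS does during mandatory CHAP re-authentication: recompute the
    response from its own copy of the secret and the challenge it issued."""
    secret = secret_db.get(name)
    if secret is None:
        return False
    return hmac.compare_digest(chap_response(ident, secret, challenge), response)


if __name__ == "__main__":
    cases = [
        ("proxy, VT PAP, LAC PAP", LnsConfig(vt_auth=Auth.PAP), Auth.PAP),
        ("proxy, VT CHAP, LAC PAP", LnsConfig(vt_auth=Auth.CHAP), Auth.PAP),
        ("mandatory-chap only", LnsConfig(mandatory_chap=True), Auth.PAP),
        ("LCP reneg + mandatory-chap", LnsConfig(True, True, Auth.CHAP), Auth.PAP),
        ("LCP reneg, no VT auth", LnsConfig(lcp_renegotiation=True), Auth.CHAP),
    ]
    for label, cfg, lac in cases:
        print(f"{label:28s} -> {select_method(cfg).name:18s} {lns_outcome(cfg, lac)}")

    # Constructed sample CHAP exchange: the LNS issues its own challenge.
    secrets = {"alice": b"s3cret-from-aaa"}
    ident, challenge = 7, os.urandom(16)
    resp = chap_response(ident, secrets["alice"], challenge)
    print("fresh exchange verifies:", lns_chap_verify(secrets, "alice", ident, challenge, resp))
    print("replay against new challenge:", lns_chap_verify(secrets, "alice", ident, os.urandom(16), resp))
```

Run the block directly to print the outcome table and a sample CHAP exchange; the replayed response fails against a new challenge, which is the property that makes the LNS-side re-authentication independent of whatever the LAC reported.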
Follow these steps to specify the LNS to perform LCP re-negotiation with users: