H3C Technologies H3C SecPath F1000-E User Manual
Item Description
Mandatory CHAP
Specify user authentication on the LNS end.
After the LAC authenticates the client, the LNS may re-authenticate the client for higher security. In this case, only when both authentications succeed can an L2TP tunnel be set up. On an L2TP network, an LNS authenticates users in three ways: mandatory CHAP authentication, LCP re-negotiation, and proxy authentication.
• Mandatory CHAP authentication: With mandatory CHAP authentication configured, a VPN user that depends on a NAS to initiate tunneling requests is authenticated twice: once when accessing the NAS and once on the LNS by using CHAP.
• LCP re-negotiation: For a PPP user that depends on a NAS to initiate tunneling requests, the user first performs PPP negotiation with the NAS. If the negotiation succeeds, the NAS initiates an L2TP tunneling request and sends the user’s authentication information to the LNS. The LNS then determines whether the user is valid according to the user authentication information received. Under some circumstances (for example, when authentication and accounting are required on the LNS), another round of Link Control Protocol (LCP) negotiation is required between the LNS and the user. In this case, the user authentication information from the NAS will be neglected.
• Proxy authentication: If neither LCP re-negotiation nor mandatory CHAP authentication is configured, an LNS performs proxy authentication of users. In this case, the LAC sends to the LNS all authentication information from users as well as the authentication mode configured on the LAC itself.
IMPORTANT:
• Among these three authentication methods, LCP re-negotiation has the highest priority. If both LCP re-negotiation and mandatory CHAP authentication are configured, the LNS uses LCP re-negotiation and the PPP authentication method configured in the L2TP group.
• Some PPP clients may not support re-authentication, in which case LNS-side CHAP authentication will fail.
• With LCP re-negotiation, if no PPP authentication method is configured in the L2TP group, the LNS will not re-authenticate users; it will assign public addresses to the PPP users immediately. In other words, the users are authenticated only once, at the LAC end.
• When the LNS uses proxy authentication and the user authentication information passed from the LAC to the LNS is valid: if the authentication method configured in the L2TP group is PAP, the proxy authentication succeeds and a session can be established for the user; if the authentication method configured in the L2TP group is CHAP but the method configured on the LAC is PAP, the proxy authentication will fail and no session can be set up. This is because the level of CHAP authentication, which is required by the LNS, is higher than that of PAP authentication, which the LAC provides.
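The priority and outcome rules above interact in ways that are easy to misread when planning an LNS configuration. The following Python model is an added example written for this page; it is not H3C code and does not talk to a device. It encodes the manual's rules as a decision function so that a given combination of LNS settings and LAC-side facts can be checked. The class and field names (LnsConfig, Session, Outcome, lns_authenticate) are invented for the example; the numeric ranking in AUTH_LEVEL only expresses the manual's statement that CHAP outranks PAP; and two behaviours the manual does not spell out are assumptions flagged in comments: proxy authentication with CHAP on both the L2TP group and the LAC is treated as succeeding (following the manual's "level" reasoning), and a group with no PPP authentication method imposes no minimum level in proxy mode.

```python
"""Decision model of the three LNS authentication paths described in the
manual (mandatory CHAP, LCP re-negotiation, proxy authentication).
Constructed example, not H3C code; it only encodes the stated rules."""
from dataclasses import dataclass
from typing import Optional

# CHAP outranks PAP per the manual; the numbers are an assumption used
# only to express that comparison.
AUTH_LEVEL = {"pap": 1, "chap": 2}


@dataclass
class LnsConfig:
    lcp_renegotiation: bool           # "Mandatory LCP" configured on the LNS
    mandatory_chap: bool              # "Mandatory CHAP" configured on the LNS
    group_auth_method: Optional[str]  # PPP auth method in the L2TP group, or None


@dataclass
class Session:
    lac_auth_method: str           # auth mode the LAC used and reports to the LNS
    lac_credentials_valid: bool    # result of the LAC-side (NAS) authentication
    lns_credentials_valid: bool    # result if the LNS authenticates the user itself
    client_supports_reauth: bool   # some PPP clients cannot be re-authenticated


@dataclass
class Outcome:
    method: str                # which of the three LNS methods applied
    authenticated_twice: bool  # was the user challenged a second time on the LNS
    session_up: bool           # can an L2TP session be established
    reason: str


def lns_authenticate(cfg: LnsConfig, s: Session) -> Outcome:
    # The LAC authenticates first; a tunnel needs that result to be good.
    if not s.lac_credentials_valid:
        return Outcome("none", False, False, "LAC authentication failed")

    # LCP re-negotiation has the highest priority of the three methods.
    if cfg.lcp_renegotiation:
        if cfg.group_auth_method is None:
            # No PPP auth method in the group: the LNS does not re-authenticate;
            # the user is authenticated only once, at the LAC end.
            return Outcome("lcp-renegotiation", False, True,
                           "no PPP auth method in L2TP group; LAC result accepted")
        # The NAS-supplied information is neglected; the LNS re-negotiates LCP
        # and authenticates with the method configured in the L2TP group.
        ok = s.client_supports_reauth and s.lns_credentials_valid
        return Outcome("lcp-renegotiation", True, ok,
                       f"re-authenticated with {cfg.group_auth_method}" if ok
                       else "re-authentication failed")

    if cfg.mandatory_chap:
        # Authenticated twice: once at the NAS, once on the LNS using CHAP.
        if not s.client_supports_reauth:
            return Outcome("mandatory-chap", True, False,
                           "PPP client does not support re-authentication")
        return Outcome("mandatory-chap", True, s.lns_credentials_valid,
                       "LNS CHAP " + ("succeeded" if s.lns_credentials_valid else "failed"))

    # Neither configured: proxy authentication. The LAC forwards the user's
    # authentication information together with the auth mode it used.
    # Assumption: a group with no PPP auth method imposes no minimum level.
    required_level = AUTH_LEVEL[cfg.group_auth_method] if cfg.group_auth_method else 0
    if required_level > AUTH_LEVEL[s.lac_auth_method]:
        return Outcome("proxy", False, False,
                       f"LNS requires {cfg.group_auth_method} but LAC provided {s.lac_auth_method}")
    # Includes the CHAP/CHAP case, assumed to succeed by the same level reasoning.
    return Outcome("proxy", False, True,
                   f"LAC {s.lac_auth_method} result accepted for group method {cfg.group_auth_method}")


if __name__ == "__main__":
    # Constructed scenarios illustrating each rule from the manual.
    scenarios = [
        ("both configured, group CHAP", LnsConfig(True, True, "chap"), Session("pap", True, True, True)),
        ("LCP reneg, no group method", LnsConfig(True, False, None), Session("pap", True, False, False)),
        ("mandatory CHAP, no reauth",   LnsConfig(False, True, "chap"), Session("pap", True, True, False)),
        ("proxy, group PAP",            LnsConfig(False, False, "pap"), Session("pap", True, False, True)),
        ("proxy, group CHAP, LAC PAP",  LnsConfig(False, False, "chap"), Session("pap", True, True, True)),
    ]
    for name, cfg, sess in scenarios:
        o = lns_authenticate(cfg, sess)
        print(f"{name:28s} -> {o.method:17s} twice={o.authenticated_twice!s:5s} up={o.session_up!s:5s} {o.reason}")
```

Running the block prints one line per scenario; the decision function is what to reuse when reasoning about a planned L2TP group configuration, for example to confirm that enabling LCP re-negotiation without a PPP authentication method in the group silently reduces the user to a single authentication at the LAC.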
Mandatory LCP