H3C Technologies H3C SecPath F1000-E User Manual

245

Item Description

Mandatory CHAP

Specify user authentication on the LNS end.
After the LAC authenticates the client, the LNS may re-authenticate

the client for higher security. In this case, only when both the
authentications succeed can an L2TP tunnel be set up. On an L2TP

network, an LNS authenticates users in three ways: mandatory

CHAP authentication, LCP re-negotiation, and proxy
authentication.

•

Mandatory CHAP authentication: With mandatory CHAP

authentication configured, a VPN user that depends on a NAS
to initiate tunneling requests is authenticated twice: once when

accessing the NAS and once on the LNS by using CHAP.

•

LCP re-negotiation: For a PPP user that depends on a NAS to

initiate tunneling requests, the user first performs PPP negotiation

with the NAS. If the negotiation succeeds, the NAS initiates an

L2TP tunneling request and sends the user’s authentication
information to the LNS. The LNS then determines whether the

user is valid according to the user authentication information

received. Under some circumstances (when authentication and

accounting are required on the LNS for example), another
round of Link Control Protocol (LCP) negotiation is required

between the LNS and the user. In this case, the user

authentication information from the NAS will be neglected.

•

Proxy authentication: If neither LCP re-negotiation nor

mandatory CHAP authentication is configured, an LNS

performs proxy authentication of users. In this case, the LAC
sends to the LNS all authentication information from users as

well as the authentication mode configured on the LAC itself.

IMPORTANT:

•

Among these three authentication methods, LCP re-negotiation

has the highest priority. If both LCP re-negotiation and
mandatory CHAP authentication are configured, the LNS uses

LCP re-negotiation and the PPP authentication method

configured in the L2TP group,

•

Some PPP clients may not support re-authentication, in which

case LNS side CHAP authentication will fail.

•

With LCP re-negotiation, if no PPP authentication method is

configured in the L2TP group, the LNS will not re-authenticate

users; it will assign public addresses to the PPP users

immediately. In other words, the users are authenticated only
once at the LAC end.

•

When the LNS uses proxy authentication and the user
authentication information passed from the LAC to the LNS is

valid: if the authentication method configured in the L2TP group

is PAP, the proxy authentication succeeds and a session can be

established for the user; if the authentication method configured
in the L2TP group is CHAP but that configured on the LAC is PAP,

the proxy authentication will fail and no session can be set up.

This is because the level of CHAP authentication, which is
required by the LNS, is higher than that of PAP authentication,

which the LAC provides.

Mandatory LCP