Configuring user authentication on an LNS – H3C Technologies H3C SecPath F1000-E User Manual

Step 1: Enter system view.
    Command: system-view
    Remarks: N/A

Step 2: Enter L2TP group view.
    Command: l2tp-group group-number
    Remarks: N/A

Step 3: Specify the virtual template interface for receiving calls, the tunnel name on the LAC, and the domain name.
    Command (if the L2TP group number is 1, the default):
        allow l2tp virtual-template virtual-template-number [ remote remote-name ] [ domain domain-name ]
    Command (if the L2TP group number is not 1):
        allow l2tp virtual-template virtual-template-number remote remote-name [ domain domain-name ]
    Remarks: Use either command. By default, an LNS denies all incoming calls. If the L2TP group number is 1, you do not need to specify the LAC side tunnel name. In L2TP group 1, the LNS allows the LAC to initiate a tunneling request by using any tunnel name.

NOTE:

The start l2tp command and the allow l2tp command are mutually exclusive. Configuring one of them automatically disables the other one.

The LAC side tunnel name configured on the LNS must be consistent with the local tunnel name configured on the LAC.
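The three steps above, carried through as a complete CLI session, as an added example rather than a configuration taken from the manual. Device name, interface numbers, the LAC tunnel name lac-branch and the domain names are assumed values; lines beginning with # are annotations, not commands.

```text
# Assumed LNS hostname "LNS"; enter system view (step 1).
<LNS> system-view
# L2TP group 1 is the default group: "remote" may be omitted, so any LAC
# tunnel name is accepted; only users in domain example.com are bound here (step 2-3).
[LNS] l2tp-group 1
[LNS-l2tp1] allow l2tp virtual-template 1 domain example.com
[LNS-l2tp1] quit
# Any group other than 1 must name the LAC side tunnel; this must equal the
# local tunnel name configured on that LAC (see the NOTE above).
[LNS] l2tp-group 2
[LNS-l2tp2] allow l2tp virtual-template 2 remote lac-branch domain branch.example.com
[LNS-l2tp2] quit
```

Because an LNS denies all incoming calls by default, a LAC whose tunnel name matches no group's remote name and that is not covered by the unrestricted group 1 is rejected; keeping group 1 restricted to a domain, as shown, limits how widely that catch-all applies.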

Configuring user authentication on an LNS

An LNS may be configured to authenticate a user that has already passed authentication on the LAC, to increase security. In this case, the user is authenticated twice, once on the LAC and once on the LNS, and an L2TP tunnel is set up only when both authentications succeed.

An LNS authenticates users by using one of the following methods:

    Proxy authentication—The LNS uses the LAC as an authentication proxy. The LAC sends the LNS all the authentication information received from users together with the authentication mode configured on the LAC itself. The LNS then checks the validity of the user according to the received information and the locally configured authentication method.

    Mandatory CHAP authentication—The LNS uses CHAP authentication to re-authenticate users who have passed authentication on the LAC.

    LCP re-negotiation—The LNS ignores the LAC proxy authentication information and performs a new round of LCP negotiation with the user.

The three authentication methods have different priorities: LCP re-negotiation has the highest priority and proxy authentication the lowest. Which method the LNS uses depends on your configuration:

    If you configure both LCP re-negotiation and mandatory CHAP authentication, the LNS uses LCP re-negotiation.

    If you configure only mandatory CHAP authentication, the LNS performs CHAP authentication of users.

    If you configure neither LCP re-negotiation nor mandatory CHAP authentication, the LNS uses the LAC for proxy authentication of users.
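The following added example (not H3C code) models the two rules this section and the preceding table state: which L2TP group, if any, accepts an incoming tunnel request from a LAC, and which authentication method the LNS applies given its configuration. The group-matching semantics are assumptions drawn from the manual's wording (a group with an explicit remote name only accepts that name; group 1 without a remote name accepts any; a configured domain must match; a group with an explicit remote name is tried before the catch-all), and the group names, tunnel names and domains used are constructed sample values.

```python
"""Model of LNS call acceptance and authentication-method selection.

Added illustration, not H3C code. Matching order and domain semantics are
assumptions made for this model and are noted inline.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class L2tpGroup:
    """One 'allow l2tp virtual-template ...' entry in an L2TP group."""
    number: int
    virtual_template: int
    remote: Optional[str] = None   # LAC side tunnel name; optional only in group 1
    domain: Optional[str] = None   # optional domain restriction

    def __post_init__(self) -> None:
        # Manual rule: outside group 1 the 'remote remote-name' keyword is mandatory.
        if self.number != 1 and self.remote is None:
            raise ValueError(
                f"l2tp-group {self.number}: 'remote' is required when the group number is not 1"
            )


def group_accepts(group: L2tpGroup, lac_tunnel_name: str, user_domain: Optional[str]) -> bool:
    """True if this group would accept a tunnel request from the given LAC/domain."""
    # A configured remote name must equal the LAC's local tunnel name (NOTE in the manual).
    if group.remote is not None and group.remote != lac_tunnel_name:
        return False
    # Assumption: a configured domain must match the user's domain exactly.
    if group.domain is not None and group.domain != user_domain:
        return False
    return True


def select_group(groups: List[L2tpGroup], lac_tunnel_name: str,
                 user_domain: Optional[str]) -> Optional[L2tpGroup]:
    """Return the group that accepts the call, or None (default: LNS denies all calls).

    Assumption for this model: groups naming a specific remote are consulted
    before a group-1 entry that accepts any tunnel name.
    """
    specific = [g for g in groups if g.remote is not None]
    catch_all = [g for g in groups if g.remote is None]
    for group in specific + catch_all:
        if group_accepts(group, lac_tunnel_name, user_domain):
            return group
    return None


def lns_auth_method(lcp_renegotiation: bool, mandatory_chap: bool) -> str:
    """Apply the priority stated in the manual: LCP re-negotiation > mandatory CHAP > proxy."""
    if lcp_renegotiation:
        return "lcp-renegotiation"
    if mandatory_chap:
        return "mandatory-chap"
    return "proxy"


if __name__ == "__main__":
    # Constructed sample configuration mirroring the CLI example above.
    groups = [
        L2tpGroup(number=1, virtual_template=1, domain="example.com"),
        L2tpGroup(number=2, virtual_template=2, remote="lac-branch", domain="branch.example.com"),
    ]
    for lac, dom in [("lac-branch", "branch.example.com"), ("lac-hq", "example.com"), ("lac-hq", "other.org")]:
        chosen = select_group(groups, lac, dom)
        print(lac, dom, "->", f"group {chosen.number}" if chosen else "denied")
    print("auth:", lns_auth_method(lcp_renegotiation=False, mandatory_chap=True))
```

Running the script shows the branch LAC landing in group 2, an unnamed LAC in the example.com domain being caught by group 1, and a LAC whose domain matches no group being denied, which is the default LNS behaviour the table's remarks describe.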

1. Configuring mandatory CHAP authentication: