H3C Technologies H3C SecPath F1000-E User Manual
Page 272
With mandatory CHAP authentication configured, a VPN user that depends on a NAS to initiate
tunneling requests is authenticated twice: once by the NAS and once through CHAP on the LNS.
To configure mandatory CHAP authentication:
Step                                    Command                   Remarks
1. Enter system view.                   system-view               N/A
2. Enter L2TP group view.               l2tp-group group-number   N/A
3. Configure mandatory CHAP             mandatory-chap            By default, CHAP authentication is
   authentication.                                                not performed on an LNS.
NOTE:
Some PPP clients may not support re-authentication, in which case LNS side CHAP authentication will fail.
2. Configuring LCP re-negotiation:
In an NAS-initiated dial-up VPDN, a user first negotiates with the NAS at the start of a PPP session.
If the negotiation succeeds, the NAS initiates an L2TP tunneling request and sends user information
to the LNS. The LNS then determines whether the user is valid according to the proxy
authentication information received.
Under some circumstances, for example, when authentication and accounting are needed on the
LNS, a new round of Link Control Protocol (LCP) negotiation is required between the LNS and the
user, and the LNS authenticates the user by using the authentication method configured on the
corresponding virtual template interface.
If you enable LCP re-negotiation but configure no authentication for the corresponding virtual
template interface, the LNS does not perform an additional authentication of users. Instead, the
LNS directly allocates addresses from the global address pool to PPP users authenticated by the
LAC.
To specify the LNS to perform LCP re-negotiation with users:
Step                                    Command                   Remarks
1. Enter system view.                   system-view               N/A
2. Enter L2TP group view.               l2tp-group group-number   N/A
3. Specify the LNS to perform           mandatory-lcp             By default, an LNS does not perform LCP
   LCP re-negotiation with users.                                 re-negotiation with users.
Configuring AAA authentication for VPN users on an LNS
Configure AAA on the LNS in the following cases:
• Proxy authentication is configured on the LNS.
• Mandatory CHAP authentication is configured on the LNS.
• Mandatory LCP re-negotiation authentication is configured on the LNS and the virtual template interface requires PPP user authentication.
After you configure AAA on the LNS, the LNS can authenticate the identities (usernames and passwords)
of VPN users for a second time. If a user passes AAA authentication, the user can communicate with the
LNS. Otherwise, the L2TP session will be removed.
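The following LNS configuration is an added illustration, not taken from this manual, that puts the pieces of this section together: mandatory CHAP, LCP re-negotiation, CHAP on the virtual-template interface, and a local AAA account so the second authentication on the LNS has something to check against. Only system-view, l2tp-group, mandatory-chap and mandatory-lcp come from this page; l2tp enable, allow l2tp, tunnel authentication, tunnel password, interface virtual-template, ppp authentication-mode, remote address pool, domain, ip pool, authentication ppp and local-user follow the usual Comware CLI syntax and are assumptions to verify against the command reference for your release, and all names, passwords and addresses are placeholders. Both mandatory-chap and mandatory-lcp are shown so that each procedure above appears; keep the NOTE on PPP clients that do not support re-authentication in mind when choosing between them.

```text
# Added example, not from the manual. Commands other than system-view,
# l2tp-group, mandatory-chap and mandatory-lcp are assumed Comware syntax.
system-view
# Local account and ISP domain used by the LNS-side (second) authentication;
# the ip pool is the global address pool mentioned in the LCP section.
 local-user vpnuser1
  password simple VPN_USER_PASSWORD_PLACEHOLDER
  service-type ppp
  quit
 domain l2tp.example
  authentication ppp local
  ip pool 1 10.1.1.2 10.1.1.100
  quit
# PPP parameters applied after LCP re-negotiation: CHAP against the
# domain above, so an LAC-proxied user is verified again on the LNS.
 interface virtual-template 1
  ppp authentication-mode chap domain l2tp.example
  ip address 10.1.1.1 255.255.255.0
  remote address pool 1
  quit
# L2TP group: tunnel authentication with the LAC, plus the two commands
# from this page that force a second user authentication on the LNS.
 l2tp enable
 l2tp-group 1
  allow l2tp virtual-template 1 remote lac1
  tunnel authentication
  tunnel password simple TUNNEL_PASSWORD_PLACEHOLDER
  mandatory-chap
  mandatory-lcp
  quit
```

With this in place a user whose credentials are accepted by the LAC but rejected by the LNS domain has the L2TP session removed, which is the behaviour the AAA paragraph describes.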