Configuring transferring AVP data in hidden mode, Configuring AAA authentication on an LAC, Tunnel – H3C Technologies H3C SecPath F5020 User Manual
Configuring transferring AVP data in hidden mode
L2TP uses Attribute Value Pairs (AVPs) to transmit tunnel negotiation parameters, session negotiation
parameters, and user authentication information. Transferring AVP data in hidden mode can hide
sensitive AVP data such as user passwords. With this feature enabled, AVP data is encrypted before
transmission with the key configured by using the tunnel password command.
This configuration takes effect only when the tunnel authentication function is enabled. For more
information about configuring tunnel authentication, see "Configuring L2TP tunnel authentication."
To configure transferring AVP data in hidden mode:
| Step | Command | Remarks |
|------|---------|---------|
| 1. Enter system view. | system-view | N/A |
| 2. Enter L2TP group view in LAC mode. | l2tp-group group-number [ mode lac ] | N/A |
| 3. Specify that AVP data be transferred in hidden mode. | tunnel avp-hidden | By default, AVP data is transferred in plain text. |
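The hiding scheme that RFC 2661 (section 4.3) defines for L2TP AVPs, as an added example that is not taken from the H3C manual or from H3C code. It assumes the device follows the RFC and uses the tunnel password as the shared secret; the password, random vector, and AVP value below are constructed samples.

```python
import hashlib
import struct


def xor_chain(attr_type, secret, random_vector, data, decrypt):
    """XOR data with the MD5-derived keystream of RFC 2661 section 4.3."""
    # b(1) = MD5(2-octet attribute type + shared secret + random vector)
    block = hashlib.md5(struct.pack("!H", attr_type) + secret + random_vector).digest()
    out = bytearray()
    for i in range(0, len(data), 16):
        chunk = data[i:i + 16]          # last chunk may be shorter than 16
        xored = bytes(a ^ b for a, b in zip(chunk, block))
        out += xored
        # b(i+1) = MD5(shared secret + c(i)), where c(i) is the ciphertext chunk
        block = hashlib.md5(secret + (chunk if decrypt else xored)).digest()
    return bytes(out)


def hide_avp_value(attr_type, secret, random_vector, value, padding=b""):
    """Build the hidden subformat: original length, value, optional padding."""
    subformat = struct.pack("!H", len(value)) + value + padding
    return xor_chain(attr_type, secret, random_vector, subformat, decrypt=False)


def unhide_avp_value(attr_type, secret, random_vector, hidden):
    """Recover the original value; reject an impossible length field."""
    plain = xor_chain(attr_type, secret, random_vector, hidden, decrypt=True)
    if len(plain) < 2:
        raise ValueError("hidden AVP shorter than its length field")
    (orig_len,) = struct.unpack("!H", plain[:2])
    if orig_len > len(plain) - 2:
        raise ValueError("bad length: wrong tunnel password or corrupt AVP")
    return plain[2:2 + orig_len]


# Constructed sample values (not from the manual).
TUNNEL_PASSWORD = b"example-tunnel-password"   # assumed to be the shared secret
RANDOM_VECTOR = bytes(range(16))               # sent in clear in a Random Vector AVP
ATTR_TYPE = 33                                 # Proxy Authen Response in RFC 2661
VALUE = b"sample-user-password-longer-than-16"

if __name__ == "__main__":
    hidden = hide_avp_value(ATTR_TYPE, TUNNEL_PASSWORD, RANDOM_VECTOR, VALUE, b"\x00" * 5)
    print(hidden.hex())
    print(unhide_avp_value(ATTR_TYPE, TUNNEL_PASSWORD, RANDOM_VECTOR, hidden))
```

Because the keystream is derived only from the tunnel password and the Random Vector carried in the same message, hidden AVPs are protected no better than the tunnel password itself.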
Configuring AAA authentication on an LAC
You can configure an LAC to authenticate the identities (usernames and passwords) of remote dialup
users by using AAA authentication and initiate a tunneling request only for qualified users. No tunnel will
be established for unqualified users.
The device supports both local AAA authentication and remote AAA authentication:
• For local AAA authentication, create a local user and configure a password for each remote user
  on the LAC. The LAC authenticates a remote user by matching the provided username and
  password against those configured locally.
• For remote AAA authentication, configure the username and password of each user on the
  RADIUS/HWTACACS server. The LAC sends the remote user's username and password to the
  server to be authenticated.
For more information about configuring AAA authentication, see Security Configuration Guide.
To enable AAA authentication on an LAC, you also need to configure the authentication type of PPP users
as PAP or CHAP on the user access interfaces. For information about configuring PAP or CHAP, see
"
and MP."
Configuring an LAC to automatically establish an L2TP tunnel
To configure an LAC to automatically establish an L2TP tunnel, perform the following tasks:
• Create a virtual PPP interface and configure an IP address for the interface.
• In virtual PPP interface view, configure the side authenticated by PPP. Use the ppp pap command or
the ppp chap command to specify the PPP authentication method supported by the PPP user and the
username and password of the PPP user. The LNS authenticates the PPP user. For more information,
see "
and MP."
• Trigger the LAC to automatically establish an L2TP tunnel.