Configuring mandatory CHAP authentication, Configuring LCP renegotiation – H3C Technologies H3C SecPath F5020 User Manual

itself. The LNS then checks the user validity according to the received information and the locally configured authentication method.

Mandatory CHAP authentication—The LNS uses CHAP authentication to reauthenticate users who
have passed authentication on the LAC.

LCP renegotiation—The LNS ignores the LAC proxy authentication information and performs a new
round of LCP negotiation with the user.

The three authentication methods have different priorities, where LCP renegotiation has the highest priority and proxy authentication has the lowest priority. The LNS chooses a method depending on your configuration:

If you configure both LCP renegotiation and mandatory CHAP authentication, the LNS uses LCP
renegotiation.

If you configure only mandatory CHAP authentication, the LNS performs CHAP authentication for
users after proxy authentication succeeds.

If you configure neither LCP renegotiation nor mandatory CHAP authentication, the LNS uses the
LAC for proxy authentication.

Configuring mandatory CHAP authentication

When mandatory CHAP authentication is configured, a user who depends on an LAC to initiate tunneling requests is authenticated twice: once by the LAC and once on the LNS. Some users might not support the authentication on the LNS. In this situation, do not enable this feature, because CHAP authentication on the LNS will fail.

For this feature to take effect, you must also configure CHAP authentication for the PPP user on the VT interface of the LNS.

To configure mandatory CHAP authentication:

Step 1. Enter system view.
    Command: system-view
    Remarks: N/A

Step 2. Enter L2TP group view in LNS mode.
    Command: l2tp-group group-number [ mode lns ]
    Remarks: N/A

Step 3. Configure mandatory CHAP authentication.
    Command: mandatory-chap
    Remarks: By default, CHAP authentication is not performed on an LNS. This command is effective only on NAS-initiated L2TP tunnels.

Configuring LCP renegotiation

To establish a NAS-initiated L2TP tunnel, a user first negotiates with the LAC at the start of a PPP session. If the negotiation succeeds, the LAC initiates an L2TP tunneling request and sends user information to the LNS. The LNS then determines whether the user is valid according to the proxy authentication information received.

If you do not expect the LNS to accept LCP negotiation parameters, configure this function to perform a new round of LCP negotiation between the LNS and the user. In this case, the LNS authenticates the user by using the authentication method configured on the corresponding VT interface.

If you enable LCP renegotiation but configure no authentication for the corresponding VT interface, the LNS does not perform an additional authentication for users.
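The method priorities and the two VT-interface dependencies described above can be checked against a saved LNS configuration. The audit script below is an added example, not part of the H3C manual; the sample configuration is constructed, and the `mandatory-lcp`, `allow l2tp virtual-template` and `ppp authentication-mode` command spellings are assumptions, because this page shows only `l2tp-group` and `mandatory-chap`.

```python
import re

# Constructed sample. Commands other than l2tp-group/mandatory-chap are assumed syntax.
SAMPLE = """\
interface Virtual-Template1
 ppp authentication-mode chap
interface Virtual-Template2
l2tp-group 1 mode lns
 allow l2tp virtual-template 1
 mandatory-chap
 mandatory-lcp
l2tp-group 2 mode lns
 allow l2tp virtual-template 2
 mandatory-lcp
l2tp-group 3 mode lns
 allow l2tp virtual-template 2
 mandatory-chap
l2tp-group 4 mode lns
 allow l2tp virtual-template 1
"""

def sections(config):
    """Map each top-level line to the indented commands under it."""
    out, cur = {}, []
    for line in filter(str.strip, config.splitlines()):
        if line[0].isspace():
            cur.append(line.strip())
        else:
            cur = out.setdefault(line.strip(), [])
    return out

def audit(config):
    """Return {group: (method the LNS applies, warning or None)}."""
    sec, result, known = sections(config), {}, {"pap", "chap", "ms-chap", "ms-chap-v2"}
    vt_modes = {h.split("Virtual-Template")[1]: known & {w for c in b
                if c.startswith("ppp authentication-mode") for w in c.split()}
                for h, b in sec.items() if h.startswith("interface Virtual-Template")}
    for head, body in sec.items():
        m = re.fullmatch(r"l2tp-group (\d+)(?: mode lns)?", head)
        if not m:
            continue
        vt = next((c.split()[3] for c in body if c.startswith("allow l2tp virtual-template")), None)
        modes = vt_modes.get(vt, set())
        if "mandatory-lcp" in body:        # highest priority, overrides mandatory-chap
            result[m[1]] = ("lcp-renegotiation", None if modes else "no VT authentication: user not reauthenticated")
        elif "mandatory-chap" in body:     # needs CHAP on the VT interface to take effect
            result[m[1]] = ("mandatory-chap", None if "chap" in modes else "no CHAP on VT interface")
        else:                              # lowest priority
            result[m[1]] = ("proxy", None)
    return result
```

Groups that return a warning are the ones to review: the LNS either performs no additional authentication of its own or has mandatory CHAP configured without the VT-interface setting it depends on.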
To configure the LNS to perform LCP renegotiation with users:
