H3C Technologies H3C SecPath F1000-E User Manual

Item: Mandatory LCP

Description:

After the LAC authenticates the client, the LNS may re-authenticate the client for higher security. In this case, an L2TP tunnel can be set up only when both authentications succeed. On an L2TP network, an LNS authenticates users in three ways: mandatory CHAP authentication, LCP re-negotiation, and proxy authentication.

Mandatory CHAP authentication: With mandatory CHAP authentication configured, a VPN user that depends on a NAS to initiate tunneling requests is authenticated twice: once when accessing the NAS and once on the LNS by using CHAP.

LCP re-negotiation: For a PPP user that depends on a NAS to initiate tunneling requests, the user first performs PPP negotiation with the NAS. If the negotiation succeeds, the NAS initiates an L2TP tunneling request and sends the user's authentication information to the LNS. The LNS then determines whether the user is valid according to the user authentication information received. Under some circumstances (for example, when authentication and accounting are required on the LNS), another round of Link Control Protocol (LCP) negotiation is required between the LNS and the user. In this case, the user authentication information from the NAS is ignored.

Proxy authentication: If neither LCP re-negotiation nor mandatory CHAP authentication is configured, the LNS performs proxy authentication of users. In this case, the LAC sends to the LNS all authentication information from users as well as the authentication mode configured on the LAC itself.

IMPORTANT:

- Among these three authentication methods, LCP re-negotiation has the highest priority. If both LCP re-negotiation and mandatory CHAP authentication are configured, the LNS uses LCP re-negotiation and the PPP authentication method configured in the L2TP group.

- Some PPP clients may not support re-authentication, in which case LNS-side CHAP authentication will fail.

- With LCP re-negotiation, if no PPP authentication method is configured in the L2TP group, the LNS will not re-authenticate users; it will assign public addresses to the PPP users immediately. In other words, the users are authenticated only once, at the LAC end.

- When the LNS uses proxy authentication and the user authentication information passed from the LAC to the LNS is valid: if the authentication method configured in the L2TP group is PAP, the proxy authentication succeeds and a session can be established for the user; if the authentication method configured in the L2TP group is CHAP but the method configured on the LAC is PAP, the proxy authentication fails and no session can be set up. This is because the level of CHAP authentication, which the LNS requires, is higher than that of PAP authentication, which the LAC provides.
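The priority and compatibility rules above interact in ways that are easy to misread when auditing an LNS configuration. The following is an added model of those rules written for this page (not H3C code; the class and function names are this example's own): it takes the L2TP group settings and the LAC's authentication mode and returns which method the LNS applies, whether the LNS re-authenticates the user at all, and whether a session can come up.

```python
"""Model of the LNS-side authentication outcome for an L2TP user, following the
rules in the manual text above. Added illustration, not H3C code; all names are
this example's own."""
from dataclasses import dataclass
from typing import Optional


@dataclass
class LnsConfig:
    mandatory_lcp: bool       # LCP re-negotiation configured in the L2TP group
    mandatory_chap: bool      # mandatory CHAP configured in the L2TP group
    ppp_auth: Optional[str]   # PPP auth method in the L2TP group: "pap", "chap" or None


@dataclass
class Outcome:
    method: str               # "lcp-renegotiation", "mandatory-chap" or "proxy"
    lns_authenticates: bool   # True if the LNS itself authenticates the user
    session: bool             # True if a session can be established


def lns_outcome(cfg: LnsConfig, lac_auth: str,
                client_supports_reauth: bool = True) -> Outcome:
    """lac_auth is the method configured on the LAC ("pap" or "chap"). The LAC-side
    authentication is assumed to have succeeded (otherwise no tunnel request is made).
    client_supports_reauth models PPP clients that cannot re-authenticate; per the
    manual this only makes an LNS-side CHAP authentication fail."""
    if cfg.mandatory_lcp:
        # Highest priority: the LAC's authentication information is ignored.
        if cfg.ppp_auth is None:
            # No method in the group: no re-authentication, addresses assigned at once,
            # so the user was authenticated only once, at the LAC.
            return Outcome("lcp-renegotiation", False, True)
        ok = client_supports_reauth if cfg.ppp_auth == "chap" else True
        return Outcome("lcp-renegotiation", True, ok)
    if cfg.mandatory_chap:
        # Second authentication by CHAP on the LNS.
        return Outcome("mandatory-chap", True, client_supports_reauth)
    # Proxy authentication: the LNS judges the forwarded LAC information against the
    # method configured in the L2TP group. The manual names one failing combination:
    # the group requires CHAP but the LAC only performed PAP.
    if cfg.ppp_auth == "chap" and lac_auth == "pap":
        return Outcome("proxy", False, False)
    return Outcome("proxy", False, True)
```

Run it against the combinations you intend to deploy; a configuration that reports `lns_authenticates == False` means the LAC is the only point at which the user's credentials are ever checked.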
