11-38

MAX 6000/3000 Network Configuration Guide

Setting Up Virtual Private Networks
Configuring L2TP tunnels for dial-in clients

Using multiple L2TP system names

MAX units now support additional tunnel authentication settings that make the establishment of Layer 2 Tunneling Protocol (L2TP) and Layer 2 Forwarding (L2F) tunnels more flexible and more secure. Previously, L2TP and RADIUS protocol requirements forced every network access server (NAS) in the network to use the same system name for tunnel authentication, even when the network spanned multiple administrative domains.

With the current software version, each NAS sends a unique system name for tunnel
authentication purposes. The name can be specified on a per-connection or per-server basis. If
RADIUS accounting is enabled, the MAX unit reports the names used for tunnel
authentication in the Stop record.

Note: Tunnel authentication occurs before a tunnel is established between two endpoints. It is negotiated between the MAX unit and a tunnel server and is independent of user authentication. If tunnel authentication fails, all pending calls associated with the tunnel are dropped.

For L2TP tunnels, because the LAC can now specify its name on a per-connection basis, you
can configure profiles to create parallel tunnels to the same destination. For example, some
sites use parallel tunnels to separate data streams that are directed to the same LNS but
destined for different networks.

Overview of RADIUS attribute-value pairs

RADIUS provides attribute-value pairs that support multiple L2TP system names. All of these
attribute-value pairs support tag fields, as described in RFC 2868. Each tag value (from 1 to
31) defines an independent tunnel attempt description. The Tunnel-Client-Auth-ID and
Tunnel-Server-Auth-ID attributes can be specified in Access-Response packets and are
generated in Accounting-Request packets. Following are the relevant attributes:

Table 11-3. RADIUS attributes for specifying L2TP tunnels (continued)

Attribute: Tunnel-Server-Endpoint (67)
Description: Specifies the IP address or fully qualified hostname of the LNS, if you set Tunnel-Type to L2TP, or of the PPTP Network Server (PNS), if you set Tunnel-Type to PPTP.
Possible values: If a DNS server is available, you can specify the fully qualified hostname of the LNS. Otherwise, specify the IP address of the LNS in dotted decimal notation (N.N.N.N, where N is a number from 0 to 255). You must set this attribute to an accessible IP hostname or address.

Attribute: Tunnel-Password (69)
Description: Shared secret for authenticating L2TP tunnels.
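The following Python example is added here to show how the tagged attributes described in the overview above are carried on the wire and how a NAS groups them into per-tag tunnel attempt descriptions; it is not code from the MAX 6000 guide or from Lucent. It builds a constructed Access-Accept payload describing two parallel L2TP tunnels to the same LNS (tags 1 and 2, each with its own LAC system name in Tunnel-Client-Auth-ID), then parses it back, applying the RFC 2868 tag rules (a first octet above 0x1F on a string attribute is data, not a tag) and decrypting the Tunnel-Password (69) field with the RFC 2868 salted, MD5-chained scheme. The attribute numbers are RFC 2868's; the shared secret, Request Authenticator, host names and tunnel secrets are constructed for the example.

```python
"""Decode RFC 2868 tagged tunnel attributes and group them by tag.

Added illustration, not the MAX 6000 guide's own code. Attribute numbers
are RFC 2868 values; the secret, Request Authenticator and sample tunnel
parameters below are constructed for this example.
"""
import hashlib
import os

TUNNEL_TYPE = 64             # tag octet + 3-byte value (1=PPTP, 2=L2F, 3=L2TP)
TUNNEL_SERVER_ENDPOINT = 67  # optional tag octet + string
TUNNEL_PASSWORD = 69         # tag octet + 2-byte salt + encrypted string
TUNNEL_CLIENT_AUTH_ID = 90   # optional tag octet + string
TUNNEL_SERVER_AUTH_ID = 91   # optional tag octet + string
TUNNEL_TYPE_NAMES = {1: "PPTP", 2: "L2F", 3: "L2TP"}
STRING_ATTRS = {TUNNEL_SERVER_ENDPOINT, TUNNEL_CLIENT_AUTH_ID, TUNNEL_SERVER_AUTH_ID}
TAGGED_ATTRS = STRING_ATTRS | {TUNNEL_TYPE, TUNNEL_PASSWORD}
STRING_FIELDS = {TUNNEL_SERVER_ENDPOINT: "endpoint", TUNNEL_CLIENT_AUTH_ID: "client_auth_id",
                 TUNNEL_SERVER_AUTH_ID: "server_auth_id"}


def encrypt_tunnel_password(password, secret, request_auth, salt=None):
    """RFC 2868 s3.5: length-prefix, zero-pad to 16 octets, MD5-chained XOR.
    The salt's high bit must be set; a random salt is drawn when none is given."""
    if salt is None:
        salt = bytes([0x80 | os.urandom(1)[0], os.urandom(1)[0]])
    if len(salt) != 2 or not salt[0] & 0x80:
        raise ValueError("salt must be 2 octets with the high bit set")
    plain = bytes([len(password)]) + password
    plain += b"\x00" * (-len(plain) % 16)
    out, prev = b"", request_auth + salt          # b(1) = MD5(S + R + A)
    for i in range(0, len(plain), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(plain[i:i + 16], key))
        out, prev = out + block, block            # b(n) = MD5(S + c(n-1))
    return salt + out


def decrypt_tunnel_password(value, secret, request_auth):
    """Inverse of encrypt_tunnel_password; returns the plaintext tunnel secret."""
    salt, cipher = value[:2], value[2:]
    if not cipher or len(cipher) % 16:
        raise ValueError("ciphertext must be a non-empty multiple of 16 octets")
    plain, prev = b"", request_auth + salt
    for i in range(0, len(cipher), 16):
        key = hashlib.md5(secret + prev).digest()
        block = cipher[i:i + 16]
        plain += bytes(c ^ k for c, k in zip(block, key))
        prev = block
    length = plain[0]
    if length > len(plain) - 1:  # wrong secret or authenticator gives garbage
        raise ValueError("bad length octet after decryption")
    return plain[1:1 + length]


def build_avp(attr_type, value):
    """Type, Length (covering the 2-octet header), Value."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return bytes([attr_type, 2 + len(value)]) + value


def parse_avps(payload):
    """Yield (type, value) pairs; reject malformed lengths instead of looping."""
    pos = 0
    while pos < len(payload):
        if pos + 2 > len(payload):
            raise ValueError("truncated attribute header")
        attr_type, length = payload[pos], payload[pos + 1]
        if length < 2 or pos + length > len(payload):
            raise ValueError("bad attribute length")
        yield attr_type, payload[pos + 2:pos + length]
        pos += length


def split_tag(attr_type, value):
    """Return (tag, body). Tunnel-Type and Tunnel-Password always carry a tag
    octet; on string attributes a first octet above 0x1F is data, not a tag."""
    if attr_type in (TUNNEL_TYPE, TUNNEL_PASSWORD):
        return value[0], value[1:]
    if attr_type in STRING_ATTRS and 0x01 <= value[0] <= 0x1F:
        return value[0], value[1:]
    return 0, value


def tunnel_attempts(payload, secret, request_auth):
    """Group tagged tunnel attributes by tag (0 = untagged, 1..31 = one attempt each)."""
    attempts = {}
    for attr_type, value in parse_avps(payload):
        if attr_type not in TAGGED_ATTRS:
            continue
        tag, body = split_tag(attr_type, value)
        entry = attempts.setdefault(tag, {})
        if attr_type == TUNNEL_TYPE:
            entry["type"] = TUNNEL_TYPE_NAMES.get(int.from_bytes(body, "big"), "unknown")
        elif attr_type == TUNNEL_PASSWORD:
            entry["password"] = decrypt_tunnel_password(body, secret, request_auth)
        else:
            entry[STRING_FIELDS[attr_type]] = body.decode("ascii")
    return attempts


# Constructed sample: two parallel L2TP tunnels (tags 1 and 2) to one LNS, each
# with its own LAC system name and tunnel secret.
SECRET = b"constructed-shared-secret"
REQUEST_AUTH = bytes(range(16))  # stand-in for the Access-Request authenticator


def sample_access_accept():
    avps = b""
    for tag, lac_name, pw in ((1, b"lac-data", b"tunnelpw1"), (2, b"lac-voice", b"tunnelpw2-longer")):
        t = bytes([tag])
        avps += build_avp(TUNNEL_TYPE, t + (3).to_bytes(3, "big"))
        avps += build_avp(TUNNEL_SERVER_ENDPOINT, t + b"lns.example.net")
        avps += build_avp(TUNNEL_CLIENT_AUTH_ID, t + lac_name)
        avps += build_avp(TUNNEL_SERVER_AUTH_ID, t + b"lns-one")
        avps += build_avp(TUNNEL_PASSWORD, t + encrypt_tunnel_password(pw, SECRET, REQUEST_AUTH, b"\x80" + t))
    return avps


if __name__ == "__main__":
    for tag, desc in sorted(tunnel_attempts(sample_access_accept(), SECRET, REQUEST_AUTH).items()):
        print(tag, desc)
```

Running the module prints one description per tag. The two design points worth noting for a defender: the Tunnel-Password decryption is only as strong as the RADIUS shared secret and the Request Authenticator (a wrong secret yields garbage, which the length-octet check catches), and the parser rejects malformed attribute lengths rather than looping or reading past the payload.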
