Configuring an lac, Configuring an lac to transfer avp, Data in hidden mode – H3C Technologies H3C SecPath F1000-E User Manual


Configuring an LAC

An LAC establishes tunnels with LNSs on behalf of users and forwards user packets to the LNSs through those tunnels. Before configuring an LAC, enable L2TP and create an L2TP group.

Configuring an LAC to initiate tunneling requests for specified users

An LAC initiates tunneling requests only to specified LNSs and only for specified users. You specify both the users to be serviced and the LNSs to connect to. Users are identified either by their fully qualified user name or by their domain name.
To configure the LAC:

Step 1. Enter system view.
   Command: system-view

Step 2. Enter L2TP group view.
   Command: l2tp-group group-number

Step 3. Enable the firewall to initiate tunneling requests to one or more LNS IP addresses for one or more specified VPN users.
   Command: start l2tp { ip ip-address }&<1-5> { domain domain-name | fullusername user-name }

NOTE:

Up to five LNS addresses can be configured in one start l2tp command. The LAC tries the specified LNSs one at a time, in their configuration order, until one of them acknowledges the tunneling request; that LNS becomes the tunnel peer.

Configuring an LAC to transfer AVP data in hidden mode

With L2TP, some control-connection parameters are carried as attribute value pair (AVP) data. By default they are sent in plain text. To make them harder to read on the wire, you can configure the LAC to transfer AVP data in hidden mode, which obfuscates AVP values before transmission. Note that AVP hiding (defined in RFC 2661, section 4.3) derives its obfuscation key from the tunnel authentication shared secret, so the same tunnel password must be configured on both tunnel ends; it protects against casual disclosure of AVP values and is not a substitute for IPsec protection of the tunnel.
To configure an LAC to transfer AVP data in hidden mode:

Step 1. Enter system view.
   Command: system-view
   Remarks: N/A

Step 2. Enter L2TP group view.
   Command: l2tp-group group-number
   Remarks: N/A

Step 3. Specify that AVP data be transferred in hidden mode.
   Command: tunnel avp-hidden
   Remarks: Optional. By default, AVP data is transferred in plain text.

Configuring AAA authentication for VPN users on the LAC side

You can configure an LAC to perform AAA authentication for VPN users and to initiate a tunneling request only for users that pass authentication. No tunnel is established for users that fail authentication.
The firewall supports both local AAA authentication and remote AAA authentication:

• For local AAA authentication, create a local user and configure a password for each remote user on the LAC. The LAC authenticates a remote user by matching the supplied username and password against the ones configured locally.

• For remote AAA authentication, configure the username and password of each user on the RADIUS or HWTACACS server. The LAC forwards the remote user's username and password to the server for authentication.
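The three procedures on this page combined into one LAC configuration, as an added example that is not taken from the manual. The group number, tunnel name, LNS addresses, domain name, user name and passwords are constructed placeholders. The tunnel authentication and tunnel password commands are included because AVP hiding derives its obfuscation key from the tunnel authentication shared secret (RFC 2661, section 4.3) and the same password must be configured on the LNS; binding the user-facing PPP interface to the domain (ppp authentication-mode chap domain ...) is assumed and is not covered on this page.

```text
# Added example (not from the manual). Comware V5 syntax; names and addresses are constructed.
system-view
# Enable L2TP before creating any L2TP group.
 l2tp enable
# Local AAA: one local PPP user per remote user; the domain selects local authentication.
 local-user user1
  password simple User1Pass
  service-type ppp
  quit
 domain vpn.example.com
  authentication ppp local
  quit
# L2TP group 1 acts as the LAC for users whose domain is vpn.example.com.
 l2tp-group 1
  tunnel name lac1
# Tunnel authentication shared secret (must match the LNS). AVP hiding obfuscates AVP
# values with an MD5-based function of this secret; it is not IPsec-grade encryption.
  tunnel authentication
  tunnel password simple L2tpSharedSecret
  tunnel avp-hidden
# Try 10.1.1.1 first, then 10.1.1.2, until one LNS acknowledges (up to five addresses).
  start l2tp ip 10.1.1.1 ip 10.1.1.2 domain vpn.example.com
  quit
# Verify the tunnel after a user in vpn.example.com dials in.
display l2tp tunnel
```

If the LNS does not have tunnel authentication enabled with the same password, the tunnel setup fails before any AVP is exchanged in hidden mode; check display l2tp tunnel on both ends when the request is rejected.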
