H3C Technologies H3C SecPath F1000-E User Manual


With mandatory CHAP authentication configured, a VPN user that depends on a NAS to initiate tunneling requests is authenticated twice: once by the NAS and once through CHAP on the LNS.

To configure mandatory CHAP authentication:

Step                                         Command                    Remarks
1. Enter system view.                        system-view                N/A
2. Enter L2TP group view.                    l2tp-group group-number    N/A
3. Configure mandatory CHAP authentication.  mandatory-chap             By default, CHAP authentication is not performed on an LNS.

NOTE:

Some PPP clients may not support re-authentication, in which case LNS side CHAP authentication will fail.

2. Configuring LCP re-negotiation

In a NAS-initiated dial-up VPDN, a user first negotiates with the NAS at the start of a PPP session. If the negotiation succeeds, the NAS initiates an L2TP tunneling request and sends user information to the LNS. The LNS then determines whether the user is valid according to the proxy authentication information received.

Under some circumstances, for example, when authentication and accounting are needed on the LNS, a new round of Link Control Protocol (LCP) negotiation is required between the LNS and the user, and the LNS authenticates the user by using the authentication method configured on the corresponding virtual template interface.

If you enable LCP re-negotiation but configure no authentication for the corresponding virtual template interface, the LNS does not perform an additional authentication of users. Instead, the LNS directly allocates addresses from the global address pool to PPP users authenticated by the LAC.

To specify the LNS to perform LCP re-negotiation with users:

Step                                                      Command                    Remarks
1. Enter system view.                                     system-view                N/A
2. Enter L2TP group view.                                 l2tp-group group-number    N/A
3. Specify the LNS to perform LCP re-negotiation          mandatory-lcp              By default, an LNS does not perform LCP re-negotiation with users.
   with users.

Configuring AAA authentication for VPN users on an LNS

Configure AAA on the LNS in the following cases:

Proxy authentication is configured on the LNS

Mandatory CHAP authentication is configured on the LNS

Mandatory LCP re-negotiation authentication is configured on the LNS and the virtual template interface requires PPP user authentication.

After you configure AAA on the LNS, the LNS can authenticate the identities (usernames and passwords) of VPN users for a second time. If a user passes AAA authentication, the user can communicate with the LNS. Otherwise, the L2TP session will be removed.
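The following Python script is an added illustration of the three cases above and of the LCP re-negotiation caveat; it is not part of the H3C manual and not H3C's own tooling. It parses a constructed, Comware-style LNS configuration excerpt and reports, for each L2TP group, whether the LNS itself will authenticate users: through mandatory CHAP, through LCP re-negotiation backed by PPP authentication on the virtual template, through LCP re-negotiation with no authentication on the virtual template (the case in which the LNS only allocates addresses), or not at all (relying on the NAS's proxy authentication information). `system-view`, `l2tp-group`, `mandatory-chap` and `mandatory-lcp` are the manual's commands; `allow l2tp virtual-template`, `interface Virtual-TemplateN` and `ppp authentication-mode` are assumed Comware syntax used only for illustration, and the configuration text is constructed.

```python
import re
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Constructed Comware-style LNS configuration excerpt (not from the manual).
# `l2tp-group`, `mandatory-chap` and `mandatory-lcp` are the manual's commands;
# `allow l2tp virtual-template`, `interface Virtual-TemplateN` and
# `ppp authentication-mode` are assumed syntax used only for illustration.
SAMPLE_CONFIG = """\
l2tp-group 1
 allow l2tp virtual-template 1 remote lac-branch
 mandatory-chap
#
l2tp-group 2
 allow l2tp virtual-template 2 remote lac-partner
 mandatory-lcp
#
l2tp-group 3
 allow l2tp virtual-template 3 remote lac-hq
 mandatory-lcp
#
l2tp-group 4
 allow l2tp virtual-template 4 remote lac-legacy
#
interface Virtual-Template1
 ip address 10.1.1.1 255.255.255.0
#
interface Virtual-Template2
 ip address 10.1.2.1 255.255.255.0
#
interface Virtual-Template3
 ppp authentication-mode chap domain vpdn
 ip address 10.1.3.1 255.255.255.0
#
"""

@dataclass
class L2tpGroup:
    number: int
    virtual_template: Optional[int] = None
    mandatory_chap: bool = False
    mandatory_lcp: bool = False

@dataclass
class VirtualTemplate:
    number: int
    ppp_authentication: Optional[str] = None  # "chap", "pap", ... or None

def parse_config(text: str) -> Tuple[Dict[int, L2tpGroup], Dict[int, VirtualTemplate]]:
    """Collect L2TP groups and virtual-template interfaces from a config dump.
    Comware prints view-level commands flush left, sub-commands indented by one
    space, and '#' between views; that layout drives the parser."""
    groups: Dict[int, L2tpGroup] = {}
    templates: Dict[int, VirtualTemplate] = {}
    context = None
    for raw in text.splitlines():
        line = raw.strip()
        if not raw.startswith(" "):  # view-level command, '#', or blank line
            context = None
            if m := re.fullmatch(r"l2tp-group (\d+)", line):
                context = groups.setdefault(int(m[1]), L2tpGroup(int(m[1])))
            elif m := re.fullmatch(r"interface Virtual-Template(\d+)", line, re.I):
                context = templates.setdefault(int(m[1]), VirtualTemplate(int(m[1])))
            continue
        if isinstance(context, L2tpGroup):
            if m := re.match(r"allow l2tp virtual-template (\d+)", line):
                context.virtual_template = int(m[1])
            elif line == "mandatory-chap":
                context.mandatory_chap = True
            elif line == "mandatory-lcp":
                context.mandatory_lcp = True
        elif isinstance(context, VirtualTemplate):
            if m := re.match(r"ppp authentication-mode (\S+)", line):
                context.ppp_authentication = m[1]
    return groups, templates

def audit_lns_authentication(groups, templates) -> Dict[int, Tuple[str, str]]:
    """Classify, per L2TP group, whether and how the LNS authenticates users."""
    findings = {}
    for num, g in sorted(groups.items()):
        vt = templates.get(g.virtual_template)
        vt_auth = vt.ppp_authentication if vt else None
        if g.mandatory_chap:
            findings[num] = ("chap", "LNS re-authenticates users with CHAP; AAA is required on the LNS")
        elif g.mandatory_lcp and vt_auth:
            findings[num] = ("lcp-auth", f"LNS re-negotiates LCP and authenticates with {vt_auth} on "
                             f"Virtual-Template{g.virtual_template}; AAA is required on the LNS")
        elif g.mandatory_lcp:
            findings[num] = ("lcp-no-auth", "mandatory-lcp but no ppp authentication-mode on the virtual "
                             "template: LNS skips its own authentication and just allocates addresses")
        else:
            findings[num] = ("none", "no mandatory-chap or mandatory-lcp: LNS relies on the proxy "
                             "authentication information sent by the NAS")
    return findings

if __name__ == "__main__":
    grp, vts = parse_config(SAMPLE_CONFIG)
    for num, (kind, detail) in audit_lns_authentication(grp, vts).items():
        print(f"l2tp-group {num}: {kind:12s} {detail}")
```

Run against a real `display current-configuration` dump, the `lcp-no-auth` line is the one to act on: either add `ppp authentication-mode` to the referenced virtual template or use `mandatory-chap`, and in both cases confirm that AAA is configured on the LNS, since the manual lists both as situations that require it. The `chap` case should also be checked against the note above: PPP clients that do not support re-authentication will fail LNS-side CHAP.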
