Client Authentication - Lucent Technologies MAX 6000 Configuration Manual


On the LAC, you can specify the password with the Tunnel-Password attribute in the RADIUS
user profile for the connection initiating the session, or you can configure the password in a
Names/Passwords profile. If you create a Names/Passwords profile, the value of the Ethernet >
Names/Passwords > Name parameter must match the value of the System > Sys Config >
Name parameter on the LNS.
Conversely, you can configure the LAC and LNS to not require tunnel authentication.

Client authentication

Either the LAC, the LNS, or both, can perform PAP or CHAP authentication of clients for
which they create tunnels. If you configure the MAX to create tunnels on a per-line basis, only
the LNS can perform authentication, because the MAX automatically builds a tunnel to the
LNS for any call it receives on that line.
If you use RADIUS to configure L2TP on a per-user basis, and you specify the
Client-Port-DNIS attribute, the LAC does not perform PAP or CHAP authentication. If you
specify Client-Port-DNIS, the tunnel is created as soon as the LAC receives a DNIS number
that matches a Client-Port-DNIS for any user profile. You can configure the LNS to perform
PAP or CHAP authentication after the LAC and LNS establish the tunnel.
If you use RADIUS to configure L2TP, but do not specify the Client-Port-DNIS attribute, the
LAC performs PAP or CHAP authentication before the tunnel is established. Once the tunnel is
up, the LNS can perform authentication again on the client. Each client sends the same
username and password during the authentication phase, so for each client, make sure you
configure the LAC and LNS to look for the same usernames and passwords.
You can also direct the MAX to create an L2TP tunnel from the terminal server by using the
L2TP command. You can configure authentication on the LNS so that users must authenticate
themselves when they manually initiate L2TP tunnels from the terminal server.
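
The rules above can be checked mechanically against a list of client connections. The following Python code is an added example, not taken from the manual or from Lucent; the Client fields, mode names and sample entries are constructed for illustration and are not MAX or RADIUS syntax. It reports clients that are tunneled with no PAP or CHAP check at either end, and clients whose LAC and LNS passwords differ.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class Client:                         # hypothetical record, one per dial-in client
    name: str
    mode: str                         # "per-line" or "radius" (per-user)
    client_port_dnis: bool = False    # RADIUS profile sets Client-Port-DNIS
    lns_auth: bool = False            # LNS runs PAP/CHAP after tunnel setup
    lac_password: Optional[str] = None
    lns_password: Optional[str] = None

def auth_points(c: Client) -> list:
    """Devices that run PAP or CHAP for this client, in call order."""
    if c.mode not in ("per-line", "radius"):
        raise ValueError(f"unknown mode: {c.mode}")
    points = []
    # Per-line tunnels and Client-Port-DNIS matches are built before any
    # PAP/CHAP exchange, so the LAC authenticates only in the remaining case.
    if c.mode == "radius" and not c.client_port_dnis:
        points.append("LAC")
    if c.lns_auth:
        points.append("LNS")
    return points

def audit(clients) -> list:
    """Return (client, finding) pairs for risky or inconsistent setups."""
    findings = []
    for c in clients:
        points = auth_points(c)
        if not points:
            findings.append((c.name, "tunneled with no PAP/CHAP at LAC or LNS"))
        elif points == ["LAC", "LNS"] and c.lac_password != c.lns_password:
            findings.append((c.name, "LAC and LNS passwords differ"))
    return findings

# Constructed sample data (placeholder passwords).
SAMPLE = [
    Client("line1-user", "per-line", lns_auth=True, lns_password="pw-a"),
    Client("dnis-user", "radius", client_port_dnis=True),
    Client("double-auth", "radius", lns_auth=True,
           lac_password="pw-b", lns_password="pw-c"),
    Client("lac-only", "radius", lac_password="pw-d"),
]

if __name__ == "__main__":
    for name, finding in audit(SAMPLE):
        print(f"{name}: {finding}")
```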

Flow control

The LAC and LNS automatically use a flow control mechanism that is designed to reduce
network congestion. You do not need to configure the mechanism.
You can, however, configure the maximum number of unacknowledged packets that the LAC
or LNS receives before it requests that the sending device stop sending data. You can configure
the LAC or LNS to receive up to 63 unacknowledged packets before refusing new data, or you
can disable flow control completely.

Configuration of the MAX as an LAC

The LAC is responsible for requesting L2TP tunnels to the LNS. You configure the LAC to
determine when a dial-in connection should be tunneled, and you can specify the LNS used for
the connection.
MAX 6000/3000 Network Configuration Guide
The value of the Ethernet > Names/Passwords > Recv PW parameter matches the
password configured on the LAC.
Setting Up Virtual Private Networks
Configuring L2TP tunnels for dial-in clients


This manual is also suitable for:

Max 3000
