Specifying To Perform LCP Negotiation With Users - 3Com MSR 50 Series Configuration Manual

3Com MSR 30-16: Software Guide

Chapter 82: L2TP Configuration
once on the LNS. Only when the two authentications succeed can an L2TP tunnel
be set up.
On an L2TP network, an LNS authenticates users in three ways: proxy
authentication, mandatory CHAP authentication, and LCP negotiation.
If neither LCP re-negotiation nor mandatory CHAP authentication is configured,
an LNS performs proxy authentication of users. In this case, the LAC sends to the
LNS all authentication information from users as well as the authentication mode
configured on the LAC itself.
Among these three authentication methods, LCP re-negotiation has the highest
priority. If both LCP re-negotiation and mandatory CHAP authentication are
configured, an LNS uses LCP re-negotiation and the authentication mode
configured on the corresponding virtual interface template. If only mandatory
CHAP authentication is configured, an LNS will perform CHAP authentication of
users.
Follow these steps to configure mandatory CHAP authentication:

| To do... | Use the command... | Remarks |
|---|---|---|
| Enter system view | system-view | - |
| Enable L2TP | l2tp enable | Required. Disabled by default. |
| Create an L2TP group and enter its view | l2tp-group group-number | Required. By default, no L2TP group exists. |
| Configure mandatory CHAP authentication | mandatory-chap | Required. By default, CHAP authentication is not performed. |

CAUTION:
- When the LNS uses proxy authentication and the authentication method configured on the virtual interface template is PAP, a session can be established after a user passes authentication.
- If the LNS uses proxy authentication and the authentication method configured on the virtual interface template is CHAP but the authentication method on the LAC is PAP, the authentication will fail and no session can be set up. This is because the level of the CHAP authentication required by the LNS is higher than that of the PAP authentication provided by the LAC.

Specifying to perform LCP Negotiation with Users

In an NAS-initiated dial-up DVPN, a user first negotiates with the NAS at the start of a PPP session. If the negotiation succeeds, the NAS initiates an L2TP tunneling request and sends the user information to the LNS. The LNS then determines whether the user is valid according to the proxy authentication information received.

Under some circumstances (for example, when there is a need to perform authentication and accounting on the LNS), another round of LCP negotiation is required between the LNS and the user. In this case, the proxy authentication information from the NAS will be neglected.
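The priority rules and the proxy-authentication caution described on this page, as an added audit sketch (not code from the 3Com manual): it reads an LNS configuration and reports which authentication mode each L2TP group ends up using. The sample configuration is constructed, and `mandatory-lcp`, `allow l2tp virtual-template` and `ppp authentication-mode` are Comware commands that do not appear on this page, so treat their exact syntax as an assumption.

```python
# Constructed LNS configuration in Comware style (not taken from the manual).
SAMPLE = """\
interface Virtual-Template1
 ppp authentication-mode chap
#
l2tp-group 1
 allow l2tp virtual-template 1 remote lac-a
#
l2tp-group 2
 mandatory-chap
 allow l2tp virtual-template 1 remote lac-b
#
l2tp-group 3
 mandatory-lcp
 mandatory-chap
 allow l2tp virtual-template 1 remote lac-c
"""

def sections(config):
    """Map each unindented header line to the set of its indented commands."""
    out, head = {}, None
    for line in config.splitlines():
        if line.startswith(" ") and head:
            out[head].add(line.strip())
        elif line.strip() not in ("", "#"):
            head = line.strip()
            out[head] = set()
    return out

def audit(config, lac_auth):
    """Return {group: (LNS mode, outcome)}; lac_auth is 'pap' or 'chap' on the LAC."""
    sec, report = sections(config), {}
    for head, cmds in sec.items():
        if not head.startswith("l2tp-group "):
            continue
        vt = next((c.split()[3] for c in cmds
                   if c.startswith("allow l2tp virtual-template ")), None)
        tmpl = sec.get(f"interface Virtual-Template{vt}", set())
        vt_auth = next((c.split()[2] for c in tmpl
                        if c.startswith("ppp authentication-mode ")), None)
        if "mandatory-lcp" in cmds:  # assumed command name; highest priority
            report[head] = ("lcp-renegotiation", f"LNS re-authenticates using {vt_auth}")
        elif "mandatory-chap" in cmds:
            report[head] = ("mandatory-chap", "LNS re-authenticates using chap")
        elif vt_auth == "chap" and lac_auth == "pap":
            report[head] = ("proxy", "fails: template requires chap, LAC supplied pap")
        else:
            report[head] = ("proxy", "LNS checks the information relayed by the LAC")
    return report
```

Calling `audit(SAMPLE, "pap")` shows group 1 falling back to proxy authentication and hitting the CHAP/PAP mismatch from the caution, while groups 2 and 3 re-authenticate on the LNS.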
