Configuring AAA Authentication for VPN Users on an LNS; Enabling L2TP for VPNs - HPE FlexNetwork MSR Series Comware 5 Layer 2 - WAN Access Configuration Manual


Step 3. Configure mandatory CHAP authentication.
  Command: mandatory-chap
  Remarks: By default, CHAP authentication is not performed on an LNS.

Configuring LCP renegotiation

In a NAS-initiated dial-up VPDN, the user first negotiates with the NAS (the LAC) at the start of the PPP session. If that negotiation succeeds, the NAS initiates an L2TP tunneling request and forwards the user information to the LNS. The LNS then decides whether the user is valid based on the proxy authentication information it receives, that is, it trusts the LAC's authentication result.

In some cases, for example when authentication and accounting must be performed on the LNS itself, a new round of LCP negotiation is required between the LNS and the user. The LNS then authenticates the user with the authentication method configured on the corresponding VT interface.

If you enable LCP renegotiation but configure no authentication on the corresponding VT interface, the LNS does not authenticate users a second time. Instead, it directly allocates addresses from the global address pool to the PPP users already authenticated by the LAC.

To configure the LNS to perform LCP renegotiation with users:

Step 1. Enter system view.
  Command: system-view
  Remarks: N/A
Step 2. Enter L2TP group view.
  Command: l2tp-group group-number
  Remarks: N/A
Step 3. Configure the LNS to perform LCP renegotiation with users.
  Command: mandatory-lcp
  Remarks: By default, an LNS does not perform LCP renegotiation with users.

Configuring AAA authentication for VPN users on an LNS

Configure AAA on the LNS in any of the following cases:
- Proxy authentication is configured on the LNS.
- Mandatory CHAP authentication is configured on the LNS.
- Mandatory LCP renegotiation is configured on the LNS and the VT interface requires PPP user authentication.

After you configure AAA on the LNS, the LNS authenticates the identities (usernames and passwords) of VPN users a second time, independently of the LAC. If a user passes AAA authentication, the user can communicate with the LNS. Otherwise, the L2TP session is removed.

AAA configuration on the LNS side is similar to that on a LAC (see "Configuring AAA authentication for VPN users on LAC side").

Enabling L2TP for VPNs

If multiple enterprises share the same LNS and their tunnel peers (LAC devices) use the same tunnel name, the LNS cannot tell which users belong to which enterprise. The L2TP support for VPNs function solves this problem: with it, an LNS can differentiate multiple VPN domains and serve users of different enterprises simultaneously.

In an L2TP VPN application, specify the domain to which the VPN users belong with the domain keyword of the allow l2tp virtual-template command. After an L2TP tunnel is established, the LNS obtains the domain name from the session negotiation packet and looks for a matching domain among those configured locally for VPN users. If an L2TP group's tunnel peer name and domain
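The following is an added configuration example, not taken from the manual, that ties the three procedures above together on one LNS: two enterprises (domains aaa.net and bbb.net) whose LACs both present the tunnel name "lac", told apart by the domain keyword of allow l2tp virtual-template; L2TP group 1 uses mandatory-lcp so the LNS renegotiates LCP and re-authenticates via the CHAP method on its VT interface, and L2TP group 2 uses mandatory-chap. Device names, domain names, user names, passwords and addresses are all constructed; lines beginning with "#" are annotations and not Comware commands. It is assumed that a user dialing in as user1@aaa.net is matched against local-user user1 within domain aaa.net, which is the usual Comware 5 behaviour, but check it on your release.

```text
# Added example: LNS shared by two enterprises; annotations start with "#".
<LNS> system-view
[LNS] l2tp enable
#
# One AAA domain and address pool per enterprise (addresses constructed).
[LNS] domain aaa.net
[LNS-isp-aaa.net] authentication ppp local
[LNS-isp-aaa.net] ip pool 1 192.168.1.2 192.168.1.100
[LNS-isp-aaa.net] quit
[LNS] domain bbb.net
[LNS-isp-bbb.net] authentication ppp local
[LNS-isp-bbb.net] ip pool 1 192.168.2.2 192.168.2.100
[LNS-isp-bbb.net] quit
#
# Local PPP users the LNS authenticates itself (second authentication).
[LNS] local-user user1
[LNS-luser-user1] password simple Pa55w0rd-A
[LNS-luser-user1] service-type ppp
[LNS-luser-user1] quit
[LNS] local-user user2
[LNS-luser-user2] password simple Pa55w0rd-B
[LNS-luser-user2] service-type ppp
[LNS-luser-user2] quit
#
# One VT interface per enterprise. The CHAP method configured here is what
# mandatory-lcp uses when the LNS renegotiates LCP with the user; without
# it the LNS would just hand out addresses to LAC-authenticated users.
[LNS] interface virtual-template 1
[LNS-Virtual-Template1] ip address 192.168.1.1 255.255.255.0
[LNS-Virtual-Template1] ppp authentication-mode chap domain aaa.net
[LNS-Virtual-Template1] remote address pool 1
[LNS-Virtual-Template1] quit
[LNS] interface virtual-template 2
[LNS-Virtual-Template2] ip address 192.168.2.1 255.255.255.0
[LNS-Virtual-Template2] ppp authentication-mode chap domain bbb.net
[LNS-Virtual-Template2] remote address pool 1
[LNS-Virtual-Template2] quit
#
# Two L2TP groups, same tunnel peer name "lac", different domains.
# Group 1: LCP renegotiation, so the user is re-authenticated via VT 1.
[LNS] l2tp-group 1
[LNS-l2tp1] tunnel name lns
[LNS-l2tp1] allow l2tp virtual-template 1 remote lac domain aaa.net
[LNS-l2tp1] tunnel authentication
[LNS-l2tp1] tunnel password simple TunnelSecret-A
[LNS-l2tp1] mandatory-lcp
[LNS-l2tp1] quit
# Group 2: mandatory CHAP, so the LNS runs CHAP against the user directly.
[LNS] l2tp-group 2
[LNS-l2tp2] tunnel name lns
[LNS-l2tp2] allow l2tp virtual-template 2 remote lac domain bbb.net
[LNS-l2tp2] tunnel authentication
[LNS-l2tp2] tunnel password simple TunnelSecret-B
[LNS-l2tp2] mandatory-chap
[LNS-l2tp2] quit
```

The tunnel authentication and tunnel password lines gate which LACs may bring up a tunnel at all; the mandatory-lcp and mandatory-chap lines together with the domain configuration are what make the LNS verify each user's credentials itself rather than accepting the LAC's proxy authentication result. The simple keyword is used here only for readability; in a saved configuration prefer the cipher form so the tunnel and user secrets are not stored in plain text.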
