Configuring User Authentication on an LNS - HPE FlexNetwork MSR series Configuration Manual

Comware 7 layer 2 - wan access

| Step | Command | Remarks |
|---|---|---|
| 3. Configure the LNS to accept tunneling requests from an LAC and specify the VT interface to be used for tunnel setup. | If the L2TP group number is 1: allow l2tp virtual-template virtual-template-number [ remote remote-name ] | By default, an LNS denies tunneling requests from any LAC. If the L2TP group number is 1, the remote remote-name option is optional. If you do not specify this option, the LNS accepts tunneling requests from any LAC. |
| | If the L2TP group number is not 1: allow l2tp virtual-template virtual-template-number remote remote-name | |

Configuring user authentication on an LNS

An LNS can be configured to authenticate a user that has passed authentication on the LAC to
increase security. In this case, the user is authenticated once on the LAC and once on the LNS. An
L2TP tunnel can be established only when both authentications succeed.

An LNS provides the following authentication methods in ascending order of priority:

• Proxy authentication—The LNS uses the LAC as an authentication proxy. The LAC sends the
  LNS all user authentication information from users and the authentication method configured on
  the LAC itself. The LNS then checks the user validity according to the received information and
  the locally configured authentication method.
• Mandatory CHAP authentication—The LNS uses CHAP authentication to reauthenticate
  users who have passed authentication on the LAC.
• LCP renegotiation—The LNS ignores the LAC proxy authentication information and performs
  a new round of LCP negotiation with the user.

The LNS chooses an authentication method depending on your configuration.

• If you configure both LCP renegotiation and mandatory CHAP authentication, the LNS uses
  LCP renegotiation.
• If you configure only mandatory CHAP authentication, the LNS performs CHAP authentication
  for users after proxy authentication succeeds.
• If you configure neither LCP renegotiation nor mandatory CHAP authentication, the LNS uses
  the LAC for proxy authentication.

Configuring mandatory CHAP authentication

When mandatory CHAP authentication is configured, a user who uses an LAC to initiate tunneling
requests is authenticated by both the LAC and the LNS. Some users might not support the
authentication on the LNS. In this situation, do not enable this feature, because CHAP authentication
on the LNS will fail.

For this feature to take effect, you must also configure CHAP authentication for the PPP user on the
VT interface of the LNS.

To configure mandatory CHAP authentication:

| Step | Command | Remarks |
|---|---|---|
| 1. Enter system view. | system-view | N/A |
| 2. Enter L2TP group view in LNS mode. | l2tp-group group-number [ mode lns ] | N/A |
| 3. Configure mandatory CHAP | mandatory-chap | By default, CHAP authentication |
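
The method-selection rules and the VT-interface requirement described in this section can be checked against a saved configuration. The Python script below is an added example, not part of the HPE manual: the sample configuration is constructed, and it assumes the Comware commands `mandatory-lcp` (LCP renegotiation) and `ppp authentication-mode`, which this page does not show.

```python
import re
# Constructed sample in the style of a Comware 7 configuration (not from the manual).
SAMPLE_CONFIG = """\
interface Virtual-Template1
 ppp authentication-mode chap
interface Virtual-Template2
 ppp authentication-mode pap
l2tp-group 1 mode lns
 allow l2tp virtual-template 1 remote LAC-A
 mandatory-chap
l2tp-group 2 mode lns
 allow l2tp virtual-template 2 remote LAC-B
 mandatory-chap
l2tp-group 3 mode lns
 allow l2tp virtual-template 1 remote LAC-C
 mandatory-chap
 mandatory-lcp
l2tp-group 4 mode lns
 allow l2tp virtual-template 1 remote LAC-D
"""

def parse_blocks(config):
    """Map each unindented header line to its indented sub-commands (token lists)."""
    blocks, current = {}, None
    for line in config.splitlines():
        if line.startswith(" ") and current:
            blocks[current].append(line.split())
        elif line.strip() not in ("", "#"):      # "#" separates sections in saved configs
            blocks[(current := line.strip())] = []
    return blocks

def audit_lns_auth(config):
    """Return {group: (effective_method, warning_or_None)} for LNS-mode L2TP groups."""
    blocks, chap_vts, report = parse_blocks(config), set(), {}
    for header, cmds in blocks.items():          # pass 1: VT interfaces with CHAP enabled
        m = re.fullmatch(r"interface Virtual-Template(\d+)", header, re.I)
        if m and any(c[:2] == ["ppp", "authentication-mode"] and "chap" in c[2:] for c in cmds):
            chap_vts.add(m.group(1))
    for header, cmds in blocks.items():          # pass 2: one verdict per LNS-mode group
        if not (m := re.fullmatch(r"l2tp-group (\d+) mode lns", header)):
            continue
        lcp, chap = ["mandatory-lcp"] in cmds, ["mandatory-chap"] in cmds
        # Selection rule from the manual: LCP renegotiation > mandatory CHAP > proxy.
        method = "lcp-renegotiation" if lcp else "mandatory-chap" if chap else "proxy"
        vts = [c[3] for c in cmds if c[:3] == ["allow", "l2tp", "virtual-template"] and c[3:]]
        missing = [v for v in vts if v not in chap_vts] if chap and not lcp else []
        warn = "CHAP not configured on Virtual-Template " + ", ".join(missing) if missing else None
        report[int(m.group(1))] = (method, warn)
    return report
```

Group 2 in the sample is the case the manual warns about: `mandatory-chap` is set, but the VT interface it references has no CHAP authentication configured, so the feature does not take effect.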
