Configuring User Authentication on an LNS
An LNS may be configured to authenticate a user that has passed authentication on the
LAC to increase security. In this case, the user is authenticated twice, once on the LAC and
once on the LNS. Only when the two authentications succeed can an L2TP tunnel be set up.
This helps raise security.
An LNS authenticates users by using one of the following three methods:

Proxy authentication: The LNS uses the LAC as an authentication proxy. The LAC sends the LNS all user authentication information from users and the authentication mode configured on the LAC itself. The LNS then checks the user validity according to the received information. When the user authentication information passed from the LAC to the LNS is valid, the proxy authentication succeeds and a session can be established for the user if the authentication type configured on the virtual template interface is PAP. If the authentication type configured on the virtual template interface is CHAP but that configured on the LAC is PAP, the proxy authentication fails and no session is set up, because the CHAP authentication required by the LNS has a higher security level than the PAP authentication provided by the LAC.

Mandatory CHAP authentication: The LNS uses CHAP authentication to re-authenticate users who have passed authentication on the LAC.

LCP re-negotiation: The LNS ignores the LAC proxy authentication information and performs a new round of LCP negotiation with the user.

The three authentication methods above have different priorities, where LCP re-negotiation has the highest priority and proxy authentication has the lowest priority. Which method the LNS uses depends on your configuration:

If you configure both LCP re-negotiation and mandatory CHAP authentication, the LNS uses LCP re-negotiation.

If you configure only mandatory CHAP authentication, the LNS performs CHAP authentication of users.

If you configure neither LCP re-negotiation nor mandatory CHAP authentication, the LNS uses the LAC for proxy authentication of users.

Configuring mandatory CHAP authentication

With mandatory CHAP authentication configured, a VPN user that depends on a NAS to initiate tunneling requests is authenticated twice: once by the NAS and once through CHAP on the LNS.

Follow these steps to configure mandatory CHAP authentication:

To do...                                   Use the command...         Remarks
Enter system view                          system-view               —
Enter L2TP group view                      l2tp-group group-number   —
Configure mandatory CHAP authentication    mandatory-chap            Required. By default, CHAP authentication is not performed on an LNS.
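The following Python model is an added illustration, not vendor code: it encodes the method-priority rule and the proxy-authentication outcomes described above so the cases can be checked side by side. The `LnsConfig` fields, the `authenticate` function and the assumption that proxy authentication passes when the LAC performed CHAP and the virtual template also requires CHAP (the text only states the PAP case and the CHAP/PAP mismatch) are mine.

```python
"""Model of how an LNS selects its user-authentication method and whether a
session is allowed. Added illustration; not the device's implementation."""
from dataclasses import dataclass
from typing import Tuple

# Relative strength of the PPP authentication protocols (assumption: higher is
# stronger; proxy authentication fails when the LNS requires a stronger
# protocol than the LAC actually performed, which covers the CHAP/PAP case).
STRENGTH = {"pap": 1, "chap": 2}


@dataclass
class LnsConfig:
    mandatory_chap: bool = False     # 'mandatory-chap' set in L2TP group view
    lcp_renegotiation: bool = False  # LCP re-negotiation enabled on the LNS
    vt_auth: str = "pap"             # authentication type on the virtual template


def select_method(cfg: LnsConfig) -> str:
    """Apply the priority order: LCP re-negotiation > mandatory CHAP > proxy."""
    if cfg.lcp_renegotiation:
        return "lcp-renegotiation"
    if cfg.mandatory_chap:
        return "mandatory-chap"
    return "proxy"


def authenticate(cfg: LnsConfig, lac_auth: str, lac_ok: bool,
                 lns_check_ok: bool) -> Tuple[str, bool]:
    """Return (method used, session allowed).

    lac_auth:     protocol the LAC used for this user ('pap' or 'chap')
    lac_ok:       whether the user passed authentication on the LAC
    lns_check_ok: result of the LNS's own CHAP or LCP exchange (only consulted
                  for the two re-authentication methods; modelled as an input)
    """
    method = select_method(cfg)
    if not lac_ok:
        # The user is authenticated twice; failing on the LAC ends it here.
        return method, False
    if method == "proxy":
        # Proxy succeeds only if the LNS does not demand something stronger
        # than the LAC provided (CHAP required but PAP provided -> no session).
        return method, STRENGTH[lac_auth] >= STRENGTH[cfg.vt_auth]
    # Mandatory CHAP and LCP re-negotiation ignore the proxied result and
    # rely on the LNS's own exchange with the user.
    return method, lns_check_ok
```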