Configuring User Authentication On An Lns - H3C SR6600 Configuration Manual

Layer 2 – wan configuration

Configuring User Authentication on an LNS

An LNS may be configured to authenticate a user that has already passed authentication on the
LAC. In this case, the user is authenticated twice, once on the LAC and once on the LNS, and
an L2TP tunnel can be set up only when both authentications succeed. This helps raise security.
An LNS authenticates users by using one of the following three methods:
- Proxy authentication: The LNS uses the LAC as an authentication proxy. The LAC sends the LNS all authentication information received from the user, together with the authentication mode configured on the LAC itself. The LNS then checks the user's validity according to the received information. When the user authentication information passed from the LAC to the LNS is valid, the proxy authentication succeeds and a session can be established for the user if the authentication type configured on the virtual template interface is PAP. If the authentication type configured on the virtual template interface is CHAP but that configured on the LAC is PAP, the proxy authentication fails and no session is set up, because the CHAP authentication required by the LNS has a higher security level than the PAP authentication provided by the LAC.
- Mandatory CHAP authentication: The LNS uses CHAP authentication to re-authenticate users who have passed authentication on the LAC.
- LCP re-negotiation: The LNS ignores the LAC proxy authentication information and performs a new round of LCP negotiation with the user.

The three authentication methods above have different priorities, where LCP re-negotiation has the highest priority and proxy authentication has the lowest priority. Which method the LNS uses depends on your configuration:
- If you configure both LCP re-negotiation and mandatory CHAP authentication, the LNS uses LCP re-negotiation.
- If you configure only mandatory CHAP authentication, the LNS performs CHAP authentication of users.
- If you configure neither LCP re-negotiation nor mandatory CHAP authentication, the LNS uses the LAC for proxy authentication of users.

Configuring mandatory CHAP authentication

With mandatory CHAP authentication configured, a VPN user that depends on a NAS to initiate tunneling requests is authenticated twice: once by the NAS and once through CHAP on the LNS.

Follow these steps to configure mandatory CHAP authentication:

| To do... | Use the command... | Remarks |
|---|---|---|
| Enter system view | system-view | |
| Enter L2TP group view | l2tp-group group-number | |
| Configure mandatory CHAP authentication | mandatory-chap | Required. By default, CHAP authentication is not performed on an LNS. |
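The priority rules above can be checked against a saved configuration. The following is an added example, not taken from the H3C manual: it parses a constructed configuration excerpt and reports which authentication method each L2TP group ends up using, listing the groups that rely only on the LAC's result. The group contents and the `mandatory-lcp` command name (the LCP re-negotiation command, which this page does not name) are assumptions.

```python
# Added example: audit which LNS authentication method each L2TP group uses.
# CONFIG is constructed; "mandatory-lcp" is an assumed command name, not from this page.
CONFIG = """\
#
l2tp-group 1
 tunnel name lns-a
 mandatory-chap
 mandatory-lcp
#
l2tp-group 2
 mandatory-chap
#
l2tp-group 3
 tunnel name lns-c
#
interface Virtual-Template1
 ppp authentication-mode chap
#
"""

def parse_l2tp_groups(text):
    """Return {group_number: set of commands configured in that group's view}."""
    groups, current = {}, None
    for line in text.splitlines():
        if line.startswith("l2tp-group "):
            current = int(line.split()[1])
            groups[current] = set()
        elif line.startswith(" ") and current is not None:
            groups[current].add(line.strip())
        else:
            current = None  # "#" or another top-level section ends the view
    return groups

def effective_method(commands):
    """Apply the priority order: LCP re-negotiation > mandatory CHAP > proxy."""
    if "mandatory-lcp" in commands:
        return "lcp-renegotiation"
    if "mandatory-chap" in commands:
        return "mandatory-chap"
    return "proxy"

def audit(text):
    """Map each group to its method; list groups that rely on the LAC's result."""
    methods = {g: effective_method(c) for g, c in parse_l2tp_groups(text).items()}
    proxy_only = sorted(g for g, m in methods.items() if m == "proxy")
    return methods, proxy_only

if __name__ == "__main__":
    print(audit(CONFIG))
```

Groups reported as `proxy` are the ones where the LNS does not re-authenticate the user itself, so they are the ones to review when double authentication is required.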
