Configuring AAA Authentication of VPN Users on LNS Side - H3C SR6600 Configuration Manual

Layer 2 – wan configuration

Some PPP clients may not support re-authentication, in which case LNS side CHAP
authentication will fail.
Configuring LCP re-negotiation
In an NAS-initiated dial-up VPDN, a user first negotiates with the NAS at the start of a PPP
session. If the negotiation succeeds, the NAS initiates an L2TP tunneling request and
sends the user information to the LNS. The LNS then determines whether the user is valid
according to the proxy authentication information received.
Under some circumstances (when there is a need to perform authentication and accounting
on the LNS, for example), a new round of Link Control Protocol (LCP) negotiation is
required between the LNS and the user, and the LNS authenticates the user by using the
authentication method configured on the corresponding virtual template interface.
If you enable LCP re-negotiation but configure no authentication for the corresponding
virtual interface template, the LNS does not perform an additional authentication of users.
Instead, the LNS directly allocates addresses from the global address pool to PPP users
authenticated by the LAC.
Follow these steps to specify to perform LCP re-negotiation with users:

| To do... | Use the command... | Remarks |
| --- | --- | --- |
| Enter system view | system-view | |
| Enter L2TP group view | l2tp-group group-number | |
| Specify to perform LCP re-negotiation with users | mandatory-lcp | Required. By default, an LNS does not perform LCP re-negotiation with users. |

Configuring AAA Authentication of VPN Users on LNS Side

You need to configure AAA on the LNS when either of the following is true:
- Mandatory CHAP authentication is configured on the LNS
- Mandatory LCP re-negotiation authentication is configured on the LNS and the virtual
  interface template requires authenticating PPP users.
After you configure AAA on the LNS, the LNS can authenticate the identities (usernames
and passwords) of VPN users for a second time. If a user passes the AAA authentication,
the user can communicate with the LNS. Otherwise, the L2TP session will be removed.
LNS side AAA configurations are similar to those on an LAC. See
Configuring AAA Authentication of VPN Users on LAC Side for more information.
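The case described above, where LCP re-negotiation is enabled but the virtual template has no authentication, leaves the LAC as the only point that checked the user. The following is an added example, not part of the manual: a small audit script that classifies each L2TP group in a saved LNS configuration. It assumes the configuration text uses the Comware lines `interface Virtual-TemplateN`, `ppp authentication-mode ...` and `allow l2tp virtual-template N remote ...`, which do not appear on this page; the function names and sample configuration are constructed, and `mandatory-chap` is not examined.

```python
import re

# Constructed sample in Comware configuration style (not taken from the manual).
SAMPLE_CONFIG = """\
interface Virtual-Template1
 ppp authentication-mode chap domain system
#
interface Virtual-Template2
#
l2tp-group 1
 allow l2tp virtual-template 1 remote lac-a
 mandatory-lcp
#
l2tp-group 2
 allow l2tp virtual-template 2 remote lac-b
 mandatory-lcp
#
l2tp-group 3
 allow l2tp virtual-template 1 remote lac-c
"""

def parse_sections(text):
    """Map each unindented view header to the list of its indented command lines."""
    sections, current = {}, []  # commands seen before any header are discarded
    for line in text.splitlines():
        if line[:1].isspace():
            current.append(line.strip())
        elif line.strip() not in ("", "#"):
            current = sections.setdefault(line.strip(), [])
    return sections

def audit_lns(text):
    """Return {L2TP group number: status} showing where the user is really authenticated."""
    sections = parse_sections(text)
    authed = {m.group(1) for h, body in sections.items()
              if (m := re.fullmatch(r"interface virtual-template ?(\d+)", h, re.I))
              and any(l.startswith("ppp authentication-mode") for l in body)}
    result = {}
    for header, body in sections.items():
        if not (group := re.fullmatch(r"l2tp-group (\d+)", header)):
            continue
        vt = re.search(r"^allow l2tp virtual-template (\d+)", "\n".join(body), re.M)
        if "mandatory-lcp" not in body:
            status = "no-lcp-renegotiation"       # LNS relies on the LAC's proxy authentication
        elif vt and vt.group(1) in authed:
            status = "lns-reauthenticates"        # second authentication happens on the LNS
        else:
            status = "renegotiates-without-auth"  # LCP redone, but only the LAC checked the user
        result[group.group(1)] = status
    return result
```

Groups reported as `renegotiates-without-auth` are the ones to review: either add authentication to the virtual template and configure AAA on the LNS, or confirm that trusting the LAC is intended.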
