The WLAN Access Manager configuration of PPTP and L2TP is relatively simple.
First, you either enable or disable PPTP and L2TP. Then, you configure IP address
assignment.
Since PPTP and L2TP were originally designed as remote access protocols, used by
traveling clients to access their home network, the PPTP and L2TP protocols assign
an IP address to the client computer. But in a WLAN Secure Server environment,
a client usually obtains an IP address before enabling PPTP and L2TP encryption.
This results in two IP addresses: an initial one that describes the PPTP or L2TP
tunnel, and one that describes the actual IP address used by the client.
The WLAN Access Manager can be configured in one of two ways to assign this
inner-tunnel address: it can either assign an address from a range of addresses
pre-specified by the network administrator, or it can request an external DHCP server
to assign an address.
In addition to configuring the WLAN Access Manager, you must also configure the
location in the Rights Manager in order to use PPTP and L2TP. When you configure
a location to use PPTP or L2TP, you must decide how to do PPTP and L2TP user
authentication. For PPTP only, you must specify the strength of MPPE (RC4)
encryption to use.
Note:
Configuring a location to use PPTP and L2TP encryption has a non-obvious effect on
how IP addresses are assigned at that location. Normally, a WLAN Access Manager
provides an IP address for clients with NAT mode enabled and, for non-NAT clients,
passes any DHCP requests to an external DHCP server. When you configure a location
to use PPTP or L2TP encryption, you actually get two IP addresses: one is the IP address
of the tunnel that encapsulates all data packets; the other is the IP address of the client.
If a location is going to use PPTP encryption, this outer tunnel address must be assigned
by the WLAN Access Manager. The inner tunnel IP address can then be selected to be
assigned by the WLAN Access Manager or an external DHCP server. For more
information, see
There are three ways to perform PPTP and L2TP user authentication at a location.
You can do the authentication through a RADIUS authentication server, you can
use the Rights Manager's built-in username and password database, or you can
use a shared secret.
Caution: Using a shared secret is inherently insecure and should be avoided if at all possible. It is
provided as a convenience for sites that cannot or choose not to use RADIUS or the
built-in server.
If you choose to use RADIUS or built-in authentication, the WLAN Secure Server
uses the PPTP/L2TP authentication both to authenticate the PPTP and L2TP
connection with a shared secret and to authenticate the user to the WLAN Security
System.
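The address-assignment and authentication rules above can be checked mechanically when reviewing a deployment. The following audit function is an added example, not part of the manual or the product: the dictionary layout and field names are hypothetical, and it assumes the MPPE strengths offered are the 40-, 56- and 128-bit key lengths defined for MPPE.

```python
# Added example: field names and the dict layout are hypothetical,
# not the product's own configuration format.
MPPE_BITS = (40, 56, 128)  # MPPE key lengths (assumed to be the options offered)
AUTH_METHODS = ("radius", "builtin", "shared_secret")

def audit_location(loc):
    """Return a list of (severity, message) findings for one location."""
    findings = []
    protocols = set(loc.get("protocols", []))
    if not protocols & {"pptp", "l2tp"}:
        return findings  # no tunnel encryption configured; nothing to check
    auth = loc.get("auth")
    if auth not in AUTH_METHODS:
        findings.append(("error", f"unknown authentication method: {auth!r}"))
    elif auth == "shared_secret":
        findings.append(("high", "shared-secret authentication in use; "
                                 "prefer RADIUS or the built-in database"))
    if "pptp" in protocols:
        bits = loc.get("mppe_bits")
        if bits not in MPPE_BITS:
            findings.append(("error", "PPTP requires an MPPE strength"))
        elif bits < 128:
            findings.append(("medium", f"MPPE key is {bits}-bit; 128-bit is "
                                       "the strongest MPPE key length"))
        # For PPTP, the outer tunnel address must come from the Access Manager.
        if loc.get("outer_address_source") != "access_manager":
            findings.append(("error", "PPTP outer tunnel address must be "
                                      "assigned by the WLAN Access Manager"))
    # The inner address comes from an administrator range or an external DHCP server.
    inner = loc.get("inner_address_source")
    if inner == "range":
        if not loc.get("inner_range"):
            findings.append(("error", "inner address source is 'range' "
                                      "but no range is configured"))
    elif inner != "external_dhcp":
        findings.append(("error", f"invalid inner address source: {inner!r}"))
    return findings

# Constructed sample locations (not taken from a real deployment).
WEAK = {"protocols": ["pptp"], "auth": "shared_secret", "mppe_bits": 40,
        "outer_address_source": "external_dhcp",
        "inner_address_source": "range", "inner_range": None}
HARDENED = {"protocols": ["pptp", "l2tp"], "auth": "radius", "mppe_bits": 128,
            "outer_address_source": "access_manager",
            "inner_address_source": "external_dhcp"}

if __name__ == "__main__":
    for name, loc in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, audit_location(loc))
```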
VPN Security (Airwave Security)
Figure 3-1