EAP Behavior in an L2TP Environment - Juniper JUNOSE SOFTWARE 11.0.X - LINK LAYER CONFIGURATION GUIDE 4-1-2010 Configuration Manual

For E Series Broadband Services Routers - Link Layer Configuration

governed by nonconfigurable values for retransmission attempts and interval. The
configuration of the RADIUS client determines retransmission values for response
packets to the RADIUS server. The retransmission values are as follows:

- PPP makes five attempts to retransmit an EAP request before the authentication
  attempt is terminated. You cannot configure the number of retransmission
  attempts.
- When an EAP request is transmitted, a timer is started with a nonconfigurable
  retransmission interval value of 3 seconds. When the timer expires, the EAP
  request is retransmitted.

In some cases, you might want a longer retransmission interval. For example, you
might need to accommodate the additional time required by a user to enter
information or scan a fingerprint or retina. RADIUS can instruct the JUNOSe software
to wait longer by passing an appropriate Session-Timeout attribute in the RADIUS
Access-Challenge packet. This retransmission interval value applies only to the EAP
request packet present in the RADIUS Access-Challenge packet.

The Session-Timeout attribute value overrides the default retransmission interval
value, up to a maximum of 30 seconds. If RADIUS recommends a greater value, then
PPP resets it back to 30 seconds in order to avoid longer or infinite delays.
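
The following added example (not from the Juniper manual and not JUNOSe code) parses a RADIUS packet and computes the EAP retransmission interval according to the rules above, which is useful for checking a captured Access-Challenge against the RADIUS server's configuration. The function names and the sample packets are hypothetical and constructed for illustration; the attribute and packet codes are those of RFC 2865 and RFC 3579.

```python
import struct

ACCESS_CHALLENGE = 11   # RADIUS packet code (RFC 2865)
SESSION_TIMEOUT = 27    # RADIUS attribute type (RFC 2865)
EAP_MESSAGE = 79        # RADIUS attribute type (RFC 3579)
DEFAULT_INTERVAL = 3    # seconds, per the text above
MAX_INTERVAL = 30       # seconds, per the text above

def parse_radius(packet: bytes):
    """Return (code, [(attr_type, value), ...]), rejecting malformed lengths."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if not 20 <= length <= len(packet):
        raise ValueError("bad RADIUS length field")
    attrs, pos = [], 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        a_type, a_len = packet[pos], packet[pos + 1]
        if a_len < 2 or pos + a_len > length:
            raise ValueError("bad attribute length")
        attrs.append((a_type, packet[pos + 2:pos + a_len]))
        pos += a_len
    return code, attrs

def eap_retransmit_interval(packet: bytes) -> int:
    """Seconds to wait before retransmitting the EAP request in this packet."""
    code, attrs = parse_radius(packet)
    # The override applies only to an EAP request carried in an Access-Challenge.
    if code != ACCESS_CHALLENGE or all(t != EAP_MESSAGE for t, _ in attrs):
        return DEFAULT_INTERVAL
    for a_type, value in attrs:
        if a_type == SESSION_TIMEOUT and len(value) == 4:
            # Only the upper bound is stated on the page; smaller values
            # are returned unchanged here (assumption).
            return min(struct.unpack("!I", value)[0], MAX_INTERVAL)
    return DEFAULT_INTERVAL

def build(code, attrs):
    """Constructed sample packet: zeroed authenticator, identifier 1."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    return struct.pack("!BBH", code, 1, 20 + len(body)) + bytes(16) + body

EAP_REQ = b"\x01\x02\x00\x06\x04\x00"  # constructed EAP request bytes
if __name__ == "__main__":
    for code, secs in [(11, 20), (11, 120), (2, 120)]:
        pkt = build(code, [(EAP_MESSAGE, EAP_REQ), (SESSION_TIMEOUT, struct.pack("!I", secs))])
        print(code, secs, "->", eap_retransmit_interval(pkt))
```

A Session-Timeout in an Access-Accept describes the session lifetime rather than a retransmission hint, which is why the last sample falls back to the default.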

EAP Behavior in an L2TP Environment

EAP behavior in an L2TP environment varies depending on whether the router acts
as a LAC or an LNS.

When the E Series Router Acts as a LAC

When PPP forwards an EAP identity response packet to AAA, AAA might be configured
to return a tunnel response upon successful validation of the packet. You can use
AAA domain maps, a AAA profile, or both to force such tunneling.

On an LAC, PPP forwards the PPP EAP authentication information to the LNS during
the establishment of the L2TP session. This authentication information consists of
the EAP type, the data appropriate to the type (such as a username) contained in the
EAP identity response packet, and the identifier of the EAP identity response packet.
If the LNS trusts the LAC, then the LNS uses this authentication information to resume
the EAP negotiation where the LAC left off.

L2TP on an LAC forwards the PPP EAP authentication information in the Proxy
Authen AVPs as described in L2TP Proxy Authenticate Extensions for
EAP, draft-ietf-l2tpext-proxy-authen-ext-eap-01.txt (December 2006 expiration).

When the E Series Router Acts as an LNS

PPP on an LNS resumes the EAP negotiation operation by detecting the presence of
EAP information in the proxy authentication data supplied by L2TP. PPP reconstructs
the EAP identity response packet from the proxy authentication data and forwards
it to AAA.

Chapter 7: Configuring Point-to-Point Protocol