Copyright © 2010, Juniper Networks, Inc.
When an EAP request is transmitted, a timer is started with a nonconfigurable
retransmission interval value of 3 seconds. When the timer expires, the EAP request is
retransmitted.
In some cases, you might want a longer retransmission interval. For example, you might
need to accommodate the additional time required by a user to enter information or scan
a fingerprint or retina. RADIUS can instruct the JunosE Software to wait longer by passing
an appropriate Session-Timeout attribute in the RADIUS Access-Challenge packet. This
retransmission interval value applies only to the EAP request packet present in the RADIUS
Access-Challenge packet.
The Session-Timeout attribute value overrides the default retransmission interval value,
up to a maximum of 30 seconds. If RADIUS recommends a greater value, then PPP resets
it back to 30 seconds in order to avoid longer or infinite delays.
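The interval rule above, applied to a RADIUS Access-Challenge, as an added example that is not from this guide or from JunosE: it parses the packet, looks for Session-Timeout next to the EAP request, and returns the interval the text describes. The function names and the constructed sample packet are assumptions of this example, as is returning the default for packets that are not an Access-Challenge carrying an EAP-Message; the attribute numbers are those of RFC 2865 and RFC 3579.

```python
import struct

ACCESS_CHALLENGE = 11   # RADIUS packet code (RFC 2865)
SESSION_TIMEOUT = 27    # attribute type, 4-byte unsigned integer (RFC 2865)
EAP_MESSAGE = 79        # attribute type (RFC 3579)
DEFAULT_INTERVAL = 3    # seconds, default stated in the text above
MAX_INTERVAL = 30       # seconds, ceiling stated in the text above


def parse_attributes(packet: bytes):
    """Yield (type, value) pairs from a RADIUS packet, validating lengths."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    _, _, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        raise ValueError("bad RADIUS length field")
    pos = 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("bad attribute length")
        yield atype, packet[pos + 2:pos + alen]
        pos += alen


def eap_retransmit_interval(packet: bytes) -> int:
    """Interval in seconds for the EAP request carried in this packet."""
    attrs = list(parse_attributes(packet))
    has_eap = any(t == EAP_MESSAGE for t, _ in attrs)
    if packet[0] != ACCESS_CHALLENGE or not has_eap:
        return DEFAULT_INTERVAL          # assumption: rule does not apply
    for atype, value in attrs:
        if atype == SESSION_TIMEOUT and len(value) == 4:
            return min(struct.unpack("!I", value)[0], MAX_INTERVAL)
    return DEFAULT_INTERVAL


def build_challenge(session_timeout=None) -> bytes:
    """Constructed sample Access-Challenge (Message-Authenticator omitted)."""
    eap = bytes([1, 7, 0, 5, 1])         # EAP Request, id 7, length 5, type 1
    attrs = bytes([EAP_MESSAGE, 2 + len(eap)]) + eap
    if session_timeout is not None:
        attrs += bytes([SESSION_TIMEOUT, 6]) + struct.pack("!I", session_timeout)
    header = struct.pack("!BBH", ACCESS_CHALLENGE, 1, 20 + len(attrs)) + bytes(16)
    return header + attrs
```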
EAP Behavior in an L2TP Environment
EAP behavior in an L2TP environment varies depending on whether the router acts as a
LAC or an LNS.
When the E Series Router Acts as a LAC
When PPP forwards an EAP identity response packet to AAA, AAA might be configured
to return a tunnel response upon successful validation of the packet. You can use AAA
domain maps, a AAA profile, or both to force such tunneling.
On an LAC, PPP forwards the PPP EAP authentication information to the LNS during the
establishment of the L2TP session. This authentication information consists of the EAP
type, the data appropriate to the type (such as a username) contained in the EAP identity
response packet, and the identifier of the EAP identity response packet. If the LNS trusts
the LAC, then the LNS uses this authentication information to resume the EAP negotiation
where the LAC left off.
L2TP on an LAC forwards the PPP EAP authentication information in the Proxy Authen
AVPs as described in L2TP Proxy Authenticate Extensions for
EAP—draft-ietf-l2tpext-proxy-authen-ext-eap-01.txt (December 2006 expiration).
When the E Series Router Acts as an LNS
PPP on an LNS resumes the EAP negotiation operation by detecting the presence of EAP
information in the proxy authentication data supplied by L2TP. PPP reconstructs the EAP
identity response packet from the proxy authentication data and forwards it to AAA.
L2TP on an LNS processes the received Proxy Authen AVPs as described in L2TP Proxy
Authenticate Extensions for EAP—draft-ietf-l2tpext-proxy-authen-ext-eap-01.txt
(December 2006 expiration).
Limitations
EAP is subject to internal limits. When the E Series router acts as a pass-through between
the backend authentication server and the peer, EAP packets traverse the controllers
within the router. The size of EAP packets and fragments tends to be larger than the
buffer exchange limit—1450 bytes—between the controllers. This intercontroller buffer
exchange limit is tuned for the optimal system performance and scalability; also, when
Chapter 8: Configuring Point-to-Point Protocol