257
4. The LAC sends the authentication information (the username and password) to its RADIUS
server for authentication.
5. The LAC RADIUS server authenticates the user.
6. If the user passes authentication, the LAC initiates a tunneling request to the LNS.
7. If tunnel authentication is required, the LAC sends a CHAP challenge to the LNS. The LNS
returns a CHAP response and sends its CHAP challenge to the LAC. Accordingly, the LAC
returns a CHAP response to the LNS.
8. The tunnel passes authentication.
9. The LAC sends the CHAP response, response identifier, and PPP negotiation parameters of
the user to the LNS.
10. The LNS sends an access request to its RADIUS server for authentication.
11. The RADIUS server authenticates the access request and returns a response if the user
passes authentication.
12. If the LNS is configured to perform a mandatory CHAP authentication for the user, the LNS
sends a CHAP challenge to the user and the user returns a CHAP response.
13. The LNS resends the access request to its RADIUS server for authentication.
14. The RADIUS server authenticates the access request and returns a response if the user
passes authentication.
15. The LNS assigns an internal IP address to the remote user. The user can now access the
internal resources of the enterprise network.
L2TP features
• Flexible identity authentication mechanism and high security—L2TP by itself does not
provide security for connections. However, it has all the security features of PPP and allows for
PPP authentication (CHAP or PAP). L2TP can also cooperate with IPsec to guarantee data
security, strengthening the resistance of tunneled data to attacks. Tunnel encryption,
end-to-end data encryption, and end-to-end application-layer data encryption technologies can
be used together with L2TP for higher data security as required.
• Multiprotocol transmission—L2TP tunnels PPP frames, which can be used to encapsulate
packets of multiple network layer protocols.
• RADIUS authentication—An LAC and LNS can send the username and password of a remote
user to a RADIUS server for authentication.
• Private address allocation—An LNS can reside behind the firewall of a corporate network and
dynamically allocates private addresses to remote users, facilitating corporate private address
management (RFC 1918) and improving the security.
• Accounting flexibility—Accounting can be simultaneously carried out on the LAC and LNS,
allowing bills to be generated on the ISP side and charging and auditing to be processed on the
enterprise gateway. The L2TP can provide accounting data, such as inbound and outbound
traffic statistics (in packets and bytes) and the connection's start time and end time. These
features enable flexible accounting.
• Reliability—L2TP supports LNS backup. When the connection to the primary LNS is torn down,
an LAC can establish a new one to a secondary LNS. This redundancy enhances the reliability
and fault tolerance of VPN services.
L2TP-based EAD
When EAD is used, a PPP user that has passed access authentication must also pass security
authentication on the EAD server before accessing network resources. If the security authentication
fails, the user can access only the resources in the quarantined area.
This function is implemented in the following procedure:
To Next Page
Loading...
Need help?
General
