265
Step Command Remarks
3. Specify the VT interface for
receiving calls, the tunnel
name on the LAC, and the
domain name.
• If the L2TP group number
is 1 (the default):
allow l2tp
virtual-template
virtual-template-number
[ remote remote-name ]
[ domain domain-name ]
• If the L2TP group number
is not 1:
allow l2tp
virtual-template
virtual-template-number
[ remote remote-name ]
[ domain domain-name ]
Use either command.
By default, an LNS denies all
incoming calls.
If the L2TP group number is 1, do
not specify the LAC side tunnel
name. In L2TP group 1, the LNS
allows the LAC to initiate a
tunneling request by using any
tunnel name.
Configuring user authentication on an LNS
You can configure an LNS to authenticate a user that has passed authentication on the LAC to
increase security. In this case, the user is authenticated twice, once on the LAC and once on the LNS.
Only when the two authentications succeed can an L2TP tunnel be set up. This helps raise security.
An LNS authenticates users by using one of the following methods:
• Proxy authentication—The LNS uses the LAC as an authentication proxy. The LAC sends the
LNS all user authentication information from users and the authentication mode configured on
the LAC itself. The LNS then checks the user validity according to the received information and
the locally configured authentication method.
• Mandatory CHAP authentication—The LNS uses CHAP authentication to reauthenticate
users who have passed authentication on the LAC.
• LCP renegotiation—The LNS ignores the LAC proxy authentication information and performs
a new round of LCP negotiation with the user.
The three authentication methods have different priorities, where LCP renegotiation has the highest
priority and proxy authentication has the lowest priority. Which method the LNS uses depends on
your configuration:
• If you configure both LCP renegotiation and mandatory CHAP authentication, the LNS uses
LCP renegotiation.
• If you configure only mandatory CHAP authentication, the LNS performs CHAP authentication
of users.
• If you configure neither LCP renegotiation nor mandatory CHAP authentication, the LNS uses
the LAC for proxy authentication of users.
Configuring mandatory CHAP authentication
With mandatory CHAP authentication configured, a VPN user depending on a NAS to initiate
tunneling requests is authenticated twice: once by the NAS and once through CHAP on the LNS.
Some PPP clients might not support reauthentication, in which case LNS side CHAP authentication
will fail.
To configure mandatory CHAP authentication:
Step Command Remarks
1. Enter system view.
system-view
N/A
2. Enter L2TP group view.
l2tp-group
group-number N/A
To Next Page
Loading...
Need help?
General
