HPE FlexNetwork MSR Series User Manual

HPE FlexNetwork MSR Series
861 pages
Item: Mandatory CHAP

Description:

Configure user authentication on an LNS.

You can configure an LNS to authenticate a user who has passed authentication on the LAC to increase security. In this case, an L2TP tunnel can be set up only when both of the authentications succeed. An LNS can authenticate users in the following ways:

- Mandatory CHAP authentication—A VPN user who depends on a NAS to initiate tunneling requests is authenticated twice, once when accessing the NAS and once on the LNS by using CHAP.
- LCP re-negotiation—A PPP user who depends on a NAS to initiate tunneling requests first performs PPP negotiation with the NAS. If the negotiation succeeds, the NAS initiates an L2TP tunneling request and sends the user authentication information to the LNS. The LNS then determines whether the user is valid according to the user authentication information received. Under some circumstances (for example, when authentication and accounting are required on the LNS), another round of LCP negotiation is required between the LNS and the user. In this case, the user authentication information from the NAS is ignored.
- Proxy authentication—If neither LCP re-negotiation nor mandatory CHAP authentication is configured, an LNS performs proxy authentication of users. In this case, the LAC sends to the LNS all authentication information from users and the authentication mode configured on the LAC itself.

IMPORTANT:

- Among these three authentication methods, LCP re-negotiation has the highest priority. If both LCP re-negotiation and mandatory CHAP authentication are configured, the LNS uses LCP re-negotiation and the PPP authentication method configured in the L2TP group.
- With LCP re-negotiation, if no PPP authentication method is configured in the L2TP group, the LNS will not re-authenticate users. It will assign public addresses to the PPP users immediately. In other words, the users are authenticated only once at the LAC end.
- Some PPP clients might not support re-authentication, in which case LNS-side CHAP authentication will fail.
- When the LNS uses proxy authentication and the user authentication information received from the LAC is valid, if the authentication method configured in the L2TP group is PAP, the proxy authentication succeeds and a session can be established for the user. If the authentication method configured in the L2TP group is CHAP but that configured on the LAC is PAP, the proxy authentication fails and no session can be set up. This is because the level of CHAP authentication, which is required by the LNS, is higher than that of PAP authentication, which the LAC provides.

Item: Mandatory LCP
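
The precedence rules above, written out as a configuration check. This is an added example, not code from the manual or from HPE: the class, field and function names are hypothetical, the sample configurations are constructed, and combinations the page does not describe are reported as such rather than guessed.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass
class LnsAuthConfig:  # hypothetical model of the settings, not a device API
    name: str
    lcp_renegotiation: bool        # LCP re-negotiation configured on the LNS
    mandatory_chap: bool           # mandatory CHAP authentication configured
    group_ppp_auth: Optional[str]  # PPP auth method in the L2TP group, or None
    lac_auth: str                  # authentication mode configured on the LAC

def evaluate(cfg: LnsAuthConfig) -> Tuple[str, str]:
    """Return (method the LNS applies, outcome or audit finding)."""
    if cfg.lcp_renegotiation:  # highest priority, even with mandatory CHAP set
        if cfg.group_ppp_auth is None:
            return ("lcp-renegotiation",
                    "FINDING: LNS does not re-authenticate; only the LAC authenticated the user")
        return ("lcp-renegotiation",
                f"LNS re-authenticates with {cfg.group_ppp_auth}; NAS-supplied info ignored")
    if cfg.mandatory_chap:
        return ("mandatory-chap",
                "LNS re-authenticates with chap; fails if the client cannot re-authenticate")
    # Neither configured: proxy authentication on what the LAC forwarded
    # (assumed valid here, as in the page's own case).
    if cfg.group_ppp_auth == "pap":
        return ("proxy", "session established")
    if cfg.group_ppp_auth == "chap" and cfg.lac_auth == "pap":
        return ("proxy", "FAIL: LNS requires chap but the LAC provided pap")
    return ("proxy", "combination not covered by the page")

def audit(configs: List[LnsAuthConfig]) -> List[str]:
    """Names of configurations that end in a FINDING or FAIL outcome."""
    return [c.name for c in configs
            if evaluate(c)[1].startswith(("FINDING", "FAIL"))]

# Constructed sample configurations (not taken from any real device).
SAMPLES = [
    LnsAuthConfig("both-set-no-group-auth", True, True, None, "chap"),
    LnsAuthConfig("both-set-group-chap", True, True, "chap", "pap"),
    LnsAuthConfig("chap-only", False, True, None, "pap"),
    LnsAuthConfig("proxy-pap", False, False, "pap", "pap"),
    LnsAuthConfig("proxy-chap-vs-lac-pap", False, False, "chap", "pap"),
]

if __name__ == "__main__":
    for c in SAMPLES:
        print(c.name, *evaluate(c), sep=" | ")
```

The first sample is the case to look for in a review: both options are set, yet the user is authenticated only at the LAC because the L2TP group has no PPP authentication method.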