L2TP-based EAD

When EAD is used, a PPP user that has passed access authentication must also pass security authentication on the EAD server before accessing network resources. If the security authentication fails, the user can access only the resources in the quarantined area.

This function is implemented in the following procedure:

  1. The iNode client (the user host) connects to the LNS device through L2TP. After the client passes PPP authentication, the CAMS/IMC server issues the isolation ACL to the device, which will then filter packets from the client by using the firewall function.

  2. After the IPCP negotiation, the CAMS/IMC server sends its own IP address (which is permitted by the isolation ACL) to the iNode client through the device.

  3. The CAMS/IMC server performs EAD authentication and security checks on the iNode client. After the client passes the security authentication, the CAMS/IMC server issues a security ACL to the device to allow the client to access network resources.
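The following Python model is an added illustration of the procedure above, not device or CAMS/IMC code. It shows how the ACL bound to a session decides what the client can reach at each step. All addresses, ACL rules, and the names `LnsSession`, `acl_permits`, `ISOLATION_ACL`, and `SECURITY_ACL` are constructed for this example, and dropping all traffic before any ACL is issued is a modelling assumption.

```python
import ipaddress

# Constructed sample values; real ACLs are issued by the CAMS/IMC server.
EAD_SERVER = "10.0.0.10"
ISOLATION_ACL = [
    ("permit", "10.0.0.10/32"),  # EAD server, so the security check can run (step 2)
    ("permit", "10.0.99.0/24"),  # quarantined area
    ("deny", "0.0.0.0/0"),
]
SECURITY_ACL = [("permit", "10.0.0.0/8"), ("deny", "0.0.0.0/0")]


def acl_permits(acl, dst):
    """First-match evaluation; no ACL bound or no matching rule means deny."""
    addr = ipaddress.ip_address(dst)
    for action, net in acl or []:
        if addr in ipaddress.ip_network(net):
            return action == "permit"
    return False


class LnsSession:
    """State the LNS keeps for one L2TP/PPP user in this model."""

    def __init__(self):
        self.acl = None  # assumption: nothing is forwarded before PPP authentication

    def ppp_authenticated(self):
        # Step 1: the isolation ACL is issued as soon as PPP authentication passes.
        self.acl = ISOLATION_ACL

    def ead_result(self, passed):
        # Step 3: only a passed security check replaces the isolation ACL.
        if self.acl is None:
            raise RuntimeError("EAD result received before PPP authentication")
        if passed:
            self.acl = SECURITY_ACL

    def forward(self, dst):
        """Packet-filter decision for a packet from the client to dst."""
        return acl_permits(self.acl, dst)
```

A failed security check leaves the isolation ACL in place, so the client keeps access to the EAD server and the quarantined area only.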

When you configure L2TP-based EAD, follow these guidelines:

For information about packet-filter firewalls, AAA, RADIUS, and portal authentication, see HPE FlexNetwork MSR Router Series Comware 5 Security Configuration Guide.