Configuring user authentication on an LNS

You can configure an LNS to authenticate a user again after that user has already passed authentication on the LAC. The user is then authenticated twice, once on the LAC and once on the LNS, and the user's session over the L2TP tunnel is established only if both authentications succeed. This prevents a user that the LAC admits from reaching the private network on the strength of the LAC's decision alone.

An LNS authenticates users by using one of the following methods:

- Proxy authentication: the LNS accepts the authentication information that the LAC forwards with the tunneling request and decides from that information whether the user is valid. The LNS itself does not challenge the user.
- Mandatory CHAP authentication: the LNS authenticates the user a second time through CHAP.
- LCP renegotiation: the LNS performs a new round of LCP negotiation with the user and authenticates the user by the method configured on the corresponding VT interface.

The three methods have different priorities: LCP renegotiation has the highest priority and proxy authentication the lowest. Which method the LNS uses depends on your configuration:

- If you configure LCP renegotiation, the LNS performs LCP renegotiation, regardless of whether mandatory CHAP authentication is also configured.
- If you configure only mandatory CHAP authentication, the LNS performs CHAP authentication.
- If you configure neither, the LNS performs proxy authentication only.

Configuring mandatory CHAP authentication

With mandatory CHAP authentication configured, a VPN user whose tunneling request is initiated by a NAS (the LAC) is authenticated twice: once by the NAS and once through CHAP on the LNS.

Some PPP clients do not support reauthentication. For such clients, the LNS-side CHAP authentication fails and the user cannot access the network through the LNS, even though the NAS has already admitted the user.

To configure mandatory CHAP authentication:

Step 1: Enter system view.
  Command: system-view
  Remarks: N/A

Step 2: Enter L2TP group view.
  Command: l2tp-group group-number
  Remarks: N/A

Step 3: Configure mandatory CHAP authentication.
  Command: mandatory-chap
  Remarks: By default, CHAP authentication is not performed on an LNS.

Configuring LCP renegotiation

In a NAS-initiated dial-up VPDN, a user first negotiates with the NAS at the start of a PPP session. If the negotiation succeeds, the NAS initiates an L2TP tunneling request and sends user information to the LNS. The LNS then determines whether the user is valid according to the proxy authentication information received.

Under some circumstances, for example, when authentication and accounting are needed on the LNS, a new round of LCP negotiation is required between the LNS and the user, and the LNS authenticates the user by using the authentication method configured on the corresponding VT interface.

If you enable LCP renegotiation but configure no authentication method on the corresponding VT interface, the LNS performs no second authentication at all. It renegotiates LCP and then directly allocates addresses from the global address pool to the PPP users that the LAC has authenticated. The mandatory-lcp command therefore only enforces double authentication when the VT interface carries a PPP authentication configuration (for example, CHAP); check the VT interface whenever you enable it.

To configure the LNS to perform LCP renegotiation with users:

Step 1: Enter system view.
  Command: system-view
  Remarks: N/A

Step 2: Enter L2TP group view.
  Command: l2tp-group group-number
  Remarks: N/A

Step 3: Configure the LNS to perform LCP renegotiation with users.
  Command: mandatory-lcp
  Remarks: By default, an LNS does not perform LCP renegotiation with users.
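The following is an added example, not configuration from the original page or from the vendor, that puts the two procedures above together into a complete LNS configuration. It enforces the second authentication through LCP renegotiation and, in the comments, shows the weak variant that renegotiates LCP without authenticating anyone. The LAC name lac1, the account vpdnuser, the passwords, the address pool and the 192.168.10.0/24 addresses are made-up values, and the syntax of the surrounding commands (local-user, domain, interface virtual-template, allow l2tp, tunnel authentication) is assumed to be the Comware V5-style syntax that matches the l2tp-group, mandatory-chap and mandatory-lcp commands shown in this section; verify them against the command reference for your release.

```text
# Added example (not from the original page). All names, addresses and
# passwords are constructed; surrounding command syntax is an assumption
# (Comware V5-style) and must be checked against your release.

system-view

# Account the LNS checks during the SECOND authentication. "simple" stores the
# password in clear text in the configuration; use "cipher" in production.
local-user vpdnuser
 password simple VpdnUserPass1
 service-type ppp
 quit

# Addresses handed out only after both the LAC and the LNS have accepted the user.
domain system
 ip pool 1 192.168.10.2 192.168.10.100
 quit

# The VT interface is where the LNS-side authentication method lives.
# Without "ppp authentication-mode ..." here, mandatory-lcp below would
# renegotiate LCP and then assign a pool address to any user the LAC admits,
# i.e. no second authentication would actually happen.
interface virtual-template 1
 ppp authentication-mode chap domain system
 ip address 192.168.10.1 255.255.255.0
 remote address pool 1
 quit

l2tp enable

# Accept sessions from the LAC named lac1 onto virtual-template 1, authenticate
# the tunnel itself (LAC <-> LNS), and force LCP renegotiation so every user is
# re-authenticated by the LNS with the CHAP settings on virtual-template 1.
l2tp-group 1
 allow l2tp virtual-template 1 remote lac1
 tunnel authentication
 tunnel password simple TunnelSecret1
 mandatory-lcp
 quit

# Alternative for PPP clients that cannot handle a full LCP renegotiation:
# replace "mandatory-lcp" with "mandatory-chap" in l2tp-group 1. The LNS then
# issues a CHAP challenge without renegotiating LCP. Because LCP renegotiation
# has the higher priority, mandatory-chap has no effect while mandatory-lcp is
# also configured in the same group.
```

Tunnel authentication (the shared tunnel password) protects the LAC-to-LNS control connection; it does not authenticate users. The user-level second check is provided only by mandatory-lcp together with an authentication method on the VT interface, or by mandatory-chap.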