Overview

When endpoint admission defense (EAD) is used, a PPP user that has passed access authentication must also pass security authentication on the EAD server before it can access network resources. Until the security authentication succeeds, the user can reach only the resources in the quarantined (isolation) area.

The following describes the detailed procedure:

  1. The iNode client (the user host) connects to the LNS device through an L2TP tunnel. After the client passes PPP authentication, the CAMS/iMC server issues the isolation ACL to the LNS device, which filters packets from the client against that ACL using its packet filtering firewall function.

  2. After IP Control Protocol (IPCP) negotiation completes, the CAMS/iMC server notifies the iNode client of its own IP address through the LNS device. This IP address must be permitted by the isolation ACL, or the client cannot reach the server for the next step.

  3. The CAMS/iMC server performs EAD authentication and security checks on the iNode client. After the client passes the security authentication, the CAMS/iMC server issues a security ACL to the LNS device, replacing the isolation ACL and allowing the client to access network resources.

Make sure that every ACL the authentication server can assign exists on the LNS device and contains the intended rules before users log in. The server assigns only an ACL number; the rules themselves live on the device. An ACL that does not exist, an ACL with no rules, or an ACL whose rules do not permit the CAMS/iMC server address causes EAD authentication to fail.

The server can assign different ACLs to different hosts. The LNS device filters each host's packets according to the ACL assigned for that host.
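The following Comware 5 configuration fragment is an added illustration of the device-side prerequisite described above; it is not taken from the original page or from an HPE configuration example. The server address 192.168.10.10 and the ACL numbers 3001 (isolation) and 3002 (after a successful security check) are assumed values that must match what the CAMS/iMC server is configured to assign, and the RADIUS scheme and ISP domain names are placeholders.

```text
# Isolation ACL: assigned after PPP authentication, before the security check.
# Rule 0 keeps the quarantined host able to reach the CAMS/iMC server (assumed
# address 192.168.10.10); rule 5 denies everything else. The deny rule is
# explicit so that the ACL is never empty.
acl number 3001
 description EAD-isolation
 rule 0 permit ip destination 192.168.10.10 0
 rule 5 deny ip
#
# Security ACL: assigned once the client passes the EAD security check.
# Here it simply permits all traffic; narrow it to the resources the user
# is entitled to in a real deployment.
acl number 3002
 description EAD-security-pass
 rule 0 permit ip
#
# Enable the packet filtering firewall so the assigned ACL is enforced.
firewall enable
#
# RADIUS scheme pointing at the CAMS/iMC server (placeholder scheme name and
# shared key). The extended server type is used because the EAD attributes
# come from an HPE/H3C server rather than a generic RADIUS implementation.
radius scheme imc
 server-type extended
 primary authentication 192.168.10.10
 primary accounting 192.168.10.10
 key authentication imc-shared-key
 key accounting imc-shared-key
#
domain l2tp-users
 authentication ppp radius-scheme imc
 authorization ppp radius-scheme imc
 accounting ppp radius-scheme imc
#
# Checks before putting users on the system:
#   display acl 3001   -- must list the permit rule for the server and the deny rule
#   display acl 3002   -- must exist and contain at least one rule
```

The two `display acl` checks catch the failure mode called out above (a missing or empty ACL) before a user hits it. Both ACLs must be present even though only one of them applies at a time, because the server switches the assignment from 3001 to 3002 when the security check succeeds.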

L2TP-based EAD is intended for remote users who dial in over an L2TP tunnel. For LAN users, deploy portal authentication with EAD instead.

For information about packet filtering firewalls, AAA and RADIUS, and portal authentication, see HPE FlexNetwork MSR Router Series Comware 5 Security Configuration Guide.