R3303-HP HSR6800 Routers Layer 2 - WAN Configuration Guide

• LCP renegotiation—The LNS ignores the LAC proxy authentication information and performs a new
  round of LCP negotiation with the user.
The three authentication methods have different priorities: LCP renegotiation has the highest
priority and proxy authentication has the lowest. Which method the LNS uses depends on your
configuration:
• If you configure both LCP renegotiation and mandatory CHAP authentication, the LNS uses LCP
  renegotiation.
• If you configure only mandatory CHAP authentication, the LNS performs CHAP authentication of
  users.
• If you configure neither LCP renegotiation nor mandatory CHAP authentication, the LNS uses the
  LAC for proxy authentication of users.

Configuring mandatory CHAP authentication

With mandatory CHAP authentication configured, a VPN user who depends on a NAS to initiate tunneling
requests is authenticated twice: once by the NAS and once through CHAP on the LNS.
Some PPP clients may not support reauthentication, in which case LNS-side CHAP authentication fails.
To configure mandatory CHAP authentication:
Step | Command | Remarks
1. Enter system view. | system-view | N/A
2. Enter L2TP group view. | l2tp-group group-number | N/A
3. Configure mandatory CHAP authentication. | mandatory-chap | By default, CHAP authentication is not performed on an LNS.

Configuring LCP renegotiation

In a NAS-initiated dial-up VPDN, a user first negotiates with the NAS at the start of a PPP session. If the
negotiation succeeds, the NAS initiates an L2TP tunneling request and sends user information to the LNS.
The LNS then determines whether the user is valid according to the proxy authentication information
received.
Under some circumstances, for example, when authentication and accounting are needed on the LNS,
a new round of LCP negotiation is required between the LNS and the user, and the LNS authenticates the
user by using the authentication method configured on the corresponding VT interface.
If you enable LCP renegotiation but configure no authentication for the corresponding VT interface, the
LNS does not perform an additional authentication of users. Instead, the LNS directly allocates addresses
from the global address pool to PPP users authenticated by the LAC.
To configure the LNS to perform LCP renegotiation with users:
Step | Command | Remarks
1. Enter system view. | system-view | N/A
2. Enter L2TP group view. | l2tp-group group-number | N/A
3. Specify the LNS to perform LCP renegotiation with users. | mandatory-lcp | By default, an LNS does not perform LCP renegotiation with users.
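
The priority rules above, and the case where LCP renegotiation is enabled but the VT interface has no authentication configured, can be checked against a saved configuration. The following Python audit is an added example, not part of the HP guide: it reports the effective LNS authentication method for each L2TP group and flags groups where the LNS ends up relying on the LAC alone. The sample configuration is constructed, and the "allow l2tp virtual-template" and "ppp authentication-mode" lines are assumptions about how a group is bound to its VT interface and how authentication is enabled on it.

```python
import re

# Constructed sample config (Comware style, not from the guide). Assumed commands not on
# the page: "allow l2tp virtual-template N" (group-to-VT binding), "ppp authentication-mode".
SAMPLE_CONFIG = """\
interface Virtual-Template1
 ppp authentication-mode chap
interface Virtual-Template2
 ip address 10.0.0.1 255.255.255.0
l2tp-group 1
 allow l2tp virtual-template 1 remote lac-a
 mandatory-lcp
 mandatory-chap
l2tp-group 2
 allow l2tp virtual-template 2 remote lac-b
 mandatory-lcp
l2tp-group 3
 allow l2tp virtual-template 1 remote lac-c
 mandatory-chap
l2tp-group 4
 allow l2tp virtual-template 1 remote lac-d
"""

def parse_sections(text):
    """Map each unindented header line to its indented sub-commands."""
    sections, current = {}, []
    for line in filter(str.strip, text.splitlines()):
        if line[0].isspace():
            current.append(line.strip())
        else:
            current = sections.setdefault(line.strip(), [])
    return sections

def audit_lns(text):
    """Return {group: (effective method, finding or None)} using the guide's priority order."""
    sections, results = parse_sections(text), {}
    vt_auth = {h.split("Virtual-Template")[1]: any(c.startswith("ppp authentication-mode") for c in b)
               for h, b in sections.items() if h.startswith("interface Virtual-Template")}
    for header, body in sections.items():
        if not (m := re.fullmatch(r"l2tp-group (\d+)", header)):
            continue
        bind = re.search(r"^allow l2tp virtual-template (\d+)", "\n".join(body), re.M)
        if "mandatory-lcp" in body:      # highest priority: wins over mandatory-chap
            ok = bind and vt_auth.get(bind.group(1))
            results[m.group(1)] = ("lcp-renegotiation", None if ok else "no-vt-auth")
        elif "mandatory-chap" in body:
            results[m.group(1)] = ("mandatory-chap", None)
        else:                            # lowest priority: LNS trusts the LAC's result
            results[m.group(1)] = ("proxy", "lac-proxy-only")
    return results
```

Calling audit_lns(SAMPLE_CONFIG) marks group 2 as "no-vt-auth": LCP renegotiation is enabled there, but the LNS performs no authentication of its own because Virtual-Template2 has none configured.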