F3726, F3211, F3174, R5135, R3816-HP Firewalls and UTM Devices VPN Configuration Guide-6PW100

Item: Mandatory LCP

Description:
After the LAC authenticates the client, the LNS may re-authenticate the client for higher security. In this case, an L2TP session for the client is set up only when both authentications succeed. On an L2TP network, an LNS authenticates users in one of three ways: mandatory CHAP authentication, LCP re-negotiation, or proxy authentication.

- Mandatory CHAP authentication: With mandatory CHAP authentication configured, a VPN user that depends on a NAS to initiate tunneling requests is authenticated twice: once when accessing the NAS and once on the LNS by using CHAP.
- LCP re-negotiation: For a PPP user that depends on a NAS to initiate tunneling requests, the user first performs PPP negotiation with the NAS. If the negotiation succeeds, the NAS initiates an L2TP tunneling request and sends the user's authentication information to the LNS. The LNS then determines whether the user is valid according to the authentication information received. Under some circumstances (for example, when authentication and accounting are required on the LNS), another round of Link Control Protocol (LCP) negotiation is required between the LNS and the user. In this case, the user authentication information from the NAS is ignored and the LNS authenticates the user again itself.
- Proxy authentication: If neither LCP re-negotiation nor mandatory CHAP authentication is configured, the LNS performs proxy authentication of users. In this case, the LAC sends to the LNS all authentication information received from the user, together with the authentication mode configured on the LAC itself, and the LNS verifies that forwarded information instead of running a new PPP authentication exchange with the user.

IMPORTANT:
- Among these three authentication methods, LCP re-negotiation has the highest priority. If both LCP re-negotiation and mandatory CHAP authentication are configured, the LNS uses LCP re-negotiation together with the PPP authentication method configured in the L2TP group.
- Some PPP clients do not support re-authentication. For such clients, LNS-side CHAP authentication fails and no session is set up.
- With LCP re-negotiation, if no PPP authentication method is configured in the L2TP group, the LNS does not re-authenticate users; it assigns addresses to the PPP users immediately. In other words, the users are authenticated only once, at the LAC end, and the LNS relies entirely on the LAC's authentication.
- When the LNS uses proxy authentication and the user authentication information passed from the LAC to the LNS is valid:
  - If the authentication method configured in the L2TP group is PAP, the proxy authentication succeeds and a session can be established for the user.
  - If the authentication method configured in the L2TP group is CHAP but the method configured on the LAC is PAP, the proxy authentication fails and no session can be set up. The LNS requires CHAP, which is a stronger method than the PAP exchange the LAC performed, and does not accept the forwarded PAP credentials as satisfying that requirement.
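The precedence rules and the proxy-authentication outcomes described above, modelled as an added example in Python. This is not code from the guide or from the HP device firmware: the AVP field names, the user database and the sample credentials are constructed assumptions, while the CHAP-MD5 response computation follows RFC 1994 and the Proxy Authen Type values follow RFC 2661, section 4.4.5.

```python
import hashlib
import hmac

# Proxy Authen Type values from RFC 2661, section 4.4.5 (PPP CHAP = 2, PPP PAP = 3).
PROXY_AUTHEN_CHAP = 2
PROXY_AUTHEN_PAP = 3


def lns_auth_mode(lcp_renegotiation, mandatory_chap, group_ppp_auth):
    """Decide how the LNS authenticates a tunnelled PPP user.

    Precedence as in the guide: LCP re-negotiation wins over mandatory CHAP,
    and proxy authentication applies only when neither is configured.
    group_ppp_auth is the PPP authentication method configured in the L2TP
    group ("pap", "chap" or None). Returns (mode, method); method is None
    when the LNS performs no authentication of its own.
    """
    if lcp_renegotiation:
        # Without a PPP auth method in the group the LNS re-negotiates LCP but
        # never re-authenticates: the user is trusted on the LAC's word alone.
        return ("lcp-renegotiation", group_ppp_auth)
    if mandatory_chap:
        return ("mandatory-chap", "chap")
    return ("proxy", group_ppp_auth)


def chap_response(ident, secret, challenge):
    """CHAP with MD5 (RFC 1994): Response = MD5(Identifier || secret || Challenge)."""
    return hashlib.md5(bytes([ident]) + secret + challenge).digest()


def proxy_authenticate(group_ppp_auth, avps, users):
    """LNS-side proxy authentication of the credentials the LAC forwarded.

    avps is a dict modelled on the RFC 2661 proxy authentication AVPs
    (authen_type, name, and either id/challenge/response for CHAP or
    password for PAP); the key names are this example's own. users maps a
    user name to its PPP secret. Returns True when a session may be set up.
    """
    secret = users.get(avps["name"])
    if secret is None:
        return False
    lac_type = avps["authen_type"]
    if group_ppp_auth == "chap" and lac_type != PROXY_AUTHEN_CHAP:
        # The group demands CHAP but the LAC only ran PAP: a forwarded
        # plaintext password does not satisfy a CHAP requirement, so reject.
        return False
    if lac_type == PROXY_AUTHEN_CHAP:
        expected = chap_response(avps["id"], secret, avps["challenge"])
        return hmac.compare_digest(expected, avps["response"])
    if lac_type == PROXY_AUTHEN_PAP:
        return hmac.compare_digest(secret, avps["password"])
    return False  # unknown or "no authentication" type: never accept


# Constructed sample data for a stand-alone run (not taken from the guide).
SAMPLE_USERS = {"vpnuser1": b"Chap-Secret-1"}
SAMPLE_CHALLENGE = bytes(range(16))


def sample_chap_avps(secret=b"Chap-Secret-1", ident=7):
    """What a LAC that ran CHAP with vpnuser1 would forward to the LNS."""
    return {
        "authen_type": PROXY_AUTHEN_CHAP,
        "name": "vpnuser1",
        "id": ident,
        "challenge": SAMPLE_CHALLENGE,
        "response": chap_response(ident, secret, SAMPLE_CHALLENGE),
    }


def sample_pap_avps(password=b"Chap-Secret-1"):
    """What a LAC that ran PAP with vpnuser1 would forward to the LNS."""
    return {"authen_type": PROXY_AUTHEN_PAP, "name": "vpnuser1", "password": password}


if __name__ == "__main__":
    print(lns_auth_mode(True, True, "chap"))                           # ('lcp-renegotiation', 'chap')
    print(lns_auth_mode(True, False, None))                            # ('lcp-renegotiation', None)
    print(proxy_authenticate("pap", sample_chap_avps(), SAMPLE_USERS))  # True
    print(proxy_authenticate("chap", sample_pap_avps(), SAMPLE_USERS))  # False
```

The two calls at the end reproduce the table's last two cases: a group configured for PAP accepts the CHAP credentials the LAC forwarded, while a group configured for CHAP rejects PAP credentials outright, before even looking up the password.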
Configuring an ISP domain
1. Click Add for ISP Domain in Figure 158.