R3166-R3206-HP High-End Firewalls VPN Configuration Guide-6PW101
With mandatory CHAP authentication configured, a VPN user that depends on a NAS to initiate
tunneling requests is authenticated twice: once when accessing the NAS and once on the LNS by using
CHAP.
Follow these steps to configure mandatory CHAP authentication:
To do… | Use the command… | Remarks
Enter system view | system-view | —
Enter L2TP group view | l2tp-group group-number | —
Configure mandatory CHAP authentication | mandatory-chap | Required. By default, CHAP authentication is not performed on an LNS.
NOTE:
• When the LNS uses proxy authentication, a session can be established for a user when the user passes the authentication and the authentication type configured on the virtual interface template is PAP.
• If the LNS uses proxy authentication and the authentication method configured on the virtual interface template is CHAP but the authentication method on the LAC is PAP, the authentication will fail and no session can be set up. This is because the level of the CHAP authentication required by the LNS is higher than that of the PAP authentication provided by the LAC.
• Some PPP clients may not support re-authentication, in which case LNS side CHAP authentication will fail.
2. Specifying to perform LCP re-negotiation with users
In a NAS-initiated dial-up VPDN, a user first negotiates with the NAS at the start of a PPP session. If the negotiation succeeds, the NAS initiates an L2TP tunneling request and sends the user information to the LNS. The LNS then determines whether the user is valid according to the proxy authentication information received.
Under some circumstances (for example, when authentication and accounting must be performed on the LNS), another round of Link Control Protocol (LCP) negotiation is required between the LNS and the user. In this case, the proxy authentication information from the NAS is ignored.
If you enable LCP re-negotiation but configure no authentication for the corresponding virtual interface template, the LNS does not perform additional authentication of users (users are then authenticated only once, on the LAC) and directly allocates addresses from the global address pool to the PPP users.
Follow these steps to specify to perform LCP re-negotiation with users:
To do… | Use the command… | Remarks
Enter system view | system-view | —
Enter L2TP group view | l2tp-group group-number | —
Specify to perform LCP re-negotiation with users | mandatory-lcp | Required. By default, an LNS does not perform LCP re-negotiation with users.
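The following LNS configuration is an added example, not taken from this guide, that puts the two procedures above (mandatory CHAP authentication and LCP re-negotiation) together with the virtual interface template they depend on. The group number 1, the template number 1, the LAC tunnel name lac1 and the commands other than mandatory-chap and mandatory-lcp (l2tp enable, interface Virtual-Template, ppp authentication-mode, allow l2tp) are assumptions about the platform's L2TP configuration and do not appear on this page; lines beginning with # are annotations, not CLI input.

```text
# Enter system view and enable L2TP globally (assumed prerequisite, not on this page).
system-view
l2tp enable
# Virtual interface template used for the PPP sessions terminated on the LNS.
# Because the template is set to CHAP, a LAC that only offers PAP proxy
# authentication information would be rejected (see the NOTE above).
interface Virtual-Template 1
 ppp authentication-mode chap
 quit
# L2TP group 1 acting as the LNS for the LAC named lac1 (assumed names).
l2tp-group 1
 allow l2tp virtual-template 1 remote lac1
# Force a second CHAP authentication on the LNS instead of trusting the
# proxy authentication result forwarded by the NAS.
 mandatory-chap
# Force LCP re-negotiation so that the proxy authentication information is
# ignored and the LNS authenticates (and can account for) the user itself.
 mandatory-lcp
 quit
```

With mandatory-lcp in place, remember that the template's ppp authentication-mode decides whether the LNS actually re-authenticates: leaving it unset means the user is authenticated only on the LAC and gets an address from the global pool.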
Configuring AAA authentication of VPN users on LNS side
You need to configure AAA on the LNS when either of the following is true:
• Mandatory CHAP authentication is configured on the LNS