R3721-F3210-F3171-HP High-End Firewalls VPN Configuration Guide-6PW101

Item: Mandatory CHAP authentication / LCP re-negotiation
Description:
After the LAC authenticates the client, the LNS may re-authenticate the client for higher security. In this case, an L2TP tunnel can be set up only when both authentications succeed. On an L2TP network, an LNS authenticates users in three ways: mandatory CHAP authentication, LCP re-negotiation, and proxy authentication.

Mandatory CHAP authentication: With mandatory CHAP authentication configured, a VPN user that depends on a NAS to initiate tunneling requests is authenticated twice: once when accessing the NAS and once on the LNS by using CHAP.

LCP re-negotiation: For a PPP user that depends on a NAS to initiate tunneling requests, the user first performs PPP negotiation with the NAS. If the negotiation succeeds, the NAS initiates an L2TP tunneling request and sends the user's authentication information to the LNS. The LNS then determines whether the user is valid according to the user authentication information received. Under some circumstances (for example, when authentication and accounting are required on the LNS), another round of Link Control Protocol (LCP) negotiation is required between the LNS and the user. In this case, the user authentication information from the NAS is ignored.

Proxy authentication: If neither LCP re-negotiation nor mandatory CHAP authentication is configured, the LNS performs proxy authentication of users. In this case, the LAC sends to the LNS all authentication information from users as well as the authentication mode configured on the LAC itself.
IMPORTANT:
Among these three authentication methods, LCP re-negotiation has the highest priority. If both LCP re-negotiation and mandatory CHAP authentication are configured, the LNS uses LCP re-negotiation together with the PPP authentication method configured in the L2TP group.

Some PPP clients do not support re-authentication, in which case LNS-side CHAP authentication fails.

With LCP re-negotiation, if no PPP authentication method is configured in the L2TP group, the LNS does not re-authenticate users; it assigns public addresses to the PPP users immediately. In other words, the users are authenticated only once, at the LAC end.

When the LNS uses proxy authentication and the user authentication information passed from the LAC to the LNS is valid: if the authentication method configured in the L2TP group is PAP, the proxy authentication succeeds and a session can be established for the user; if the authentication method configured in the L2TP group is CHAP but the method configured on the LAC is PAP, the proxy authentication fails and no session can be set up. This is because CHAP authentication, which the LNS requires, is of a higher level than PAP authentication, which the LAC provides.
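The following is an added illustration, not code from the HP guide or the firewall itself: a small model of how an LNS chooses among the three authentication paths above and what the outcome is for a given LAC/client combination. The class and field names, the "level" ordering PAP < CHAP, and the treatment of an unset L2TP group method in proxy mode are assumptions made for the example; the priority rules, the re-authentication failure case and the PAP/CHAP mismatch case follow the text.

```python
# Added example, not part of the HP configuration guide. Models the LNS
# authentication-path selection described in the IMPORTANT notes above.
from dataclasses import dataclass
from typing import Optional

# Assumed ordering: CHAP is a higher authentication level than PAP (as the text states).
AUTH_LEVEL = {"pap": 1, "chap": 2}


@dataclass
class LnsConfig:
    mandatory_lcp: bool = False       # LCP re-negotiation configured in the L2TP group
    mandatory_chap: bool = False      # mandatory CHAP authentication configured
    group_auth: Optional[str] = None  # PPP method in the L2TP group: "pap", "chap" or None


@dataclass
class LacInfo:
    auth_mode: str                    # method the LAC used for the client: "pap" or "chap"
    user_known_to_lns: bool           # whether the user's credentials check out on the LNS
    client_supports_reauth: bool = True


def lns_decision(cfg: LnsConfig, lac: LacInfo) -> tuple[str, bool]:
    """Return (authentication path taken, whether a session is established)."""
    if cfg.mandatory_lcp:
        # LCP re-negotiation has the highest priority; LAC-forwarded info is ignored.
        if cfg.group_auth is None:
            # No PPP method in the L2TP group: no re-authentication, addresses assigned at once,
            # so the user was authenticated only once, at the LAC.
            return "lcp-renegotiation-no-reauth", True
        if not lac.client_supports_reauth:
            return "lcp-renegotiation", False
        return "lcp-renegotiation", lac.user_known_to_lns
    if cfg.mandatory_chap:
        # Second authentication by CHAP on the LNS; clients that cannot re-authenticate fail.
        if not lac.client_supports_reauth:
            return "mandatory-chap", False
        return "mandatory-chap", lac.user_known_to_lns
    # Proxy authentication: the LNS judges the LAC-forwarded info against its own method.
    if not lac.user_known_to_lns:
        return "proxy", False
    required = cfg.group_auth or "pap"   # assumption: unset group method is treated as PAP
    # PAP at the LAC cannot satisfy a CHAP requirement on the LNS; CHAP satisfies either.
    return "proxy", AUTH_LEVEL[lac.auth_mode] >= AUTH_LEVEL[required]
```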