R0106-HP MSR Router Series Layer 2 - WAN Configuration Guide(V7)

Step:
3. Configure the LNS to accept tunneling requests from a specified LAC and specify the VT interface to be used for tunnel setup.

Command:
• If the L2TP group number is 1:
  allow l2tp virtual-template virtual-template-number [ remote remote-name ]
• If the L2TP group number is not 1:
  allow l2tp virtual-template virtual-template-number remote remote-name

Remarks:
Use either command.
By default, an LNS denies tunneling requests from any LAC.
If the L2TP group number is 1, the remote remote-name option is optional. If you do not specify this option, the LNS accepts tunneling requests from any LAC.

Configuring user authentication on an LNS
An LNS can be configured to authenticate a user that has passed authentication on the LAC to increase
security. In this case, the user is authenticated twice: once on the LAC and once on the LNS. An L2TP
tunnel can be established only when both authentications succeed.
An LNS authenticates users by using one of the following methods:
• Proxy authentication—The LNS uses the LAC as an authentication proxy. The LAC sends the LNS all
  user authentication information from users and the authentication method configured on the LAC
  itself. The LNS then checks the user validity according to the received information and the locally
  configured authentication method.
• Mandatory CHAP authentication—The LNS uses CHAP authentication to reauthenticate users who
  have passed authentication on the LAC.
• LCP renegotiation—The LNS ignores the LAC proxy authentication information and performs a new
  round of LCP negotiation with the user.
The three authentication methods have different priorities, where LCP renegotiation has the highest
priority and proxy authentication has the lowest priority. Which method the LNS uses depends on your
configuration:
• If you configure both LCP renegotiation and mandatory CHAP authentication, the LNS uses LCP
  renegotiation.
• If you configure only mandatory CHAP authentication, the LNS performs CHAP authentication for
  users after proxy authentication succeeds.
• If you configure neither LCP renegotiation nor mandatory CHAP authentication, the LNS uses the
  LAC for proxy authentication.
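
The remark about omitting remote remote-name and the priority rules above can both be checked against a saved configuration. The following Python is an added example, not part of the HP guide: it reports, for each LNS-mode L2TP group, which authentication method takes effect and whether the group accepts any LAC. The "l2tp-group N mode lns" header, the "mandatory-chap" and "mandatory-lcp" command spellings, and the sample configuration are assumptions constructed for illustration.

```python
import re
# Constructed sample; group header and mandatory-* spellings are assumptions.
SAMPLE_CONFIG = """\
l2tp-group 1 mode lns
 allow l2tp virtual-template 1
#
l2tp-group 2 mode lns
 allow l2tp virtual-template 2 remote LAC-BRANCH
 mandatory-chap
#
l2tp-group 3 mode lns
 allow l2tp virtual-template 3 remote LAC-HQ
 mandatory-chap
 mandatory-lcp
"""

ALLOW_RE = re.compile(r"^allow l2tp virtual-template (\d+)(?: remote (\S+))?$")

def effective_auth(lines):
    """Guide's priority: LCP renegotiation > mandatory CHAP > proxy."""
    if "mandatory-lcp" in lines:
        return "lcp-renegotiation"
    if "mandatory-chap" in lines:
        return "mandatory-chap"
    return "proxy"

def audit(config):
    """Return {group: {"auth", "remote", "findings"}} for LNS-mode groups."""
    groups, current = {}, None
    for raw in config.splitlines():
        head = re.match(r"l2tp-group (\d+) mode lns\s*$", raw)
        if head:
            current = groups.setdefault(int(head.group(1)), [])
        elif raw.startswith(" ") and current is not None:
            current.append(raw.strip())
        else:
            current = None  # any unindented line closes the group view
    report = {}
    for group, lines in groups.items():
        allow = next((m for m in map(ALLOW_RE.match, lines) if m), None)
        auth, findings = effective_auth(lines), []
        if allow is None:
            findings.append("no allow l2tp: tunneling requests denied")
        elif allow.group(2) is None:
            findings.append("no remote name: accepts any LAC")
        if auth == "proxy":
            findings.append("relies on LAC proxy authentication only")
        report[group] = {"auth": auth, "remote": allow and allow.group(2), "findings": findings}
    return report
```

Calling audit(SAMPLE_CONFIG) flags group 1 on both counts and reports LCP renegotiation for group 3, where both mandatory options are present.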
Configuring mandatory CHAP authentication
When mandatory CHAP authentication is configured, a user who depends on an LAC to initiate
tunneling requests is authenticated twice: once by the LAC and once on the LNS. Some users might not
support the authentication on the LNS. In this situation, do not enable this feature, because CHAP
authentication on the LNS will fail.
For this feature to take effect, you must also configure CHAP authentication for the PPP user on the VT
interface of the LNS.
To configure mandatory CHAP authentication: