HP VPN Firewall Appliances VPN Configuration Guide
228
Item Description
Mandatory LCP
After the LAC authenticates the client, the LNS may re-authenticate the
client for higher security. In this case, only when both the authentications
succeed can an L2TP tunnel be set up. On an L2TP network, an LNS
authenticates users in three ways: mandatory CHAP authentication, LCP
re-negotiation, and proxy authentication.
• Mandatory CHAP authentication—With mandatory CHAP
authentication configured, a VPN user that depends on a NAS to
initiate tunneling requests is authenticated twice: once when accessing
the NAS and once on the LNS by using CHAP.
• LCP re-negotiation—For a PPP user that depends on a NAS to initiate
tunneling requests, the user first performs PPP negotiation with the NAS.
If the negotiation succeeds, the NAS initiates an L2TP tunneling request
and sends the user's authentication information to the LNS. The LNS
then determines whether the user is valid according to the user
authentication information received. Under some circumstances (when
authentication and accounting are required on the LNS for example),
another round of Link Control Protocol (LCP) negotiation is required
between the LNS and the user. In this case, the user authentication
information from the NAS is neglected.
• Proxy authentication—If neither LCP re-negotiation nor mandatory
CHAP authentication is configured, an LNS performs proxy
authentication of users. In this case, the LAC sends to the LNS all
authentication information from users as well as the authentication
mode configured on the LAC itself.
IMPORTANT:
• Among these three authentication methods, LCP re-negotiation has the
highest priority. If both LCP re-negotiation and mandatory CHAP
authentication are configured, the LNS uses LCP re-negotiation and the
PPP authentication method configured in the L2TP group.
• Some PPP clients might not support re-authentication, in which case
LNS-side CHAP authentication will fail.
• With LCP re-negotiation, if no PPP authentication method is configured
in the L2TP group, the LNS will not re-authenticate users; it will assign
public addresses to the PPP users immediately. In other words, the users
are authenticated only once at the LAC end.
• When the LNS uses proxy authentication and the user authentication
information passed from the LAC to the LNS is valid:
◦ If the authentication method configured in the L2TP group is PAP, the
proxy authentication succeeds and a session can be established for
the user.
◦ If the authentication method configured in the L2TP group is CHAP
but that configured on the LAC is PAP, the proxy authentication will
fail and no session can be set up. This is because the level of CHAP
authentication, which is required by the LNS, is higher than that of
PAP authentication, which the LAC provides.
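The following Python model of the LNS decision rules in this table entry is an added illustration, not code from the guide or from the appliance; the class names, field names and the `lns_decision` function are my own, and it assumes a forwarded credential set that is itself valid.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class LnsConfig:
    mandatory_lcp: bool          # LCP re-negotiation enabled in the L2TP group
    mandatory_chap: bool         # mandatory CHAP re-authentication enabled
    group_auth: Optional[str]    # PPP auth method in the L2TP group: "pap", "chap" or None


@dataclass
class Outcome:
    method: str         # "lcp-renegotiation", "mandatory-chap" or "proxy"
    session: bool       # True if a session can be set up
    lns_verifies: bool  # True if the LNS itself checks the user's credentials
    note: str


def lns_decision(cfg: LnsConfig, lac_auth: str, client_reauth: bool = True) -> Outcome:
    """Apply the rules from the table entry. lac_auth is the mode the LAC used
    ("pap" or "chap"); client_reauth says whether the PPP client can re-authenticate."""
    if cfg.mandatory_lcp:
        # LCP re-negotiation has the highest priority; NAS-supplied credentials are ignored.
        if cfg.group_auth is None:
            return Outcome("lcp-renegotiation", True, False,
                           "no PPP auth method in the L2TP group: user checked only at the LAC")
        if not client_reauth:
            return Outcome("lcp-renegotiation", False, True, "client cannot re-authenticate")
        return Outcome("lcp-renegotiation", True, True,
                       f"re-authenticated on the LNS with {cfg.group_auth}")
    if cfg.mandatory_chap:
        # Authenticated twice: once at the NAS, then by CHAP on the LNS.
        if not client_reauth:
            return Outcome("mandatory-chap", False, True,
                           "client lacks re-authentication; LNS-side CHAP fails")
        return Outcome("mandatory-chap", True, True, "authenticated at the NAS and again by CHAP on the LNS")
    # Proxy authentication: the LNS judges the credentials and auth mode forwarded by the LAC.
    if cfg.group_auth == "chap" and lac_auth == "pap":
        return Outcome("proxy", False, True, "LNS requires CHAP but the LAC only performed PAP")
    # Assumption: any other combination of valid forwarded credentials is accepted.
    return Outcome("proxy", True, True, f"proxy authentication with {lac_auth} accepted")
```

The `lns_verifies` flag is the one to watch when auditing a configuration: it is False only for LCP re-negotiation with no PPP authentication method in the L2TP group, the case where users are checked solely at the LAC.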