HP VPN Firewall Appliances VPN Configuration Guide

ManualsBrandsHP ManualsComputer AccessoriesHP ProCurve Switch xl Access Controller Module

251

252

253

254

255

256

257

258

259

260

242

Ste

Command

Remarks

3. Specify the VT interface for

receiving calls, the tunnel name

on the LAC, and the domain

name.

• If the L2TP group number is 1

(the default):

allow l2tp virtual-template

virtual-template-number

[ remote remote-name ]

[ domain domain-name ]

• If the L2TP group number is

not 1:

allow l2tp virtual-template

virtual-template-number

[ remote remote-name ]

[ domain domain-name ]

Use either command.

By default, an LNS denies all

incoming calls.

If the L2TP group number is 1, do

not specify the LAC side tunnel

name. In L2TP group 1, the LNS

allows the LAC to initiate a

tunneling request by using any

tunnel name.

Configuring user authentication on an LNS

An LNS may be configured to authenticate a user that has passed authentication on the LAC to increase

security. In this case, the user is authenticated twice, once on the LAC and once on the LNS. Only when

the two authentications succeed can an L2TP tunnel be set up. This helps raise security.

An LNS authenticates users by using one of the following methods:

• Proxy authentication—The LNS uses the LAC as an authentication proxy. The LAC sends the LNS all

user authentication information from users and the authentication mode configured on the LAC itself.

The LNS then checks the user validity according to the received information and the locally

configured authentication method.

• Mandatory CHAP authentication—The LNS uses CHAP authentication to reauthenticate users who

have passed authentication on the LAC.

• LCP renegotiation—The LNS ignores the LAC proxy authentication information and performs a new

round of LCP negotiation with the user.

The three authentication methods have different priorities, where LCP renegotiation has the highest

priority and proxy authentication has the lowest priority. Which method the LNS uses depends on your

configuration:

• If you configure both LCP renegotiation and mandatory CHAP authentication, the LNS uses LCP

renegotiation.

• If you configure only mandatory CHAP authentication, the LNS performs CHAP authentication of

users.

• If you configure neither LCP renegotiation nor mandatory CHAP authentication, the LNS uses the

LAC for proxy authentication of users.

1. Configuring mandatory CHAP authentication

With mandatory CHAP authentication configured, a VPN user depending on a NAS to initiate

tunneling requests is authenticated twice: once by the NAS and once through CHAP on the LNS.

Some PPP clients might not support reauthentication, in which case LNS side CHAP authentication

will fail.

To configure mandatory CHAP authentication:

Ste

Command

Remarks

1. Enter system view.

system-view N/A

2. Enter L2TP group view.

l2tp-group group-number N/A