Setting Up Virtual Private Networks
Configuring L2TP tunnels for dial-in clients
MAX 6000/3000 Network Configuration Guide 11-33
The last LCP Config Request packet the LAC sent to the client.
With this information, the LNS is not required to restart LCP negotiation.
The LAC implements proxy authentication for clients configured for PPP authentication on the
LAC. Following PPP authentication, the LAC sends the username and password to the LNS in
the appropriate L2TP AVPs.
Note: The current software version does not include support for proxy authentication for
terminal server authentication. The terminal server erases the username and password
immediately after authenticating the user.
LAC and LNS mode
The MAX unit can function as an LAC, an LNS, or both. L2TP supports a multimode configuration in which a
unit is both an LAC (foreign agent) and an LNS (home agent). As an L2TP LNS, the unit terminates
the L2TP session and authenticates the user. If the user's profile on the LNS calls for an L2TP
tunnel, the LNS then switches that user's session: the unit acts as an L2TP LAC and originates
a new L2TP tunnel and session. The MAX unit operates as an LNS as far as the first LAC is
concerned, and as an LAC as far as the next hop is concerned.
Note: In L2TP switching, a MAX unit can be both an LNS and an LAC simultaneously for the
same session. The session arrives and is serviced by the unit acting as an LNS.
Tunnel authentication
You can configure the LNS to authenticate a tunnel during tunnel creation. You must enable
tunnel authentication on both the LAC and LNS.
On the LNS, you must create a Names/Passwords profile where:
The value in the Ethernet > Names/Passwords > Name parameter matches the value of the
System > Sys Config > Name parameter on the LAC.
The value of the Ethernet > Names/Passwords > Recv PW parameter matches the
password configured on the LAC.
On the LAC, you can specify the password with the Tunnel-Password attribute in the RADIUS
user profile for the connection initiating the session, or you can configure the password in a
Names/Passwords profile. If you create a Names/Passwords profile, the value of the Ethernet >
Names/Passwords > Name parameter must match the value of the System > Sys Config >
Name parameter on the LNS.
Conversely, you can configure the LAC and LNS to not require tunnel authentication.
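The matching rules above are easy to get wrong on one side only. The following added example (not part of the guide, and not MAX software) models the settings the text names and checks a LAC/LNS pair for consistency before the tunnel is brought up; the class and field names are assumptions, and the page does not say which Names/Passwords field holds the LAC-side password, so that field is modelled generically.

```python
from dataclasses import dataclass, field
from hmac import compare_digest
from typing import Optional

@dataclass
class Profile:
    """Constructed model of an Ethernet > Names/Passwords profile."""
    name: str        # Names/Passwords > Name
    password: str    # Recv PW on the LNS; the LAC-side field name is an assumption

@dataclass
class Unit:
    """Constructed model of the settings on one MAX unit that the text names."""
    sys_name: str                                  # System > Sys Config > Name
    tunnel_auth: bool                              # tunnel authentication enabled
    profiles: list = field(default_factory=list)   # Names/Passwords profiles
    radius_tunnel_password: Optional[str] = None   # RADIUS Tunnel-Password (LAC side)

def lac_tunnel_password(lac: Unit, lns: Unit) -> Optional[str]:
    """Password the LAC presents: the RADIUS Tunnel-Password if set, otherwise the
    Names/Passwords profile whose Name equals the LNS Sys Config Name."""
    if lac.radius_tunnel_password is not None:
        return lac.radius_tunnel_password
    profile = next((p for p in lac.profiles if p.name == lns.sys_name), None)
    return profile.password if profile else None

def check_tunnel_auth(lac: Unit, lns: Unit) -> list:
    """Return the misconfigurations found; an empty list means the pair is consistent."""
    if lac.tunnel_auth != lns.tunnel_auth:
        return ["tunnel authentication must be enabled on both the LAC and the LNS, or on neither"]
    if not lac.tunnel_auth:
        return []                                  # both sides skip tunnel authentication
    problems = []
    # The LNS must hold a profile named after the LAC's Sys Config Name.
    lns_profile = next((p for p in lns.profiles if p.name == lac.sys_name), None)
    if lns_profile is None:
        problems.append(f"LNS lacks a Names/Passwords profile named {lac.sys_name!r}")
    lac_pw = lac_tunnel_password(lac, lns)
    if lac_pw is None:
        problems.append(f"LAC has neither a Tunnel-Password nor a profile named {lns.sys_name!r}")
    # Compare the shared secret in constant time (encoded so non-ASCII values are accepted).
    if lns_profile and lac_pw is not None and not compare_digest(
            lns_profile.password.encode(), lac_pw.encode()):
        problems.append("LNS Recv PW does not match the password configured on the LAC")
    return problems

# Constructed sample pair: the LAC takes its password from RADIUS, the LNS from a profile.
LAC = Unit("max-lac-1", True, radius_tunnel_password="t3st-tunnel")
LNS = Unit("max-lns-1", True, profiles=[Profile("max-lac-1", "t3st-tunnel")])

if __name__ == "__main__":
    print(check_tunnel_auth(LAC, LNS) or "LAC/LNS tunnel authentication settings are consistent")
```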
Client authentication
Either the LAC, the LNS, or both, can perform PAP or CHAP authentication of clients for
which they create tunnels. If you configure the MAX to create tunnels on a per-line basis, only
the LNS can perform authentication, because the MAX automatically builds a tunnel to the
LNS for any call it receives on that line.
If you use RADIUS to configure L2TP on a per-user basis, and you specify the
Client-Port-DNIS attribute, the LAC does not perform PAP or CHAP authentication. If you
specify Client-Port-DNIS, the tunnel is created as soon as the LAC receives a DNIS number