614 CHAPTER 43: CONFIGURING L2TP
information (ACK) and wait for some time before clearing the tunnel, so that a
request retransmitted by the peer can still be received properly if the ACK
message is lost. After a tunnel is disconnected by force, all control connections
and session connections on the tunnel are also cleared. After tunnel
disconnection, a new tunnel is established when new users dial in.
Perform the following configuration in system view.
Table 679 Force to Disconnect Channel
Configure to Force the Local End to Implement CHAP Authentication
This configuration is applicable to LNS only.
After LAC performs the proxy authentication for dial-up users, LNS can
authenticate these users again. In this case, the users will be authenticated twice,
the first authentication being at LAC and the second one at LNS side. Only after
passing both of the authentications can the L2TP tunnel be established.
In actual L2TP application, there are three methods of authentication: proxy
authentication, forcing CHAP authentication and LCP renegotiation.
■ LCP renegotiation has the highest priority of the three methods: if LCP
renegotiation and forcing CHAP authentication are both configured at LNS,
L2TP adopts LCP renegotiation first and then uses the authentication
methods configured on the corresponding virtual template.
■ If only forcing CHAP authentication is configured, LNS will authenticate users
by means of CHAP. Only after user name, password and authentication are
configured at LNS, and AAA function is enabled, can the process of forcing
CHAP authentication locally take effect.
■ If neither LCP renegotiation nor forcing CHAP authentication is configured, LNS
performs proxy authentication for the users. In this case, LAC conveys to LNS
all the authentication information received from users together with the
information configured at LAC itself, and LNS authenticates users according to
that information and the authentication mode of LAC. When proxy authentication
is used at LNS, if LAC is configured with PAP while the virtual interface
template at LNS is configured with CHAP, which is higher than PAP,
authentication always fails and no sessions can be created.
If aaa authentication-scheme ppp default none is configured at the LAC side,
AAA authentication is not enabled, no matter whether PAP or CHAP
authentication is adopted at the LAC side. However, after the authentication mode
is transmitted to LNS, LNS still authenticates the user, no matter whether LNS is
configured with the aaa-enable command.
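The selection order described above, written out as a pre-deployment check. This is an added example, not code from the manual or the router software; the function name, its parameters and the sample deployments are assumptions made for illustration.

```python
from typing import List, Optional, Tuple

def lns_auth_plan(lac_auth: str, vt_auth: Optional[str],
                  lcp_renegotiation: bool = False, force_chap: bool = False,
                  lns_user_configured: bool = False,
                  lns_aaa_enabled: bool = False) -> Tuple[str, Optional[str], List[str]]:
    """Return (method, protocol the LNS applies, problems that stop it working).

    lac_auth / vt_auth: "pap" or "chap" as set at the LAC and on the LNS
    virtual template (vt_auth may be None). All names here are hypothetical.
    """
    problems: List[str] = []
    if lcp_renegotiation:
        # Highest priority: wins even if forced CHAP is configured as well,
        # and the virtual template then decides the protocol.
        return "lcp-renegotiation", vt_auth, problems
    if force_chap:
        # The LNS authenticates the user a second time with CHAP, which only
        # takes effect with local credentials and AAA enabled at the LNS.
        if not lns_user_configured:
            problems.append("no user name/password configured at LNS")
        if not lns_aaa_enabled:
            problems.append("AAA not enabled at LNS")
        return "forced-chap", "chap", problems
    # Neither configured: the LNS relies on what the LAC passed along.
    if lac_auth == "pap" and vt_auth == "chap":
        problems.append("LAC uses PAP but LNS virtual template requires CHAP: "
                        "authentication always fails, no sessions are created")
    return "proxy", lac_auth, problems

# Constructed sample deployments (not taken from the manual).
SAMPLES = {
    "both options set": dict(lac_auth="pap", vt_auth="chap",
                             lcp_renegotiation=True, force_chap=True),
    "forced CHAP, AAA off": dict(lac_auth="chap", vt_auth="chap", force_chap=True,
                                 lns_user_configured=True),
    "proxy, PAP at LAC": dict(lac_auth="pap", vt_auth="chap"),
    "proxy, CHAP at both": dict(lac_auth="chap", vt_auth="chap"),
}

def audit(samples=SAMPLES):
    """Map each deployment name to its (method, protocol, problems) plan."""
    return {name: lns_auth_plan(**cfg) for name, cfg in samples.items()}

if __name__ == "__main__":
    for name, (method, proto, problems) in audit().items():
        print(f"{name:22} {method:18} {proto}  {'; '.join(problems) or 'ok'}")
```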
Perform the following configurations in L2TP group view.
Operation                     Command
Force to disconnect tunnel    reset l2tp tunnel remote-name