NE40E V800R010C10SPC500 Configuration Guide - User Access 01

Configuring L2TP User Attributes

An L2TP tunnel is configured in the L2TP group view. To configure L2TP user attributes, you associate an L2TP group with a domain. Note that the L2TP attributes delivered by the RADIUS server take precedence over the locally configured L2TP attributes.

Context

After configuring an L2TP group, you can apply the L2TP group to a domain. Then, the domain and the L2TP tunnel can be associated. By associating a domain with an L2TP tunnel, the NE40E delivers the services of an ISP in a batch to the access server (LNS) of the ISP using the associated L2TP tunnel. In this manner, multi-ISP service wholesale is implemented.

Do as follows on the NE40E:

NOTE:
  • The new password is at least eight characters long and contains at least two of the following character types: upper-case letters, lower-case letters, digits, and special characters.
  • When configuring an authentication password, select ciphertext mode. In simple text mode the password is saved in configuration files in simple text, which is a high security risk. To ensure device security, change the password periodically.
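
The following check is an added example, not part of the original guide or of Huawei's tooling: it scans a saved configuration for the password risks the NOTE describes, as they apply to the l2tp-authorize command in step 6 of the procedure. The sample configuration is constructed, and the assumption that the saved file mirrors the command syntax on this page is labelled in the code.

```python
import re

# Constructed sample of a saved configuration, not taken from a real device.
# Assumption: the saved file uses the command syntax shown on this page, with
# each domain's commands listed under its "domain <name>" line.
SAMPLE_CONFIG = """\
aaa
 domain isp1
  l2tp-group lac1
  l2tp-authorize password simple Example123
 domain isp2
  l2tp-group lac1
  l2tp-authorize
 domain isp3
  l2tp-user radius-force
  l2tp-authorize password cipher CIPHERTEXT-PLACEHOLDER
 domain isp4
  l2tp-group lac2
  l2tp-authorize password simple short1
"""

CHAR_CLASSES = (r"[A-Z]", r"[a-z]", r"[0-9]", r"[^A-Za-z0-9]")

def meets_password_rule(password):
    """Rule from the NOTE: at least 8 characters and 2 character classes."""
    classes = sum(bool(re.search(c, password)) for c in CHAR_CLASSES)
    return len(password) >= 8 and classes >= 2

def audit_l2tp_authorize(config_text):
    """Return (domain, finding) pairs for risky l2tp-authorize settings."""
    findings, domain = [], None
    for raw in config_text.splitlines():
        words = raw.split()
        if len(words) == 2 and words[0] == "domain":
            domain = words[1]
        elif words and words[0] == "l2tp-authorize":
            if len(words) == 1:
                # No password given: the page states the default is then sent.
                findings.append((domain, "default password in use"))
            elif words[1:3] == ["password", "simple"]:
                findings.append((domain, "password saved in simple text"))
                if len(words) > 3 and not meets_password_rule(words[3]):
                    findings.append((domain, "password breaks length/class rule"))
    return findings

if __name__ == "__main__":
    for domain, finding in audit_l2tp_authorize(SAMPLE_CONFIG):
        print(f"domain {domain}: {finding}")
```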

Procedure

  1. Run system-view

    The system view is displayed.

  2. Run aaa

    The AAA view is displayed.

  3. Run domain domain-name

    The domain view is displayed.

  4. Run l2tp-group group-name

    An L2TP group is specified for the domain.

  5. (Optional) Run l2tp-user radius-force

    Users in the specified domain use the L2TP attributes delivered by the RADIUS server.

    The L2TP attributes for domain users can be specified by the L2TP group that belongs to the domain or delivered by the RADIUS server. When domain users use the L2TP attributes delivered by the RADIUS server, you do not need to specify an L2TP group for the domain; an L2TP group is invalid even if one is specified.

    The RADIUS server can deliver attributes such as tunnel-type (64), tunnel_client_endpoint (66), tunnel_server_endpoint (67), tunnel-client-auth-id (90), tunnel_password (69), and tunnel-assignment-id (82). If the RADIUS server does not deliver the L2TP group name, the NE40E considers the user as an ordinary PPP user.

    The L2TP attributes delivered by the RADIUS server have a higher priority than the local L2TP attributes. For example, if the LNS address configured in group lac1 is 10.10.10.1 and the RADIUS server delivers the LNS address 10.20.20.1 and L2TP group lac1, the LNS address 10.20.20.1 takes effect. If the RADIUS server delivers only the L2TP group lac1, the LNS address 10.10.10.1 takes effect.

    NOTE:

    The L2TP group name and the tunnel type must be delivered together so that the L2TP attributes delivered by the RADIUS server can take effect and the functions of the L2TP user can be implemented.

    The L2TP attributes delivered by the RADIUS server have a higher priority than the local L2TP attributes. If the L2TP attributes are not delivered by the RADIUS server, do not run this command. Otherwise, L2TP dial-up fails.

  6. (Optional) Run l2tp-authorize [ password { simple simple-password | cipher ciper-password } ]

    The LAC is configured to authenticate an L2TP user using the domain name of the user. This means that the LAC sends the domain name of the user and the set password to the RADIUS server for authentication.

    If the l2tp-authorize command is configured for a domain, the following cases apply:
    • When a new PPP user is to be authenticated by the RADIUS server, and the domain of the PPP user is configured with the l2tp-authorize command, the authentication is set to be the virtual user authentication in the user information table. Otherwise, the original processing flow is followed.
    • In the virtual router authentication, the LAC sends the user name (the domain name of the user) and the password (huawei by default) to the RADIUS server.
    • If the RADIUS server denies the authentication or the sending of the user name and password fails, the LAC sends the original PPP user name to the RADIUS server for the secondary authentication.
    • If the RADIUS server accepts the authentication request, but tunnel-type and TunnelServerEndpoint delivered by the RADIUS server are incorrect, the LAC sends the original PPP user name to the RADIUS server for the secondary authentication.
    • If the RADIUS server accepts the authentication request, and tunnel-type and TunnelServerEndpoint delivered by the RADIUS server are correct, accounting is performed for the PPP user, and the user name used in the accounting is the original PPP user name.

    If the l2tp-authorize command is not configured for a domain, the LAC sends the user name and password entered by the user to the RADIUS server for authentication.

  7. Run commit

    The configuration is committed.
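
The precedence rules in step 5, written out as an added example (not code from the guide or the device): a pre-deployment check of the attributes a RADIUS server would return for a domain that uses l2tp-user radius-force. The page does not say which attribute carries the L2TP group name, so the key used for it is hypothetical; the sample replies are constructed from the page's lac1 example.

```python
# Attribute numbers as listed on this page.
TUNNEL_TYPE = 64
TUNNEL_SERVER_ENDPOINT = 67
# Hypothetical key: the page does not name the attribute that carries the
# L2TP group name, so this example uses a placeholder for it.
GROUP_NAME = "l2tp-group-name"

# Local L2TP group and LNS address from the page's example.
LOCAL_GROUPS = {"lac1": "10.10.10.1"}

def check_radius_reply(attrs, local_groups=LOCAL_GROUPS):
    """Evaluate the L2TP attributes returned for a radius-force domain.

    Returns (status, lns_address, problems), where status is "l2tp" when the
    attributes take effect, "ppp" when the user is handled as an ordinary
    PPP user, and "ineffective" when the attributes cannot take effect.
    """
    group = attrs.get(GROUP_NAME)
    if group is None:
        # Page: no group name delivered -> ordinary PPP user.
        return ("ppp", None, ["no L2TP group name delivered"])
    if attrs.get(TUNNEL_TYPE) is None:
        # Page: group name and tunnel type must be delivered together.
        return ("ineffective", None, ["group name delivered without tunnel-type (64)"])
    # A delivered LNS address overrides the one configured in the local group;
    # if none is delivered, the local group's address applies.
    lns = attrs.get(TUNNEL_SERVER_ENDPOINT) or local_groups.get(group)
    if lns is None:
        return ("ineffective", None, [f"no LNS address delivered or configured for {group}"])
    return ("l2tp", lns, [])

if __name__ == "__main__":
    # Constructed replies; tunnel type 3 is L2TP in RFC 2868.
    samples = [
        {GROUP_NAME: "lac1", TUNNEL_TYPE: 3, TUNNEL_SERVER_ENDPOINT: "10.20.20.1"},
        {GROUP_NAME: "lac1", TUNNEL_TYPE: 3},
        {TUNNEL_TYPE: 3, TUNNEL_SERVER_ENDPOINT: "10.20.20.1"},
        {GROUP_NAME: "lac1", TUNNEL_SERVER_ENDPOINT: "10.20.20.1"},
    ]
    for reply in samples:
        print(check_radius_reply(reply))
```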

Updated: 2019-01-03

Document ID: EDOC1100055031