Generally, L2TP users are authenticated on the LAC, and the LNS does not need to authenticate them again. If the LNS does not trust the LAC, the LNS can re-authenticate users after they are connected to the LNS.
A user can therefore be authenticated twice: the first authentication is performed on the LAC and the second on the LNS. Note that "none" is also an authentication mode.
On the LNS, the user can be authenticated in proxy mode, forcible CHAP mode, or forcible LCP renegotiation mode. The mandatory-chap command configures forcible CHAP re-authentication; the mandatory-lcp command configures LCP renegotiation.
In proxy authentication, the LAC sends all information about a user, together with its locally configured authentication mode, to the LNS, and the LNS then authenticates the user based on the received information.
If neither LCP renegotiation nor forcible CHAP authentication is configured, the LNS authenticates the user in proxy mode.
After the mandatory-chap command is configured on the LNS, if the authentication mode between the LAC and client is not CHAP, the LNS uses the authentication mode configured in the VT template to renegotiate the authentication mode with the client.
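The following audit sketch is an added example, not code from the original page or from any vendor: it reads an LNS configuration and reports which L2TP groups fall back to proxy authentication, that is, which groups accept the LAC's authentication result without re-authenticating the user. The `l2tp-group <id>` stanza layout, the function names and the sample configuration are assumptions, as is the choice to treat mandatory-lcp as taking precedence when both commands are present.

```python
import re

# Constructed sample configuration (not from the page). The stanza syntax
# "l2tp-group <id>" followed by indented commands is an assumption.
SAMPLE_CONFIG = """\
l2tp-group 1
 mandatory-chap
#
l2tp-group 2
#
l2tp-group 3
 mandatory-lcp
 mandatory-chap
#
"""


def lns_auth_modes(config):
    """Return {group_id: effective LNS authentication mode} per l2tp-group."""
    groups = {}
    current = None
    for raw in config.splitlines():
        header = re.match(r"l2tp-group\s+(\S+)", raw)
        if header:
            current = header.group(1)
            groups[current] = set()
        elif not raw.startswith(" "):
            current = None  # any other unindented line closes the stanza
        elif current is not None:
            groups[current].add(raw.strip())

    modes = {}
    for group_id, commands in groups.items():
        if "mandatory-lcp" in commands:
            # Assumption: LCP renegotiation wins when both commands are set.
            modes[group_id] = "lcp-renegotiation"
        elif "mandatory-chap" in commands:
            modes[group_id] = "forcible-chap"
        else:
            # Neither command configured: the LNS relies on what the LAC sent.
            modes[group_id] = "proxy"
    return modes


def groups_trusting_lac(config):
    """List groups where the LNS does not re-authenticate the user itself."""
    return sorted(g for g, m in lns_auth_modes(config).items() if m == "proxy")


if __name__ == "__main__":
    for group_id, mode in sorted(lns_auth_modes(SAMPLE_CONFIG).items()):
        print(f"l2tp-group {group_id}: {mode}")
    print("relies on LAC authentication:", groups_trusting_lac(SAMPLE_CONFIG))
```
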