Configuring L2TP User Attributes

L2TP user attributes include the tunnel type, tunnel source and destination IP addresses, and tunnel name and password. Note that the L2TP user attributes delivered by a RADIUS server take precedence over the locally configured L2TP attributes.

Context

After configuring an L2TP group, you can apply the L2TP group to a domain. The domain and the L2TP tunnel in the group are then associated, and the NetEngine 8000 F can then use the associated L2TP tunnel to deliver the services of an ISP in a batch to an access server (LNS). In this manner, multi-ISP service wholesale is implemented.

Procedure

  1. Run system-view

    The system view is displayed.

  2. Run aaa

    The AAA view is displayed.

  3. Run domain domain-name

    The domain view is displayed.

  4. Run l2tp-group group-name

    An L2TP group is specified for the domain.

  5. (Optional) Run l2tp-user radius-force

    Users in the specified domain use the L2TP attributes delivered by the RADIUS server.

    The L2TP attributes of domain users can be specified by an L2TP group that belongs to the domain or delivered by the RADIUS server. When domain users use the L2TP attributes delivered by the RADIUS server, you do not need to specify an L2TP group for the domain. Even if you specify an L2TP group, it does not take effect.

    The RADIUS server can deliver such attributes as Tunnel-Type (64), Tunnel-Client-Endpoint (66), Tunnel-Server-Endpoint (67), Tunnel-Client-Auth-ID (90), Tunnel-Password (69), and Tunnel-Assignment-ID (82). If the RADIUS server does not deliver any L2TP group name, the NetEngine 8000 F considers users as ordinary PPP users.

    The L2TP attributes delivered by a RADIUS server have a higher priority than the locally configured L2TP attributes. For example, if the LNS address is configured as 10.10.10.1 in the L2TP group lac1 and is delivered by a RADIUS server to a LAC as 10.20.20.1 in the L2TP group lac1, the LNS address 10.20.20.1 takes effect. If the RADIUS server delivers only the L2TP group lac1, the LNS address 10.10.10.1 takes effect.

    The L2TP group name and the tunnel type must be delivered together so that the L2TP attributes delivered by the RADIUS server can take effect and the L2TP user functions can be implemented.

    If you do not want to use the L2TP attributes delivered by the RADIUS server, do not run the l2tp-user radius-force command. Otherwise, L2TP dial-up fails.

  6. (Optional) Run l2tp-authorize [ password { simple simple-password | cipher cipher-password } ]

    The LAC is configured to send the user domain name and password to the RADIUS server for authentication.

    For security purposes, use an eight-character or longer password that contains at least two types of the following: uppercase letters, lowercase letters, digits, and special characters. You are advised to configure your password in ciphertext mode and change it periodically.

    If the l2tp-authorize command is configured for a domain, the following authentication rules apply:
    • When a new PPP user is to be authenticated by the RADIUS server and resides in the domain configured with the l2tp-authorize command, virtual user authentication is set in the user information table. If the user is not to be authenticated by the RADIUS server and does not reside in the domain configured with the l2tp-authorize command, the original authentication flow for ordinary PPP users is followed.
    • When an Access-Request message is sent to a RADIUS server for virtual user authentication, the LAC sends the domain name as the username and the password (huawei by default) to the RADIUS server.
    • If the RADIUS server denies the authentication or the Access-Request message fails to be sent, the LAC sends the original PPP username to the RADIUS server for a secondary authentication.
    • If the RADIUS server accepts the authentication request, but the Tunnel-Type and Tunnel-Server-Endpoint delivered by the RADIUS server are incorrect, the LAC sends the original PPP username to the RADIUS server for a secondary authentication.
    • If the RADIUS server accepts the authentication request and the Tunnel-Type and Tunnel-Server-Endpoint delivered by the RADIUS server are correct, accounting is performed for the PPP user, and the username used in the accounting is the original PPP username.

    If the l2tp-authorize command is not configured for a domain, the LAC sends the username and password entered by the user to the RADIUS server for authentication.

  7. Run idle-cut idle-time { idle-data | zero-rate } [ inbound | outbound ]

    Idle cut is enabled: a user is logged out when the user's traffic volume within the specified period is lower than the configured threshold.

    This command prevents a user from occupying bandwidth resources when no traffic is transmitted for the user for a long time.

  8. Run commit

    The configuration is committed.
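The following is an added model of the two decision rules described in steps 5 and 6 (RADIUS-delivered L2TP attributes overriding the local L2TP group, and the l2tp-authorize virtual-user flow). It is not NetEngine or Huawei code. It assumes that Tunnel-Assignment-ID (82) carries the L2TP group name, that Tunnel-Type value 3 denotes L2TP (RFC 2868), and that "incorrect" tunnel attributes means a Tunnel-Type other than L2TP or a Tunnel-Server-Endpoint that is not an IP address; the local group lac1, the RADIUS stub demo_radius, the domain isp1 and the user alice@isp1 are constructed sample data, with only the LNS addresses 10.10.10.1 and 10.20.20.1 taken from the text above.

```python
import ipaddress
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple

# RFC 2868 tunnel attribute numbers listed on the page
TUNNEL_TYPE = 64
TUNNEL_CLIENT_ENDPOINT = 66
TUNNEL_SERVER_ENDPOINT = 67
TUNNEL_PASSWORD = 69
TUNNEL_ASSIGNMENT_ID = 82   # assumption: carries the L2TP group name
TUNNEL_CLIENT_AUTH_ID = 90
TUNNEL_TYPE_L2TP = 3        # RFC 2868 Tunnel-Type value for L2TP

Attrs = Dict[int, object]
# Stand-in for the RADIUS exchange: (username, password) -> (accepted, attributes).
# Raising OSError models "the Access-Request message fails to be sent".
RadiusFn = Callable[[str, str], Tuple[bool, Attrs]]


@dataclass
class L2tpGroup:
    name: str
    lns_address: str
    tunnel_name: str
    tunnel_password: str


@dataclass
class Result:
    kind: str                        # "l2tp" (tunnelled) or "ppp" (ordinary PPP user)
    lns_address: Optional[str] = None
    tunnel_name: Optional[str] = None
    tunnel_password: Optional[str] = None
    reason: str = ""


def tunnel_attrs_valid(attrs: Attrs) -> bool:
    """Assumed meaning of 'Tunnel-Type and Tunnel-Server-Endpoint are correct'."""
    if attrs.get(TUNNEL_TYPE) != TUNNEL_TYPE_L2TP:
        return False
    try:
        ipaddress.ip_address(str(attrs.get(TUNNEL_SERVER_ENDPOINT, "")))
        return True
    except ValueError:
        return False


def resolve_l2tp_attributes(local_groups: Dict[str, L2tpGroup], attrs: Attrs) -> Result:
    """Precedence for a domain with l2tp-user radius-force: delivered values override
    the local group, the group name and Tunnel-Type must arrive together, and no
    group name means an ordinary PPP user."""
    group_name = attrs.get(TUNNEL_ASSIGNMENT_ID)
    if group_name is None:
        return Result("ppp", reason="RADIUS delivered no L2TP group name")
    if attrs.get(TUNNEL_TYPE) != TUNNEL_TYPE_L2TP:
        # Assumption: a group name delivered without Tunnel-Type does not take effect.
        return Result("ppp", reason="L2TP group name delivered without Tunnel-Type")
    group = local_groups.get(str(group_name))
    if group is None:
        # Assumption: a group name with no local L2TP group cannot be honoured.
        return Result("ppp", reason="no local L2TP group named " + str(group_name))
    # Every delivered attribute wins; anything not delivered comes from the local group.
    return Result(
        "l2tp",
        lns_address=str(attrs.get(TUNNEL_SERVER_ENDPOINT, group.lns_address)),
        tunnel_name=str(attrs.get(TUNNEL_CLIENT_AUTH_ID, group.tunnel_name)),
        tunnel_password=str(attrs.get(TUNNEL_PASSWORD, group.tunnel_password)),
        reason="RADIUS attributes override local group " + group.name,
    )


def lac_authenticate(domain: str, ppp_user: str, ppp_password: str,
                     authorize_password: Optional[str], radius: RadiusFn,
                     local_groups: Dict[str, L2tpGroup]) -> Tuple[Optional[Result], Optional[str]]:
    """l2tp-authorize flow on the LAC. Returns (result, accounting username);
    (None, None) means the user was not authenticated."""
    if authorize_password is not None:
        # Virtual user authentication: domain name as username, l2tp-authorize password.
        try:
            accepted, attrs = radius(domain, authorize_password)
        except OSError:
            accepted, attrs = False, {}
        if accepted and tunnel_attrs_valid(attrs):
            # Accounting uses the original PPP username, not the domain name.
            return resolve_l2tp_attributes(local_groups, attrs), ppp_user
        # Rejected, not sent, or unusable tunnel attributes: secondary authentication.
    accepted, attrs = radius(ppp_user, ppp_password)
    if not accepted:
        return None, None
    return resolve_l2tp_attributes(local_groups, attrs), ppp_user


# Constructed sample data: local group lac1 with the LNS address from the text.
LOCAL_GROUPS = {"lac1": L2tpGroup("lac1", "10.10.10.1", "lac1-tunnel", "local-secret")}


def demo_radius(username: str, password: str) -> Tuple[bool, Attrs]:
    """Constructed RADIUS stub: domain isp1 is a known virtual user that is
    steered to 10.20.20.1; alice@isp1 is an ordinary PPP user."""
    if username == "isp1" and password == "huawei":
        return True, {TUNNEL_ASSIGNMENT_ID: "lac1", TUNNEL_TYPE: TUNNEL_TYPE_L2TP,
                      TUNNEL_SERVER_ENDPOINT: "10.20.20.1"}
    if username == "alice@isp1":
        return True, {}
    return False, {}
```

Running resolve_l2tp_attributes with the group name, Tunnel-Type and a Tunnel-Server-Endpoint of 10.20.20.1 yields the delivered LNS address, while delivering only the group name and Tunnel-Type falls back to the local 10.10.10.1, which is the precedence behaviour the text describes; lac_authenticate shows that a rejected virtual-user request falls through to a second Access-Request carrying the original PPP username, and that accounting is always tied to that original username.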

Copyright © Huawei Technologies Co., Ltd.