Method used to configure the NAS-Initialized VPN (RADIUS authentication) on the USG2000 and USG5000

The method used to configure the NAS-Initialized VPN (RADIUS authentication) on the USG2000 and USG5000 is as follows:
Scenario: a user dials in to the LAC over PPPoE and is authenticated (PPP CHAP) against a RADIUS server. Because the user belongs to domain net1, the LAC then initiates an L2TP tunnel to the LNS, which authenticates the user again via its own RADIUS server and assigns the user an address from a pool.
1. Configure the LAC.
a. Configure the default route. Assume that the next hop address on the path from the LAC to the LNS is 202.38.160.2.
system-view
[USG] sysname LAC
[LAC] ip route-static 0.0.0.0 0.0.0.0 202.38.160.2
b. Create the virtual interface template and bind it with the interface.
[LAC] interface Virtual-Template 1
[LAC-Virtual-Template1] ppp authentication-mode chap
[LAC-Virtual-Template1] quit
[LAC] interface GigabitEthernet 0/0/5
[LAC-GigabitEthernet0/0/5] pppoe-server bind virtual-template 1
[LAC-GigabitEthernet0/0/5] quit
Note:
Bind the virtual interface template to the interface that faces the dial-up users; this binding is what enables the PPPoE server function on that interface.
c. Enable the L2TP.
[LAC] l2tp enable
d. Create and configure the L2TP group.
[LAC] l2tp-group 1
[LAC-l2tp1] start l2tp ip 202.38.161.1 domain net1
[LAC-l2tp1] tunnel authentication
[LAC-l2tp1] tunnel password cipher Hello123
[LAC-l2tp1] tunnel name LAC
[LAC-l2tp1] quit
e. Create the authentication scheme.
[LAC] aaa
[LAC-aaa] authentication-scheme auth1
[LAC-aaa-authen-auth1] authentication-mode radius
[LAC-aaa-authen-auth1] return
f. Configure the RADIUS template.
system-view
[LAC] radius-server template temp
[LAC-radius-temp] radius-server authentication 10.1.1.2 1812
[LAC-radius-temp] radius-server user-name domain-included
[LAC-radius-temp] radius-server shared-key key1
[LAC-radius-temp] quit
Note:
The radius-server user-name domain-included command is configured by default; with it, the user name is sent to the RADIUS server together with its domain suffix (for example vpdnuser@net1), so the server must know the users in that form. The shared key must be identical to the key the RADIUS server has configured for this client; it is the only protection on the RADIUS exchange, so use a long random value in production rather than a placeholder such as key1.
g. Configure the domain, and apply the RADIUS template and authentication scheme.
[LAC] aaa
[LAC-aaa] domain net1
[LAC-aaa-domain-net1] authentication-scheme auth1
[LAC-aaa-domain-net1] radius-server temp
[LAC-aaa-domain-net1] quit
2. Configure the LNS.
a. Create the virtual interface template.
system-view
[USG] sysname LNS
[LNS] interface Virtual-Template 1
b. Configure the virtual interface template.
[LNS-Virtual-Template1] ip address 10.2.1.1 24
[LNS-Virtual-Template1] ppp authentication-mode chap
[LNS-Virtual-Template1] quit
c. Enable the L2TP.
[LNS] l2tp enable
d. Create and configure the L2TP group.
[LNS] l2tp-group 1
[LNS-l2tp1] allow l2tp virtual-template 1
[LNS-l2tp1] tunnel authentication
[LNS-l2tp1] tunnel name LNS
[LNS-l2tp1] tunnel password cipher Hello123
[LNS-l2tp1] quit
e. Create the authentication scheme.
[LNS] aaa
[LNS-aaa] authentication-scheme auth1
[LNS-aaa-authen-auth1] authentication-mode radius
[LNS-aaa-authen-auth1] return
f. Configure the RADIUS template.
system-view
[LNS] radius-server template temp
[LNS-radius-temp] radius-server authentication 10.1.2.2 1812
[LNS-radius-temp] radius-server user-name domain-included
[LNS-radius-temp] radius-server shared-key key1
[LNS-radius-temp] quit
Note:
The radius-server user-name domain-included command is configured by default. The LNS authenticates the tunneled PPP user against its own RADIUS server (10.1.2.2 here), so that server must know the same user accounts as the server used by the LAC, and the shared key must match what that server holds for the LNS.
g. Configure the domain, and apply the RADIUS template and authentication scheme.
[LNS] aaa
[LNS-aaa] domain net1
[LNS-aaa-domain-net1] authentication-scheme auth1
[LNS-aaa-domain-net1] radius-server temp
h. Configure the IP address pool.
[LNS-aaa-domain-net1] ip pool 1 10.2.1.2 10.2.1.99
[LNS-aaa-domain-net1] quit
i. Allocate an address in the IP address pool to the peer interface.
[LNS] interface virtual-template 1
[LNS-Virtual-Template1] remote address pool 1
[LNS-Virtual-Template1] quit

Other related questions:
Configuration of the NAS-Initialized VPN on the USG2000 and USG5000
The method used to configure the NAS-Initialized VPN (local authentication) on the USG2000 and USG5000 is as follows: The PC is connected to the LAC by means of PPP dialup. The LAC and LNS communicate over a tunnel on a WAN. The user accesses the network using the domain name. The user name and password are authenticated on the LAC and LNS in local authentication mode.
1. Configure the LAC.
a. Create the virtual interface template and bind it with the interface.
system-view
[LAC] interface Virtual-Template 1
[LAC-Virtual-Template1] ppp authentication-mode chap
[LAC-Virtual-Template1] quit
[LAC] interface GigabitEthernet 0/0/1
[LAC-GigabitEthernet0/0/1] pppoe-server bind virtual-template 1
[LAC-GigabitEthernet0/0/1] quit
b. Enable the L2TP.
[LAC] l2tp enable
c. Create and configure the L2TP group.
[LAC] l2tp-group 1
[LAC-l2tp1] tunnel name LAC
[LAC-l2tp1] start l2tp ip 202.38.163.1 domain domain1.com
[LAC-l2tp1] tunnel authentication
[LAC-l2tp1] tunnel password cipher Password1
[LAC-l2tp1] quit
d. Configure the domain name suffix separator.
[LAC] l2tp domain suffix-separator @
e. Set the user name and password (consistent with those configured on the user side).
[LAC] aaa
[LAC-aaa] local-user vpdnuser@domain1.com password cipher Hello123
f. Configure the domain accessed by the user.
[LAC-aaa] domain domain1.com
2. Configure the LNS.
a. Create virtual template Virtual-Template 1 and configure the related information.
[LNS] interface virtual-template 1
[LNS-Virtual-Template1] ip address 192.168.0.1 255.255.255.0
[LNS-Virtual-Template1] ppp authentication-mode chap
[LNS-Virtual-Template1] quit
b. Enable the L2TP.
[LNS] l2tp enable
c. Create and configure the L2TP group.
[LNS] l2tp-group 1
[LNS-l2tp1] tunnel name LNS
[LNS-l2tp1] allow l2tp virtual-template 1 remote LAC
[LNS-l2tp1] tunnel authentication
[LNS-l2tp1] tunnel password cipher Password1
d. Configure forcible CHAP verification on the local end, so that the LNS re-authenticates the user itself instead of relying on the LAC's result.
[LNS-l2tp1] mandatory-chap
[LNS-l2tp1] quit
e. Configure the domain name suffix separator.
[LNS] l2tp domain suffix-separator @
f. Set the user name and password (consistent with those configured on the LAC).
[LNS] aaa
[LNS-aaa] local-user vpdnuser@domain1.com password cipher Hello123
g. Configure the domain name accessed by the user.
[LNS-aaa] domain domain1.com
h. Configure the address pool allocated to the user.
[LNS-aaa-domain-domain1.com] ip pool 1 192.168.0.2 192.168.0.100
[LNS-aaa-domain-domain1.com] quit
[LNS-aaa] quit
Note:
Because the addresses in the IP address pool are not in the same network segment as the intranet addresses, you need to configure a route to network segment 192.168.0.0 on the HQ device, with the next hop set to 192.168.1.1.
i. Allocate an address in the IP address pool to the peer interface.
[LNS] interface virtual-template 1
[LNS-Virtual-Template1] remote address pool 1
[LNS-Virtual-Template1] quit

Configuration of the Client-Initialized VPN on the USG2000 and USG5000
The method used to configure the Client-Initialized VPN on the USG2000 and USG5000 is as follows: The L2TP client initiates the tunnel establishment request directly to the LNS; no LAC is involved. The LNS allocates an address to the client. The HQ network can connect to the Internet through the LNS. An employee on a business trip initiates the tunnel by means of L2TP dialup, so L2TP client software must be installed on the employee's PC.
Configure the Client-Initialized VPN using the CLI:
1. Configure the LNS.
a. Create and configure the virtual interface template.
[LNS] interface virtual-template 1
[LNS-Virtual-Template1] ip address 192.168.0.1 255.255.255.0
[LNS-Virtual-Template1] ppp authentication-mode chap
[LNS-Virtual-Template1] quit
b. Enable the L2TP.
[LNS] l2tp enable
c. Create and configure the L2TP group.
[LNS] l2tp-group 1
d. Configure the local tunnel name and accept incoming tunnel requests on the virtual template.
[LNS-l2tp1] tunnel name LNS
[LNS-l2tp1] allow l2tp virtual-template 1
[LNS-l2tp1] tunnel authentication
[LNS-l2tp1] tunnel password cipher Password123
Note:
If the user dials up with the L2TP client built into Windows, do not configure tunnel authentication in the L2TP group: that client cannot supply a tunnel password, so an LNS that challenges it will tear the tunnel down. The user is still authenticated by PPP CHAP.
e. Define an address pool and allocate an IP address to the dial-up user.
[LNS] aaa
[LNS-aaa] ip pool 1 192.168.0.2 192.168.0.100
f. Set the user name and password (consistent with those configured on the PC of the employee on a business trip).
[LNS-aaa] local-user vpdnuser password cipher Hello123
[LNS-aaa] quit
Note:
Because the addresses in the IP address pool are not in the same network segment as the intranet addresses, you need to configure a route to network segment 192.168.0.0 on the HQ device, with the next hop set to 192.168.1.1.
g. Allocate an address in the IP address pool to the peer interface.
[LNS] interface virtual-template 1
[LNS-Virtual-Template1] remote address pool 1
[LNS-Virtual-Template1] quit
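The tunnel authentication and tunnel password commands, both in the NAS-initialized procedure above and in this client-initialized one, drive the challenge-response defined in RFC 2661 section 5.1.1: each side may put a Challenge AVP in its SCCRQ or SCCRP, and the peer must answer in the next control message with MD5 over the one-octet message type, the shared tunnel password and the challenge. The following added example (not code from the page or from Huawei) simulates the SCCRQ, SCCRP and SCCCN exchange between a LAC and an LNS, including the two failure modes a practitioner meets: a password mismatch, and a peer such as the Windows client that has no tunnel password at all. Passwords and the status strings are constructed for the example.

```python
"""L2TP tunnel authentication (RFC 2661 section 5.1.1) between a LAC and an LNS, simulated end to end."""
import hashlib
import secrets

# Control message types whose Challenge Response AVP is bound to the message type (RFC 2661).
SCCRQ, SCCRP, SCCCN = 1, 2, 3


def challenge_response(msg_type: int, tunnel_password: bytes, challenge: bytes) -> bytes:
    """RFC 2661 5.1.1: MD5 over the one-octet message type, the shared secret and the challenge."""
    return hashlib.md5(bytes([msg_type]) + tunnel_password + challenge).digest()


def establish_tunnel(lac_password, lns_password) -> str:
    """Run SCCRQ -> SCCRP -> SCCCN between a LAC and an LNS.

    A side whose password is None has tunnel authentication disabled: it sends no Challenge AVP
    and cannot answer one. Returns 'established' or a constructed reason for sending StopCCN.
    """
    # 1. SCCRQ (LAC -> LNS): carries a Challenge AVP only when the LAC has tunnel authentication on.
    lac_challenge = secrets.token_bytes(16) if lac_password is not None else None

    # 2. LNS handles SCCRQ and builds SCCRP: answers the LAC's challenge and issues its own.
    if lac_challenge is not None and lns_password is None:
        return "lns-cannot-answer-challenge"  # LNS has no tunnel password configured
    lns_response = (challenge_response(SCCRP, lns_password, lac_challenge)
                    if lac_challenge is not None else None)
    lns_challenge = secrets.token_bytes(16) if lns_password is not None else None

    # 3. LAC handles SCCRP: verifies the LNS's answer, then answers the LNS's challenge in SCCCN.
    if lac_challenge is not None:
        expected = challenge_response(SCCRP, lac_password, lac_challenge)
        if not secrets.compare_digest(expected, lns_response):
            return "lns-failed-authentication"  # tunnel password mismatch
    if lns_challenge is not None and lac_password is None:
        return "lac-cannot-answer-challenge"  # e.g. the Windows client: no tunnel password
    lac_response = (challenge_response(SCCCN, lac_password, lns_challenge)
                    if lns_challenge is not None else None)

    # 4. LNS handles SCCCN: verifies the LAC's answer; the control connection is now up.
    if lns_challenge is not None:
        expected = challenge_response(SCCCN, lns_password, lns_challenge)
        if not secrets.compare_digest(expected, lac_response):
            return "lac-failed-authentication"
    return "established"


if __name__ == "__main__":
    print(establish_tunnel(b"Hello123", b"Hello123"))     # established
    print(establish_tunnel(b"Hello123", b"Hello124"))     # lns-failed-authentication
    print(establish_tunnel(None, b"Password123"))         # lac-cannot-answer-challenge
    print(establish_tunnel(None, None))                   # established (no tunnel authentication)
```

The third call is the Windows-client case from the note above: the LNS challenges a peer that cannot answer, so the only way to bring the tunnel up is to leave tunnel authentication off on the LNS. Note also what tunnel authentication does and does not give you: it authenticates the control-connection setup with a static shared secret and MD5, and nothing more; L2TP by itself encrypts neither the control channel nor the user's PPP frames, so across an untrusted network it should be carried over IPsec.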

Configuring IPS for the USG2000 and USG5000
Configure IPS on the USG2000 or USG5000. The procedure is as follows:
1. Configure global IPS parameters.
system-view //Access the system view.
ips enable //Enable the IPS function.
ips mode { protective | warning } //Configure the IPS operating mode.
2. Configure the IPS signatures: upgrade the predefined signature database, or configure a custom signature. The procedure for configuring a custom signature is as follows:
ips signature signature-id //Create a custom IPS signature and access the IPS signature view.
a. name name //Configure the name of the custom IPS signature.
b. protocol protocol-name [ [ severity { informational | notification | warning | error | critical } ] | [ direction { to-server | to-client | any } ] | [ source-ip { any | ip-address mask } ] | [ source-port { any | port-number | high | low } ] | [ destination-ip { any | ip-address mask } ] | [ destination-port { any | port-num | high | low } ] | [ offset { { packet | stream } offset-value | any } ] | [ max-stream-len { stream-len | any } ] ] * //Configure the protocol, severity, direction, addresses, ports and match offsets of the custom IPS signature.
c. regex regex //Configure the regular expression that describes the behavioral characteristics of the attack.
3. Configure the IPS policy.
ips policy policy-name //Create the IPS policy and access the IPS policy view.
signature-set signature-set-name //Create a signature set and access the signature set view.
direction enable //Enable filtering of signatures in the signature set by signature direction.
direction { { to-server | to-client | any } * | all } //Add signatures of the specified direction to the signature set.
severity enable //Enable filtering of signatures in the signature set by signature severity.
severity { above | below } { informational | notification | warning | error | critical } //Add signatures of the specified severity to the signature set.
reliability enable //Enable filtering of signatures in the signature set by signature reliability.
reliability { above | below } { low | medium | high } //Add signatures of the specified reliability to the signature set.
protocol enable //Enable filtering of signatures in the signature set by protocol.
protocol { protocol-name &<1-10> | all } //Add signatures of the specified protocol to the signature set.
category enable //Enable filtering of signatures in the signature set by category.
category mode { or | and } //Configure the matching mode for categories in the signature set.
category { category-name &<1-10> | all } //Add signatures of the specified category to the signature set.
signature-set [ enable ] action { alert | block } //Configure the enabling status and response mode of the signature set.
signature-set move signature-set-name1 { before | after } signature-set-name2 //Modify the priority of the signature set.
ips policy policy-name //Access the IPS policy view again (the policy created above).
override-signature signature-id enable action { block | alert } //Enable signature overriding and configure the response mode for that signature.
4. Apply the IPS policy.
policy zone zone-name //Access the intra-zone firewall policy view.
policy interzone zone-name1 [ vpn-instance vpn-instance-name ] zone-name2 { inbound | outbound } //Access the inter-zone firewall policy view.
policy policy-id //Create a firewall policy and access the policy ID view.
action permit //Configure the action of the firewall policy to permit.
policy ips ips-policy //Apply the IPS policy.

Method used to configure the L2TP-based access to the L3 VPN on the USG2000 and USG5000
The method used to configure L2TP-based access to an L3 VPN on the USG2000 and USG5000 is as follows: Most carriers adopt MPLS VPN networking, but MPLS VPN alone cannot satisfy some special requirements, for example:
a. A user served by one VPN needs to access resources in another VPN.
b. The carrier provides a shared LNS to enterprise users who use the MPLS VPN. Mobile users of each enterprise access their enterprise intranet over the LNS. Because the LNS is shared by multiple enterprises, it must place each user's session into the VPN instance belonging to that user's enterprise.
Procedure
1. Configure the LAC.
a. Set the user name and password.
b. Create two zones.
c. Configure the domain name suffix separator.
[LAC] l2tp domain suffix-separator @
d. Create the virtual interface template and bind it with the interface.
e. Create two L2TP groups and configure the related attributes.
2. Configure the LNS.
a. Create two VPN instances, vpna and vpnb.
b. Configure the interface connected to enterprise network A, and bind it to vpna.
c. Configure the interface connected to enterprise network B, and bind it to vpnb.
d. Create the authentication scheme.
e. Configure the RADIUS template.
f. Configure the domain name suffix separator.
[LNS] l2tp domain suffix-separator @
g. Create two Virtual-Template interfaces, bound to vpna and vpnb respectively.
h. Create two zones and bind them to the corresponding virtual templates and address pools.
i. Create two L2TP groups.

Method used to configure RADIUS authentication on the AR
RADIUS authentication is a remote authentication mode. The access device acts as a RADIUS client: it collects the user's credentials (such as the user name and password) and sends them to a remote RADIUS server (the AAA server). The RADIUS server authenticates the user based on that information and, once the user is authenticated, performs authorization and accounting. Centralizing authentication, authorization and accounting on the RADIUS server lets users be managed uniformly, which helps to secure the network.
