Configuring the LNS to use the RADIUS server to authenticate mobile users in a Client-Initiated scenario


Configure the LNS to use the RADIUS server to authenticate mobile users in a Client-Initiated scenario as described in the following configuration example:
Example for Configuring L2TP VPN (RADIUS Authentication) in the Client-Initiated Scenario

Other related questions:
Does the AR used as the LNS support RADIUS authentication?
The AR that functions as the L2TP network server (LNS) supports RADIUS authentication.

Method used to configure the NAS-Initialized VPN (RADIUS authentication) on the USG2000 and USG5000
The method used to configure the NAS-Initialized VPN (RADIUS authentication) on the USG2000 and USG5000 is as follows. A user connects to the LAC over PPPoE and is authenticated by the RADIUS server.

1. Configure the LAC.

a. Configure the default route. Assume that the next hop address on the path from the LAC to the LNS is 202.38.160.2.
   system-view
   [USG] sysname LAC
   [LAC] ip route-static 0.0.0.0 0.0.0.0 202.38.160.2
b. Create the virtual interface template and bind it to the interface.
   [LAC] interface Virtual-Template 1
   [LAC-Virtual-Template1] ppp authentication-mode chap
   [LAC-Virtual-Template1] quit
   [LAC] interface GigabitEthernet 0/0/5
   [LAC-GigabitEthernet0/0/5] pppoe-server bind virtual-template 1
   [LAC-GigabitEthernet0/0/5] quit
   Note: Bind the virtual interface template to the interface that is connected to the dial-up user so that the LAC can provide the PPPoE server function.
c. Enable L2TP.
   [LAC] l2tp enable
d. Create and configure the L2TP group.
   [LAC] l2tp-group 1
   [LAC-l2tp1] start l2tp ip 202.38.161.1 domain net1
   [LAC-l2tp1] tunnel authentication
   [LAC-l2tp1] tunnel password cipher Hello123
   [LAC-l2tp1] tunnel name LAC
   [LAC-l2tp1] quit
e. Create the authentication scheme.
   [LAC] aaa
   [LAC-aaa] authentication-scheme auth1
   [LAC-aaa-authen-auth1] authentication-mode radius
   [LAC-aaa-authen-auth1] return
f. Configure the RADIUS template.
   system-view
   [LAC] radius-server template temp
   [LAC-radius-temp] radius-server authentication 10.1.1.2 1812
   [LAC-radius-temp] radius-server user-name domain-included
g. By default, the radius-server user-name domain-included command has been configured.
   [LAC-radius-temp] radius-server shared-key key1
   [LAC-radius-temp] quit
h. Configure the domain, and apply the RADIUS template and authentication scheme.
   [LAC] aaa
   [LAC-aaa] domain net1
   [LAC-aaa-domain-net1] authentication-scheme auth1
   [LAC-aaa-domain-net1] radius-server temp
   [LAC-aaa-domain-net1] quit

2. Configure the LNS.

a. Create the virtual interface template.
   system-view
   [USG] sysname LNS
   [LNS] interface Virtual-Template 1
b. Configure the virtual interface template.
   [LNS-Virtual-Template1] ip address 10.2.1.1 24
   [LNS-Virtual-Template1] ppp authentication-mode chap
   [LNS-Virtual-Template1] quit
c. Enable L2TP.
   [LNS] l2tp enable
d. Create and configure the L2TP group.
   [LNS] l2tp-group 1
   [LNS-l2tp1] allow l2tp virtual-template 1
   [LNS-l2tp1] tunnel authentication
   [LNS-l2tp1] tunnel name LNS
   [LNS-l2tp1] tunnel password cipher Hello123
   [LNS-l2tp1] quit
e. Create the authentication scheme.
   [LNS] aaa
   [LNS-aaa] authentication-scheme auth1
   [LNS-aaa-authen-auth1] authentication-mode radius
   [LNS-aaa-authen-auth1] return
f. Configure the RADIUS template.
   system-view
   [LNS] radius-server template temp
   [LNS-radius-temp] radius-server authentication 10.1.2.2 1812
   [LNS-radius-temp] radius-server user-name domain-included
g. By default, the radius-server user-name domain-included command has been configured.
   [LNS-radius-temp] radius-server shared-key key1
   [LNS-radius-temp] quit
h. Configure the domain, and apply the RADIUS template and authentication scheme.
   [LNS] aaa
   [LNS-aaa] domain net1
   [LNS-aaa-domain-net1] authentication-scheme auth1
   [LNS-aaa-domain-net1] radius-server temp
i. Configure the IP address pool.
   [LNS-aaa-domain-net1] ip pool 1 10.2.1.2 10.2.1.99
   [LNS-aaa-domain-net1] quit
j. Allocate an address in the IP address pool to the peer interface.
   [LNS] interface virtual-template 1
   [LNS-Virtual-Template1] remote address pool 1
   [LNS-Virtual-Template1] quit

Why does RADIUS authentication fail when the RADIUS server template and RADIUS server are properly configured?
This problem has the following possible causes:
- The IP address of the router (a RADIUS client) is not configured on the RADIUS server, so the RADIUS server cannot send an authentication response packet to the router.
- Different shared keys are configured on the router and the RADIUS server.
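The two failure causes above are easiest to understand at the packet level. The following Python program is an added illustration, not Huawei code: it models the LNS from the USG configuration above (PPP CHAP on the virtual template, user name sent with its domain, RADIUS shared key key1) as a RADIUS client, and a minimal simulated RADIUS server, using the RFC 2865 packet layout and the RFC 1994 CHAP response. The NAS address 10.1.2.1, the user user1@net1 and the password Pass123 are constructed values; a real server identifies its client by the UDP source address, which the toy server replaces with the NAS-IP-Address attribute. An unregistered client address produces no reply (the router times out), and a shared-key mismatch produces a reply whose Response Authenticator the router cannot verify, so it is discarded.

```python
"""Constructed CHAP-over-RADIUS exchange (RFC 2865 / RFC 1994). Added example,
not vendor code; addresses, user name and password are made-up values."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
# RADIUS attribute types used here
USER_NAME, CHAP_PASSWORD, NAS_IP_ADDRESS, FRAMED_IP_ADDRESS, CHAP_CHALLENGE = 1, 3, 4, 8, 60


def chap_response(ident, password, challenge):
    # RFC 1994: response = MD5(ident || secret || challenge)
    return hashlib.md5(bytes([ident]) + password + challenge).digest()


def encode_attrs(attrs):
    # Each attribute is Type(1) Length(1) Value; Length includes the 2 header bytes
    return b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)


def decode_attrs(data):
    attrs, i = {}, 0
    while i < len(data):
        t, l = data[i], data[i + 1]
        attrs[t] = data[i + 2:i + l]
        i += l
    return attrs


def ip_bytes(ip):
    return bytes(int(x) for x in ip.split("."))


def build_packet(code, ident, authenticator, attrs):
    # Code(1) Identifier(1) Length(2) Authenticator(16) Attributes
    body = encode_attrs(attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body


def response_authenticator(code, ident, request_auth, body, secret):
    # RFC 2865 s3: MD5(Code || ID || Length || RequestAuth || Attributes || Secret)
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    return hashlib.md5(header + request_auth + body + secret).digest()


def server_handle(request, secret, users, clients, pool_ip):
    """Simulated RADIUS server. Uses the NAS-IP-Address attribute in place of
    the UDP source address to look up the client (a simplification)."""
    code, ident, length = struct.unpack("!BBH", request[:4])
    request_auth = request[4:20]
    attrs = decode_attrs(request[20:length])
    if attrs[NAS_IP_ADDRESS] not in {ip_bytes(c) for c in clients}:
        return None  # unknown client: RFC 2865 says silently discard
    chap = attrs[CHAP_PASSWORD]            # CHAP Ident(1) + 16-byte response
    challenge = attrs.get(CHAP_CHALLENGE, request_auth)
    expected = chap_response(chap[0], users.get(attrs[USER_NAME], b""), challenge)
    ok = attrs[USER_NAME] in users and hmac.compare_digest(chap[1:], expected)
    reply_code = ACCESS_ACCEPT if ok else ACCESS_REJECT
    reply_attrs = [(FRAMED_IP_ADDRESS, ip_bytes(pool_ip))] if ok else []
    auth = response_authenticator(reply_code, ident, request_auth,
                                  encode_attrs(reply_attrs), secret)
    return build_packet(reply_code, ident, auth, reply_attrs)


def client_verify(reply, request_auth, secret):
    # The NAS recomputes the Response Authenticator with its own shared key
    code, ident, length = struct.unpack("!BBH", reply[:4])
    expected = response_authenticator(code, ident, request_auth, reply[20:length], secret)
    return hmac.compare_digest(reply[4:20], expected)


def authenticate(user, password, nas_ip, nas_secret, server_secret, server_clients):
    """One CHAP-over-RADIUS exchange, classified as the LNS would see it."""
    ident, chap_ident = 7, 1
    request_auth, challenge = os.urandom(16), os.urandom(16)
    attrs = [(USER_NAME, user.encode()),  # domain-included name, e.g. user1@net1
             (CHAP_PASSWORD, bytes([chap_ident]) +
              chap_response(chap_ident, password.encode(), challenge)),
             (CHAP_CHALLENGE, challenge),
             (NAS_IP_ADDRESS, ip_bytes(nas_ip))]
    request = build_packet(ACCESS_REQUEST, ident, request_auth, attrs)
    users = {b"user1@net1": b"Pass123"}   # constructed server-side user database
    reply = server_handle(request, server_secret, users, server_clients, "10.2.1.2")
    if reply is None:
        return "timeout"            # cause 1: client IP not registered on the server
    if not client_verify(reply, request_auth, nas_secret):
        return "bad-authenticator"  # cause 2: shared keys differ, reply discarded
    return "accept" if reply[0] == ACCESS_ACCEPT else "reject"


if __name__ == "__main__":
    print(authenticate("user1@net1", "Pass123", "10.1.2.1", b"key1", b"key1", ["10.1.2.1"]))
    print(authenticate("user1@net1", "Pass123", "10.1.2.1", b"key1", b"key2", ["10.1.2.1"]))
```

From the router's point of view the two causes look alike (the debugging output shows a request with no usable answer), which is why checking the client entry and the shared key on the server side comes first when the template itself is correct.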

How to configure remote authentication for 802.1x authentication users on S series switches
802.1x authentication user information (including the user name, password, and other attributes) for remote authentication and authorization is configured on a remote AAA server. Remote authentication and authorization for 802.1x authentication users feature high network security.

For S series and E series switches (except the S1700) running V200R003C10 and earlier versions, NAC can be configured only in common mode. For switches running V200R005C00 and later versions, NAC can be configured in common or unified mode. Accordingly, remote authentication for 802.1x authentication users can be configured in common or unified mode. For switches running V200R009C00, the configuration model of NAC unified mode changes. Query the appropriate product manual based on the switch model and version. The following links are for reference only.
- For the configuration example in common mode, see "Typical User Access and Authentication Configuration - Typical NAC Configuration (Common Mode) - Example for Configuring 802.1x Authentication to Control Internal User Access" in S1720&S2700&S3700&S5700&S6700&S7700&S9700 Typical Configuration Examples.
- For the configuration example in unified mode on switches running versions from V200R005C00 to V200R008C00, see "Typical User Access and Authentication Configuration - Typical NAC Configuration (Unified Mode) (V200R005C00 to V200R008C00) - Example for Configuring 802.1x Authentication to Control Internal User Access" in S1720&S2700&S3700&S5700&S6700&S7700&S9700 Typical Configuration Examples.
- For the configuration example in unified mode on switches running V200R009C00 and later versions, see "Typical User Access and Authentication Configuration - Typical NAC Configuration (Unified Mode) (V200R009C00 and Later Versions) - Example for Configuring 802.1x Authentication to Control Internal User Access" in S1720&S2700&S3700&S5700&S6700&S7700&S9700 Configuration Guide - User Access and Authentication.
