Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

TechLibrary
Navigation

Supported Platforms

Configuring Access Profiles for L2TP or PPP Parameters

To validate Layer 2 Tunneling Protocol (L2TP) connections and session requests, you set up access profiles by configuring the profile statement at the [edit access] hierarchy level. You can configure multiple profiles. You can also configure multiple clients for each profile.

Tasks for configuring the access profile are:

  1. Configuring the Access Profile
  2. Configuring the L2TP Properties for a Profile
  3. Configuring the PPP Properties for a Profile
  4. Configuring the Authentication Order
  5. Configuring the Accounting Order
  6. Example: Access Profile Configuration

Configuring the Access Profile

To configure the profile, include the profile statement at the [edit access] hierarchy level:

[edit access]profile profile-name;

profile-name is the name assigned to the profile.

Note: The group-profile statement overrides the user-group-profile statement, which is configured at the [edit access profile profile-name] hierarchy level. The profile statement overrides the attributes configured at the [edit access group-profile profile-name] hierarchy level. For information about the user-group-profile statement, see Applying a Configured PPP Group Profile to a Tunnel.

When you configure a profile, you can only configure either L2TP or PPP parameters. You cannot configure both at the same time.

Configuring the L2TP Properties for a Profile

To configure the Layer 2 Tunneling Protocol (L2TP) properties for a profile, include the following statements at the [edit access profile profile-name] hierarchy level:

[edit access profile profile-name]authentication-order [ authentication-methods ];accounting-order radius;
client client-name {group-profile profile-name;l2tp {interface-id interface-id;lcp-renegotiation;local-chap;maximum-sessions-per-tunnel number;ppp-authentication (chap | pap);shared-secret shared-secret;}}
user-group-profile profile-name;

Configuring the PPP Properties for a Profile

To configure the PPP properties for a profile, include the following statements at the [edit access profile profile-name] hierarchy level:

[edit access profile profile-name]authentication-order [ authentication-methods ];
client client-name {chap-secret chap-secret;group-profile profile-name;pap-password pap-password;ppp {cell-overhead;encapsulation-overhead bytes;framed-ip-address ip-address;framed-pool framed-pool;idle-timeout seconds;interface-id interface-id;keepalive seconds;primary-dns primary-dns;primary-wins primary-wins;secondary-dns secondary-dns;secondary-wins secondary-wins;}}

Note: When you configure PPP properties for a profile, you typically configure the chap-secret statement or pap-password statement.

Configuring the Authentication Order

You can configure the order in which the Junos OS tries different authentication methods when authenticating peers. For each access attempt, the software tries the authentication methods in order, from first to last.

To configure the authentication order, include the authentication-order statement at the [edit access profile profile-name] hierarchy level:

[edit access profile profile-name]authentication-order [ authentication-methods ];

In authentication-methods, specify one or more of the following in the preferred order, from first tried to last tried:

  • radius—Verify the client using RADIUS authentication services.
  • password—Verify the client using the information configured at the [edit access profile profile-name client client-name] hierarchy level.

    Note: When you configure the authentication methods for L2TP, only the first configured authentication method is used.

For L2TP, RADIUS authentication servers are configured at the [edit access radius-server] hierarchy level. For more information about configuring RADIUS authentication servers, see Configuring RADIUS Authentication for L2TP.

If you do not include the authentication-order statement, clients are verified by means of password authentication.

Configuring the Accounting Order

You can configure RADIUS accounting for an L2TP profile.

With RADIUS accounting enabled, Juniper Networks routers or switches, acting as RADIUS clients, can notify the RADIUS server about user activities such as software logins, configuration changes, and interactive commands. The framework for RADIUS accounting is described in RFC 2866.

To configure RADIUS accounting, include the accounting-order statement at the [edit access profile profile-name] hierarchy level:

[edit access profile profile-name]accounting-order radius;

When you enable RADIUS accounting for an L2TP profile, it applies to all the clients within that profile. You must enable RADIUS accounting on at least one LT2P profile for the RADIUS authentication server to send accounting stop and start messages.

Note: When you enable RADIUS accounting for an L2TP profile, you do not need to configure the accounting-port statement at the [edit access radius-server server-address] hierarchy level. When you enable RADIUS accounting for an L2TP profile, accounting is triggered on the default port of 1813.

For L2TP, RADIUS authentication servers are configured at the [edit access radius-server] hierarchy level.

Example: Access Profile Configuration

The following example shows a configuration of an access profile:

[edit access]
profile westcoast_bldg_1 {client white {chap-secret "$9$3s2690IeK8X7VKM7VwgaJn/Ctu1hclv87Ct87";# SECRET-DATAppp {idle-timeout 22;primary-dns 192.120.65.10;framed-ip-address 12.12.12.12/32;}group-profile westcoast_users;}client blue {chap-secret "$9$eq1KWxbwgZUHNdjqmTF3uO1Rhr-dsoJDNd";# SECRET-DATAgroup-profile sunnyvale_users;}authentication-order password;}
profile westcoast_bldg_1_tunnel {client test {l2tp {shared-secret "$9$r3HKvLg4ZUDkX7JGjif5p0BIRS8LN";# SECRET-DATAmaximum-sessions-per-tunnel 75;ppp-authentication chap;}group-profile westcoast_tunnel;}client production {l2tp {shared-secret "$9$R2QErv8X-goGylVwg4jiTz36/t0BEleWFnRh rlXxbs2aJDHqf3nCP5";# SECRET-DATAppp-authentication chap;}group-profile westcoast_tunnel;}}

Published: 2013-02-22

Supported Platforms

Published: 2013-02-22

Previous Page Next Page