Configuring the Group Profile for L2TP and PPP
Group Profiles Overview
Optionally, you can configure the group profile to define the Point-to-Point Protocol (PPP) or Layer 2 Tunneling Protocol (L2TP) attributes. Any client referencing the configured group profile inherits all the group profile attributes.
The group-profile statement overrides the user-group-profile statement, which is configured at the [edit access profile profile-name] hierarchy level. The profile statement overrides the attributes configured at the [edit access group-profile profile-name] hierarchy level. For information about the user-group-profile statement, see Applying a Configured PPP Group Profile to a Tunnel.
Configuring L2TP for a Group Profile
To configure the Layer 2 Tunneling Protocol (L2TP) for the group profile, include the following statements at the [edit access group-profile profile-name l2tp] hierarchy level:
interface-id is the identifier for the interface representing an L2TP session configured at the [edit interfaces interface-name unit local-unit-number dial-options] hierarchy level.
You can configure the LNS so that it renegotiates the Link Control Protocol (LCP) with the PPP client (in the renegotiation statement). By default, the PPP client negotiates the LCP with the L2TP access concentrator (LAC). When you configure renegotiation, the LNS discards the last sent and the last received LCP configuration request attribute value pairs (AVPs) from the LAC; that is, the LCP negotiated between the PPP client and the LAC.
You can configure the Junos OS so that the LNS ignores proxy authentication AVPs from the LAC and reauthenticates the PPP client using a CHAP challenge (in the local-chap statement). With local-chap configured, the LNS authenticates the PPP client directly instead of relying on the authentication result forwarded by the LAC. By default, the PPP client is not reauthenticated by the LNS.
number is the maximum number of sessions per L2TP tunnel.
Configuring the PPP Attributes for a Group Profile
To configure the Point-to-Point Protocol (PPP) attributes for a group profile, include the following statements at the [edit access group-profile profile-name ppp] hierarchy level:
The cell-overhead statement configures the session to use Asynchronous Transfer Mode (ATM)-aware egress shaping on the IQ2 PIC.
bytes (in the encapsulation-overhead statement) configures the number of bytes used as overhead for class-of-service calculations.
pool-id (in the framed-pool statement) is the name assigned to the address pool.
seconds (in the idle-timeout statement) is the number of seconds a user can remain idle before the session is terminated. By default, idle timeout is set to 0. You can configure this to be a value in the range from 0 through 4,294,967,295.
interface-id (in the interface-id statement) is the identifier for the interface representing an L2TP session configured at the [edit interfaces interface-name unit local-unit-number dial-options] hierarchy level.
seconds (in the keepalive statement) is the time period that must elapse before the Junos OS checks the status of the PPP session by sending an echo request to the peer. For each session, Junos OS sends out three keepalives at 10-second intervals and the session is closed if there is no response. By default, the time to send a keepalive message is set to 10 seconds. You can configure this to be a value in the range from 0 through 32,767.
primary-dns (in the primary-dns statement) is an IP version 4 (IPv4) address.
secondary-dns (in the secondary-dns statement) is an IPv4 address.
primary-wins (in the primary-wins statement) is an IPv4 address.
secondary-wins (in the secondary-wins statement) is an IPv4 address.
Example: Configuring a Group Profile for PPP and L2TP
CLI Quick Configuration
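A group profile that sets both the L2TP and the PPP attributes described above, as an added example and not the original page's listing. The profile, interface and pool names, the numeric values and the addresses (192.0.2.0/24 documentation range) are constructed placeholders; the statement names lcp-renegotiation and maximum-sessions-per-tunnel are taken from Junos OS rather than from this page's text, which calls the first one the renegotiation statement.

```junos
# Added example: all names, values and addresses are constructed placeholders.
access {
    group-profile example-group {
        l2tp {
            interface-id example-if;
            # LNS renegotiates LCP with the PPP client and discards the
            # LCP configuration request AVPs relayed by the LAC.
            lcp-renegotiation;
            # LNS ignores proxy authentication AVPs from the LAC and
            # reauthenticates the PPP client with its own CHAP challenge.
            local-chap;
            # Upper bound on sessions carried by one L2TP tunnel.
            maximum-sessions-per-tunnel 100;
        }
        ppp {
            framed-pool example-pool;
            # Seconds a user can remain idle before the session is terminated
            # (the default is 0).
            idle-timeout 900;
            interface-id example-if;
            # Seconds before Junos OS sends an echo request to the peer.
            keepalive 10;
            primary-dns 192.0.2.1;
            secondary-dns 192.0.2.2;
        }
    }
}
```

Any client that references example-group inherits all of these attributes.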
Applying a Configured PPP Group Profile to a Tunnel
On M7i and M10i routers, you can optionally apply a configured PPP group profile to a tunnel. For any tunnel client, you can use the user-group-profile statement to define default PPP attributes for all users coming in through a tunnel. The user group profile must define PPP attributes. If the user group profile is specified, all users (PPP sessions) use the PPP attributes specified in the user group profile.
When a PPP client enters a tunnel, the Junos OS first applies the PPP user group profile attributes and then any PPP attributes from the local or RADIUS server. The PPP attributes defined in the RADIUS or local server take precedence over the attributes defined in the user group profile.
To apply configured PPP attributes to a PPP client, include the user-group-profile statement at the [edit access profile profile-name client client-name] hierarchy level:
profile-name is a PPP group profile configured at the [edit access group-profile profile-name] hierarchy level. When a client enters this tunnel, it uses the user-group-profile attributes as the default attributes.
Use a wildcard client to define a user group profile:
Example: Applying a User Group Profile
CLI Quick Configuration
The following example shows how to apply a configured PPP group profile to a tunnel on the M7i or M10i router:
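An added example, not the original page's listing, showing a PPP-only group profile applied to a tunnel client as its user group profile. The names example-users, example-tunnel and example-lac and the timer values are constructed placeholders, and the client's own l2tp tunnel settings are left out.

```junos
# Added example: all names and values are constructed placeholders.
access {
    # The user group profile must define PPP attributes.
    group-profile example-users {
        ppp {
            idle-timeout 600;
            keepalive 10;
        }
    }
    profile example-tunnel {
        client example-lac {
            # L2TP tunnel settings for this client are omitted here.
            #
            # Default PPP attributes for every PPP session that enters
            # through this tunnel client. Junos OS applies these first;
            # PPP attributes returned by the local or RADIUS server are
            # applied afterwards and take precedence.
            user-group-profile example-users;
        }
    }
}
```

Because the RADIUS or local server attributes win, a session's effective idle-timeout should be checked against what the authentication server returns, not only against the user group profile.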