Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

 
 

Access Profiles for L2TP or PPP Parameters

To validate Layer 2 Tunneling Protocol (L2TP) connections and session requests, you set up access profiles by configuring the profile statement at the [edit access] hierarchy level. You can configure multiple profiles. You can also configure multiple clients for each profile.

Tasks for configuring the access profile are:

Configuring the Access Profile

To configure the profile, include the profile statement at the [edit access] hierarchy level:

profile-name is the name assigned to the profile.

Note:

The group-profile statement overrides the user-group-profile statement, which is configured at the [edit access profile profile-name] hierarchy level. The profile statement overrides the attributes configured at the [edit access group-profile profile-name] hierarchy level. For information about the user-group-profile statement, see Configuring the Group Profile for L2TP and PPP.

When you configure a profile, you can only configure either L2TP or PPP parameters. You cannot configure both at the same time.

Configuring the L2TP Properties for a Profile

To configure the Layer 2 Tunneling Protocol (L2TP) properties for a profile, include the following statements at the [edit access profile profile-name] hierarchy level:

Configuring the PPP Properties for a Profile

To configure the PPP properties for a profile, include the following statements at the [edit access profile profile-name] hierarchy level:

Note:

When you configure PPP properties for a profile, you typically configure the chap-secret statement or pap-password statement.

Configuring the Authentication Order

You can configure the order in which the Junos OS tries different authentication methods when authenticating peers. For each access attempt, the software tries the authentication methods in order, from first to last.

To configure the authentication order, include the authentication-order statement at the [edit access profile profile-name] hierarchy level:

In authentication-methods, specify one or more of the following in the preferred order, from first tried to last tried:

  • radius—Verify the client using RADIUS authentication services.

  • password—Verify the client using the information configured at the [edit access profile profile-name client client-name] hierarchy level.

    Note:

    When you configure the authentication methods for L2TP, only the first configured authentication method is used.

For L2TP, RADIUS authentication servers are configured at the [edit access radius-server] hierarchy level. For more information about configuring RADIUS authentication servers, see Configuring RADIUS Authentication for L2TP.

If you do not include the authentication-order statement, clients are verified by means of password authentication.

Configuring the Accounting Order

You can configure RADIUS accounting for an L2TP profile.

With RADIUS accounting enabled, Juniper Networks routers or switches, acting as RADIUS clients, can notify the RADIUS server about user activities such as software logins, configuration changes, and interactive commands. The framework for RADIUS accounting is described in RFC 2866.

To configure RADIUS accounting, include the accounting-order statement at the [edit access profile profile-name] hierarchy level:

When you enable RADIUS accounting for an L2TP profile, it applies to all the clients within that profile. You must enable RADIUS accounting on at least one LT2P profile for the RADIUS authentication server to send accounting stop and start messages.

Note:

When you enable RADIUS accounting for an L2TP profile, you do not need to configure the accounting-port statement at the [edit access radius-server server-address] hierarchy level. When you enable RADIUS accounting for an L2TP profile, accounting is triggered on the default port of 1813.

For L2TP, RADIUS authentication servers are configured at the [edit access radius-server] hierarchy level.

Example: Access Profile Configuration

The following example shows a configuration of an access profile: