BSNL RURAL Wi-Max Project
Department: Huawei Wireless CBSS
L2TP VPN with ASN as LAC
HUAWEI Technologies CO., LTD. All rights reserved
2014-06-06  HUAWEI Confidential  Page 1, Total 6
L2TP Establishment Document  Security Level: Internal

LAC
LAC is short for L2TP access concentrator. A LAC is a device that has a PPP terminal system and L2TP processing capability and is attached to the switching network. In a packet-switched network, a LAC is often a network access server (NAS) that provides access for public switched telephone network/integrated services digital network (PSTN/ISDN) users. In a Worldwide Interoperability for Microwave Access Forum (WiMAX) network, the WASN9770 acts as the LAC and provides access for mobile stations (MSs).

LNS
LNS is short for L2TP network server. An LNS is a server in the PPP terminal system that processes the L2TP packets; it is often an edge device of the intranet.

A LAC is located between an LNS and a remote system such as an MS. The LAC encapsulates the packets received from the remote system in L2TP and sends them to the LNS; it also decapsulates the packets received from the LNS and sends them to the remote system. The following diagram illustrates the implementation of the L2TP VPN with the ASN as LAC.

An L2TP tunnel can be created by the following method: creating an L2TP tunnel based on the L2TP group configured locally. When the L2TP attributes are not configured on the authentication server but the domain name carried in the user name matches the domain name configured in the L2TP group (see SET L2TP), the WASN9770 creates the L2TP tunnel based on the locally configured L2TP group. The same L2TP index is therefore defined in the ASN together with the IP address of the LNS, so that whenever an account from that domain is accepted by the fixed AAA, the ASN dials the LNS and tries to bring up the tunnel.
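To make the tunnel-selection rule concrete, here is an added Python example; it is not code from this document, the WASN9770 or any Huawei product. It models the LAC's lookup of the domain carried in the PPPoE user name against the locally configured L2TP groups, and encodes and parses the L2TPv2 control messages the LAC would then exchange on UDP 1701 per RFC 2661: the SCCRQ that opens the control connection to the LNS and the Hello keepalive sent on an established tunnel. The group table, the LNS address 10.0.0.1, the host name string and the tunnel IDs are constructed assumptions for illustration; the WASN9770's actual command set is not reproduced.

```python
"""Added example (not from the Huawei/BSNL document): LAC-side L2TP group
selection by user-name domain, plus RFC 2661 control-message encoding.

Assumptions (hypothetical): L2TP groups are a {domain: lns_ip} dict,
host name "WASN9770", LNS 10.0.0.1. Real devices configure these via CLI.
"""
import struct

# L2TPv2 control message types (RFC 2661 section 6).
SCCRQ, SCCRP, SCCCN, STOPCCN, HELLO = 1, 2, 3, 4, 6
# AVP attribute types (RFC 2661 section 4.4), vendor ID 0 (IETF).
AVP_MESSAGE_TYPE, AVP_PROTOCOL_VERSION, AVP_FRAMING_CAP = 0, 2, 3
AVP_HOST_NAME, AVP_ASSIGNED_TUNNEL_ID = 7, 9

# Header flags: T=1 (control), L=1 (length present), S=1 (Ns/Nr present), Ver=2.
CTRL_FLAGS = 0xC802

# Constructed sample configuration: domain in user@domain -> LNS address.
L2TP_GROUPS = {"operation.in": "10.0.0.1"}


def select_lns(username, groups=L2TP_GROUPS):
    """Return the LNS for the domain carried in the user name, or None.

    None means no local L2TP group matches, so no tunnel is attempted
    (the user is not silently sent to some default LNS)."""
    if "@" not in username:
        return None
    domain = username.rsplit("@", 1)[1].lower()
    return groups.get(domain)


def avp(attr, value, mandatory=True):
    """Encode one AVP: M/H bits + 10-bit length, vendor ID 0, type, value."""
    length = 6 + len(value)
    if length > 0x3FF:
        raise ValueError("AVP value too long")
    flags = (0x8000 if mandatory else 0) | length
    return struct.pack("!HHH", flags, 0, attr) + value


def control_message(tunnel_id, ns, nr, avps):
    """Control header: flags, length, tunnel ID, session ID (0), Ns, Nr."""
    body = b"".join(avps)
    length = 12 + len(body)
    return struct.pack("!HHHHHH", CTRL_FLAGS, length, tunnel_id, 0, ns, nr) + body


def build_sccrq(host_name, assigned_tunnel_id):
    """SCCRQ from the LAC: tunnel ID 0 because the peer's ID is not yet known."""
    return control_message(0, 0, 0, [
        avp(AVP_MESSAGE_TYPE, struct.pack("!H", SCCRQ)),
        avp(AVP_PROTOCOL_VERSION, b"\x01\x00"),          # Ver 1, Rev 0
        avp(AVP_HOST_NAME, host_name.encode()),
        avp(AVP_FRAMING_CAP, struct.pack("!I", 0x3)),     # sync + async framing
        avp(AVP_ASSIGNED_TUNNEL_ID, struct.pack("!H", assigned_tunnel_id)),
    ])


def build_hello(peer_tunnel_id, ns, nr):
    """Hello keepalive: only the Message Type AVP, addressed to the peer's tunnel ID."""
    return control_message(peer_tunnel_id, ns, nr,
                           [avp(AVP_MESSAGE_TYPE, struct.pack("!H", HELLO))])


def parse_control_message(data):
    """Parse a control message; reject data messages and bad length fields
    instead of trusting what the peer put on the wire."""
    if len(data) < 12:
        raise ValueError("truncated header")
    flags, length, tid, sid, ns, nr = struct.unpack("!HHHHHH", data[:12])
    if (flags & 0x8000) == 0 or (flags & 0x000F) != 2:
        raise ValueError("not an L2TPv2 control message")
    if length != len(data):
        raise ValueError("length field does not match datagram size")
    avps, off = {}, 12
    while off < length:
        aflags, vendor, attr = struct.unpack("!HHH", data[off:off + 6])
        alen = aflags & 0x03FF
        if alen < 6 or off + alen > length:
            raise ValueError("bad AVP length")
        avps[(vendor, attr)] = data[off + 6:off + alen]
        off += alen
    mtype = struct.unpack("!H", avps[(0, AVP_MESSAGE_TYPE)])[0]
    return {"tunnel_id": tid, "ns": ns, "nr": nr, "type": mtype, "avps": avps}


def lac_dial(username, host_name="WASN9770", local_tunnel_id=1):
    """LAC decision for one accepted user: which LNS to dial, and the SCCRQ
    that opens the control connection; None if no group matches."""
    lns = select_lns(username)
    if lns is None:
        return None
    return lns, build_sccrq(host_name, local_tunnel_id)


if __name__ == "__main__":
    print(lac_dial("kt-bgl-sde1@operation.in"))
    print(parse_control_message(build_hello(0x2222, 5, 3)))
```

The parser checks the header length against the datagram and each AVP length against the remaining bytes before indexing, which is the check a LAC or LNS has to make on anything that arrives on UDP 1701, since the Hello and SCCRQ exchange happens before any per-user authentication on the tunnel.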
After the tunnel is established, the WASN9770 sends Hello packets periodically to check the connectivity of the tunnel.

BS + ASN-GW networking:
The Ethernet convergence sublayer (Eth-CS) is used for WiMAX access. The WASN9770 decapsulates PPPoE to obtain the original PPP packets (PPP relay is supported). The WASN9770, serving as the LAC, encapsulates the PPP packets in L2TP and sets up the L2TP connection with the LNS.

In the method described above, two different authentications are used:
1. The first authentication only admits the subscriber to the WiMAX network in ETH-CS mode; on its own it does not give internet access.
2. The second-level authentication is required to get the PPPoE user authenticated by the AAA for the LNS.

The first-level authentication is required because bypassing it would be a threat to the network: if the network allowed the first-level authentication to be bypassed, a knowledgeable user could misuse this. With the first-level authentication in place, nobody can access the network improperly, because every subscriber must first be authenticated by the AAA. It is therefore strongly advised to use the first-level authentication.

Security related cases:
;+ User remo"es t(e secon# user an# just use t(e ,irst user t(en also (e can not access t(e internet+ %x$lanation: i, a user remo"es t(e secon# user / t(en t(e onl ,irst le"el aut(entication will be t(ere an# (e will be just connecte# to t(e wimax networ. as (e is connecte# to t(e networ. in %'H-CS mo#e+ Moreo"er t(e ,irst le"el aut(entication is re<uire# to "eri, t(e user in t(e networ.+
-+ User remo"es t(e ,irst user an# t(en just use t(e secon# user an# tr to b$ass t(e ,irst le"el aut(entication+
%x$lanation: &, a user tr to b$ass t(e ,irst le"el aut(entication/ t(en t(e user e"en can not access t(e wimax networ. in an mo#e+ So it can not $rocee# ,urt(er+ 2014-06-06 !"#EI $on%i&ential Pa'e4( Total6 L2TP Establishment Document Security Level: Internal How t(e !ialin) will be #one= As soon as t(e P>M user will )et aut(enticate# ,rom Wi-Max AAA/ it will automaticall #ial t(e PPPo% account w(ic( is alrea# con,i)ure# in t(e CP% we (a"e )i"en t(e user name as .t-b)l-s#e;?o$eration+in an# $asswor# as @$asswor#A+ '(is user will )et #iale# a,ter aut(entication ,rom Wi-Max AAA ,or P>M user+ W(en t(is PPPo% user will )et #iale#/ CP% will )et t(e &P ,rom t(e LNS+ 3or exam$le it can )e t(e as s(own in t(e below $icture: 2014-06-06 !"#EI $on%i&ential Pa'e*( Total6 L2TP Establishment Document Security Level: Internal A,ter )ettin) t(e &P ,rom t(e LNS/ t(e user can acess t(e web $ortal be(in# t(e same BNB+ 3or exam$le t(e web $ortal ,or ma.in) t(e user ,or BSNL can be accesse#+