Annotation of embedaddon/mpd/doc/mpd29.html, revision 1.1.1.3

1.1       misho       1: <!DOCTYPE html PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
                      2: <HTML>
                      3: <HEAD>
                      4: <META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=iso-8859-1">
                      5: <TITLE>Authentication, Authorization and Accounting (AAA)</TITLE>
                      6: </HEAD>
                      7: <BODY text="#000000" bgcolor="#ffffff">
                      8: 
1.1.1.3 ! misho       9: <A HREF="mpd.html"><EM>Mpd 5.8 User Manual</EM></A>
1.1       misho      10:  <b>:</b> <A HREF="mpd17.html"><EM>Configuring Mpd</EM></A>
                     11:  <b>:</b> <EM>Authentication, Authorization and Accounting (AAA)</EM><BR>
                     12: <b>Previous:</b> <A HREF="mpd28.html"><EM>Interface layer</EM></A><BR>
                     13: <b>Next:</b> <A HREF="mpd30.html"><EM>RADIUS</EM></A>
                     14: 
                     15: 
                     16: <HR NOSHADE>
                     17:   <H2><A NAME="29"></A>4.10. Authentication, Authorization and Accounting (AAA)<A NAME="auth"></A></H2>
                     18: 
                     19: <p>Mpd currently supports authentication against (tried 
                     20: in this order) 
                     21: <A HREF="mpd31.html#extauth">extauth</A>,
                     22: <A HREF="mpd30.html#radius">radius</A>, PAM, the system password database 
                     23: (<code>master.passwd</code>), OPIE and the internal <code>mpd.secret</code> file.</p>
                     24: <p>This chapter describes commands that configure the Authentication 
                     25: subsystem of the LCP layer. All of these commands apply to the currently
                     26: active link. </p>
                     27: <p>
                     28: <dl>
                     29: 
                     30: <dt><b><code>set auth authname <em>login</em></code></b><dd><p>This command sets the authentication login name associated with
                     31: the link (in multi-link PPP, though each link is authenticated
                     32: individually, they all must use the same login name). The
                     33: <code><em>login</em></code> may have a corresponding entry in
                     34: <code>mpd.secret</code>. The <code><em>login</em></code> and password
                     35: are used when the peer requires us to authenticate ourselves.</p>
                     36: 
                     37: <dt><b><code>set auth password <em>password</em></code></b><dd><p>This command is normally not necessary. It causes mpd to <em>not</em>
                     38: look up the password corresponding to <code><em>login</em></code>
                     39: in <code>mpd.secret</code>, but rather to use
                     40: <code><em>password</em></code> instead. If you're too lazy to set up
                     41: <code>mpd.secret</code> and are only dialing out, you can use this
                     42: command instead.</p>
                     43: 
                     44: <dt><b><code>set auth max-logins <em>num</em> [CI]</code></b><dd><p>Limits the maximum number of concurrent logins with the same username.
                     45: If set to zero, this feature is disabled. If the CI argument is present,
1.1.1.3 ! misho      46: login comparison will be case-insensitive.</p>
1.1       misho      47: 
                     48: <dt><b><code>set auth acct-update <em>seconds</em></code></b><dd><p>Enables periodic accounting updates, if set to a value greater than 
                     49: zero.</p>
                     50: 
                     51: <dt><b><code>set auth timeout <em>seconds</em></code></b><dd><p>Sets the timeout for the whole authentication process.
                     52: It defaults to 40 seconds. 
                     53: Under some circumstances the value should be changed; it usually 
                     54: depends on the authentication backend and protocol.
                     55: E.g. when using EAP with a slow RADIUS server this value should be increased.</p>
                     56: 
                     57: <dt><b><code><br>set auth extauth-script <em>script</em><br>
                     58: set auth extacct-script <em>script</em></code></b><dd><p>Sets the script names for external authentication and accounting.</p>
                     59: 
                     60: <dt><b><code><br>set auth enable <em>option ...</em><br>
                     61: set auth disable <em>option ...</em></code></b><dd>
                     62: </dl>
                     63: </p>
                     64: 
                     65: 
                     66: <p>The options available are:</p>
                     67: <p>
                     68: <dl>
                     69: 
                     70: <dt><b><code>internal</code></b><dd><p>Enables authentication against the <code>mpd.secret</code> file.</p>
                     71: <p>Default <code><b>enable</b></code>.</p>
                     72: 
                     73: <dt><b><code>radius-auth</code></b><dd><p>Enable authentication via RADIUS. For details see
                     74: <A HREF="mpd30.html#radius">radius</A>.</p>
                     75: <p>Default <code><b>disable</b></code>.</p>
                     76: 
                     77: <dt><b><code>radius-acct</code></b><dd><p>Enable per link accounting via RADIUS. For details see
                     78: <A HREF="mpd30.html#radius">radius</A>.</p>
                     79: <p>Default <code><b>disable</b></code>.</p>
                     80: 
                     81: <dt><b><code>ext-auth</code></b><dd><p>Enable authentication by calling an external script.
                     82: This method is intended to be a full-featured alternative to 
                     83: <code><b>radius-auth</b></code>. For details see
                     84: <A HREF="mpd31.html#extauth">extauth</A>.</p>
                     85: <p>Default <code><b>disable</b></code>.</p>
                     86: 
                     87: <dt><b><code>ext-acct</code></b><dd><p>Enable accounting by calling an external script.
                     88: This method is intended to be a full-featured alternative to 
                     89: <code><b>radius-acct</b></code>. For details see
                     90: <A HREF="mpd31.html#extauth">extauth</A>.</p>
                     91: <p>Default <code><b>disable</b></code>.</p>
                     92: 
                     93: <dt><b><code>pam-auth</code></b><dd><p>Enables authentication using PAM service "mpd".
                     94: This option can only be used with PAP.</p>
                     95: <p>Default <code><b>disable</b></code>.</p>
                     96: 
                     97: <dt><b><code>pam-acct</code></b><dd><p>Enable accounting using PAM service "mpd".</p>
                     98: <p>Default <code><b>disable</b></code>.</p>
                     99: 
                    100: <dt><b><code>system-auth</code></b><dd><p>Enables authentication against the system password database.
                    101: This option can only be used with PAP and MS-CHAP, but not 
                    102: with CHAP-MD5. If you intend to use this with MS-CHAP, then 
                    103: the passwords in <code>master.passwd</code> must be NT hashes.
                    104: You can enable this by putting <code>:passwd_format=nth:</code> into 
                    105: your <code>/etc/login.conf</code>, but you need at least FreeBSD 5.2.</p>
                    106: <p>Default <code><b>disable</b></code>.</p>
                    107: 
                    108: <dt><b><code>system-acct</code></b><dd><p>Enable accounting via utmp/wtmp.</p>
                    109: <p>Default <code><b>disable</b></code>.</p>
                    110: 
                    111: <dt><b><code>opie</code></b><dd><p>Enables authentication using OPIE.
                    112: When using PAP there is nothing more to do. For all other 
                    113: authentication protocols you have to put the username into 
                    114: the <code>mpd.secret</code> file, but the specified password is 
                    115: then interpreted as the secret pass phrase. This is needed because
                    116: Mpd must be aware of the plaintext password when using CHAP.
                    117: The (Windows) end users could generate their actual responses 
                    118: themselves using Winkey.<br>
                    119: <b>IMPORTANT</b>: Disable the internal authentication when using 
                    120: OPIE and CHAP, because otherwise users are also able to authenticate 
                    121: with their secret pass phrase.</p>
                    122: <p>Default <code><b>disable</b></code>.</p>
                    123: 
                    124: <dt><b><code>acct-mandatory</code></b><dd><p>Makes accounting start mandatory. If enabled, the connection 
                    125: is dropped when accounting start fails.</p>
                    126: <p>Default <code><b>enable</b></code>.</p>
                    127: 
                    128: </dl>
                    129: </p>
                    130: <H3>4.10.1. <A HREF="mpd30.html#30">RADIUS</A></H3>
                    131: <H3>4.10.2. <A HREF="mpd31.html#31">External authentication</A></H3>
                    132:  <HR NOSHADE>
1.1.1.3 ! misho     133: <A HREF="mpd.html"><EM>Mpd 5.8 User Manual</EM></A>
1.1       misho     134:  <b>:</b> <A HREF="mpd17.html"><EM>Configuring Mpd</EM></A>
                    135:  <b>:</b> <EM>Authentication, Authorization and Accounting (AAA)</EM><BR>
                    136: <b>Previous:</b> <A HREF="mpd28.html"><EM>Interface layer</EM></A><BR>
                    137: <b>Next:</b> <A HREF="mpd30.html"><EM>RADIUS</EM></A>
                    138: 
                    139: 
                    140: 
                    141: </BODY>
                    142: </HTML>
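
The option defaults, the backend try-order and the OPIE caveat documented above can be checked mechanically. The following is an added example, not part of the mpd manual or the mpd source; it assumes the `set auth` lines of a single link are passed in as a list, and the names `parse_auth`, `audit` and `SAMPLE` are hypothetical.

```python
import shlex

# Backend try-order from the chapter's first paragraph.
AUTH_ORDER = ["ext-auth", "radius-auth", "pam-auth", "system-auth", "opie", "internal"]
# Only "internal" and "acct-mandatory" are documented as enabled by default.
OPTIONS = AUTH_ORDER + ["radius-acct", "ext-acct", "pam-acct", "system-acct", "acct-mandatory"]
DEFAULTS = {name: name in ("internal", "acct-mandatory") for name in OPTIONS}

SAMPLE = [  # constructed sample for one link, not taken from the manual
    "set auth authname alice",
    "set auth enable opie radius-auth   # OPIE plus RADIUS",
    "set auth disable acct-mandatory",
]


def parse_auth(lines):
    """Apply 'set auth' lines in order; return (option states, other settings)."""
    opts, settings = dict(DEFAULTS), {}
    for raw in lines:
        words = shlex.split(raw, comments=True)
        if words[:2] != ["set", "auth"] or len(words) < 4:
            continue
        verb, args = words[2], words[3:]
        if verb in ("enable", "disable"):
            for name in args:
                if name in opts:
                    opts[name] = verb == "enable"
        else:
            settings[verb] = args
    return opts, settings


def audit(lines):
    """Return (enabled auth backends in try-order, list of findings)."""
    opts, settings = parse_auth(lines)
    order = [name for name in AUTH_ORDER if opts[name]]
    findings = []
    if opts["opie"] and opts["internal"]:
        findings.append("opie+internal: with CHAP the OPIE pass phrase itself also authenticates")
    if "password" in settings:
        findings.append("inline-password: secret is in the config, not mpd.secret")
    if not opts["acct-mandatory"]:
        findings.append("acct-optional: link stays up when accounting start fails")
    return order, findings


if __name__ == "__main__":
    print(audit(SAMPLE))
```

Appending `set auth disable internal` and `set auth enable acct-mandatory` to the sample clears both findings and leaves `radius-auth`, `opie` as the effective order.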
