Annotation of embedaddon/mpd/doc/mpd29.html, revision 1.1.1.4
1.1 misho 1: <!DOCTYPE html PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
2: <HTML>
3: <HEAD>
4: <META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=iso-8859-1">
5: <TITLE>Authentication, Authorization and Accounting (AAA)</TITLE>
6: </HEAD>
7: <BODY text="#000000" bgcolor="#ffffff">
8:
1.1.1.4 ! misho 9: <A HREF="mpd.html"><EM>Mpd 5.9 User Manual</EM></A>
1.1 misho 10: <b>:</b> <A HREF="mpd17.html"><EM>Configuring Mpd</EM></A>
11: <b>:</b> <EM>Authentication, Authorization and Accounting (AAA)</EM><BR>
12: <b>Previous:</b> <A HREF="mpd28.html"><EM>Interface layer</EM></A><BR>
13: <b>Next:</b> <A HREF="mpd30.html"><EM>RADIUS</EM></A>
14:
15:
16: <HR NOSHADE>
17: <H2><A NAME="29"></A>4.10. Authentication, Authorization and Accounting (AAA)<A NAME="auth"></A></H2>
18:
19: <p>Mpd currently supports authentication against (tried
20: in this order)
1.1.1.4 ! misho 21: <A HREF="mpd31.html#extauth">external script</A>,
! 22: <A HREF="mpd30.html#radius">RADIUS</A>, PAM, systems password database
1.1 misho 23: (<code>master.passwd</code>), OPIE and internal <code>mpd.secret</code> file.</p>
24: <p>This chapter describes commands that configure the Authentication
25: subsystem of LCP layer. All of these commands apply to the currently
26: active link. </p>
27: <p>
28: <dl>
29:
30: <dt><b><code>set auth authname <em>login</em></code></b><dd><p>This command sets the authentication login name associated with
31: the link (in multi-link PPP, though each link is authenticated
32: individually, they all must use the same login name). The
33: <code><em>login</em></code> may have a corresponding entry in
34: <code>mpd.secret</code>. The <code><em>login</em></code> and password
35: are used when the peer requires us to authenticate ourselves.</p>
36:
37: <dt><b><code>set auth password <em>password</em></code></b><dd><p>This command is normally not necessary. It causes mpd to <em>not</em>
38: lookup the password corresponding to <code><em>login</em></code>
39: in <code>mpd.secret</code>, but rather to use
40: <code><em>password</em></code> instead. If you're too lazy to set up
41: <code>mpd.secret</code> and are only dialing out, you can use this
42: command instead.</p>
43:
44: <dt><b><code>set auth max-logins <em>num</em> [CI]</code></b><dd><p>Limit the max. amount of concurrent logins with the same username.
45: If set to zero, then this feature is disabled. If CI argument is present
1.1.1.3 misho 46: login comparasion will be case insensitive.</p>
1.1 misho 47:
48: <dt><b><code>set auth acct-update <em>seconds</em></code></b><dd><p>Enables periodic accounting updates, if set to a value greater then
49: zero.</p>
50:
51: <dt><b><code>set auth timeout <em>seconds</em></code></b><dd><p>Sets the timeout for the whole authentication process.
52: It defaults to 40 seconds.
53: Under some circumstances the value should be changed; it usually
54: depends on the authentication backend and protocol.
55: E.g. when using EAP with a slow RADIUS server this value should be increased.</p>
56:
57: <dt><b><code><br>set auth extauth-script <em>script</em><br>
58: set auth extacct-script <em>script</em></code></b><dd><p>Sets scripts names for external authentication and accounting.</p>
59:
60: <dt><b><code><br>set auth enable <em>option ...</em><br>
61: set auth disable <em>option ...</em></code></b><dd>
62: </dl>
63: </p>
64:
65:
66: <p>The options available are:</p>
67: <p>
68: <dl>
69:
70: <dt><b><code>internal</code></b><dd><p>Enables authentication against the <code>mpd.secret</code> file.</p>
71: <p>Default <code><b>enable</b></code>.</p>
72:
73: <dt><b><code>radius-auth</code></b><dd><p>Enable authentication via RADIUS. For details see
1.1.1.4 ! misho 74: <A HREF="mpd30.html#radius">the RADIUS chapter</A>.</p>
1.1 misho 75: <p>Default <code><b>disable</b></code>.</p>
76:
77: <dt><b><code>radius-acct</code></b><dd><p>Enable per link accounting via RADIUS. For details see
1.1.1.4 ! misho 78: <A HREF="mpd30.html#radius">the RADIUS chapter</A>.</p>
1.1 misho 79: <p>Default <code><b>disable</b></code>.</p>
80:
81: <dt><b><code>ext-auth</code></b><dd><p>Enable authentication by calling external script.
82: This method pretended to be a fullfeatured alternative to the
83: <code><b>radius-auth</b></code>. For details see
1.1.1.4 ! misho 84: <A HREF="mpd31.html#extauth">the External authentication chapter</A>.</p>
1.1 misho 85: <p>Default <code><b>disable</b></code>.</p>
86:
87: <dt><b><code>ext-acct</code></b><dd><p>Enable accounting by calling external script.
88: This method pretended to be a fullfeatured alternative to the
89: <code><b>radius-acct</b></code>. For details see
1.1.1.4 ! misho 90: <A HREF="mpd31.html#extauth">the External authentication chapter</A>.</p>
1.1 misho 91: <p>Default <code><b>disable</b></code>.</p>
92:
93: <dt><b><code>pam-auth</code></b><dd><p>Enables authentication using PAM service "mpd".
94: This options can only be used with PAP.</p>
95: <p>Default <code><b>disable</b></code>.</p>
96:
97: <dt><b><code>pam-acct</code></b><dd><p>Enable accounting using PAM service "mpd".</p>
98: <p>Default <code><b>disable</b></code>.</p>
99:
100: <dt><b><code>system-auth</code></b><dd><p>Enables authentication against the systems password database.
101: This options can only be used with PAP and MS-CHAP, but not
102: with CHAP-MD5. If you intend to use this with MS-CHAP, then
103: the passwords in the <code>master.passwd</code> must be NT-Hashes.
104: You can enable this by putting <code>:passwd_format=nth:</code> into
105: your <code>/etc/login.conf</code>, but you need at least FreeBSD 5.2.</p>
106: <p>Default <code><b>disable</b></code>.</p>
107:
108: <dt><b><code>system-acct</code></b><dd><p>Enable accounting via utmp/wtmp.</p>
109: <p>Default <code><b>disable</b></code>.</p>
110:
111: <dt><b><code>opie</code></b><dd><p>Enables authentication using OPIE.
112: When using PAP there is nothing more todo. For all other
113: authentication protocols you have to put the username into
114: the <code>mpd.secret</code> file, but the specified password is
115: then interpreted as secret pass phrase. This is needed, because
116: Mpd must be aware of the plaintext password when using CHAP.
117: The (windows) endusers could generate their actual responses
118: themselfs using Winkey.<br>
119: <b>IMPORTANT</b>: Disable the internal authentication when using
120: OPIE and CHAP, because otherwise users are also able to authenticate
121: with their secret pass phrase.</p>
122: <p>Default <code><b>disable</b></code>.</p>
123:
124: <dt><b><code>acct-mandatory</code></b><dd><p>Makes accounting start mandatory. If enabled, on accounting start failure
125: connection will be dropped.</p>
126: <p>Default <code><b>enable</b></code>.</p>
127:
128: </dl>
129: </p>
130: <H3>4.10.1. <A HREF="mpd30.html#30">RADIUS</A></H3>
131: <H3>4.10.2. <A HREF="mpd31.html#31">External authentication</A></H3>
132: <HR NOSHADE>
1.1.1.4 ! misho 133: <A HREF="mpd.html"><EM>Mpd 5.9 User Manual</EM></A>
1.1 misho 134: <b>:</b> <A HREF="mpd17.html"><EM>Configuring Mpd</EM></A>
135: <b>:</b> <EM>Authentication, Authorization and Accounting (AAA)</EM><BR>
136: <b>Previous:</b> <A HREF="mpd28.html"><EM>Interface layer</EM></A><BR>
137: <b>Next:</b> <A HREF="mpd30.html"><EM>RADIUS</EM></A>
138:
139:
140:
141: </BODY>
142: </HTML>
FreeBSD-CVSweb <freebsd-cvsweb@FreeBSD.org>