File:  [ELWIX - Embedded LightWeight unIX -] / embedaddon / mpd / doc / mpd29.html
Revision 1.1.1.4 (vendor branch)
Wed Mar 17 00:39:23 2021 UTC (3 years, 3 months ago) by misho
Branches: mpd, MAIN
CVS tags: v5_9p16, v5_9, HEAD
mpd 5.9

    1: <!DOCTYPE html PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
    2: <HTML>
    3: <HEAD>
    4: <META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=iso-8859-1">
    5: <TITLE>Authentication, Authorization and Accounting (AAA)</TITLE>
    6: </HEAD>
    7: <BODY text="#000000" bgcolor="#ffffff">
    8: 
    9: <A HREF="mpd.html"><EM>Mpd 5.9 User Manual</EM></A>
   10:  <b>:</b> <A HREF="mpd17.html"><EM>Configuring Mpd</EM></A>
   11:  <b>:</b> <EM>Authentication, Authorization and Accounting (AAA)</EM><BR>
   12: <b>Previous:</b> <A HREF="mpd28.html"><EM>Interface layer</EM></A><BR>
   13: <b>Next:</b> <A HREF="mpd30.html"><EM>RADIUS</EM></A>
   14: 
   15: 
   16: <HR NOSHADE>
   17:   <H2><A NAME="29"></A>4.10. Authentication, Authorization and Accounting (AAA)<A NAME="auth"></A></H2>
   18: 
   19: <p>Mpd currently supports authentication against the following backends
   20: (tried in this order): 
   21: <A HREF="mpd31.html#extauth">external script</A>,
   22: <A HREF="mpd30.html#radius">RADIUS</A>, PAM, the system password database 
   23: (<code>master.passwd</code>), OPIE and the internal <code>mpd.secret</code> file.</p>
   24: <p>This chapter describes commands that configure the Authentication 
   25: subsystem of the LCP layer. All of these commands apply to the currently
   26: active link. </p>
   27: <p>
   28: <dl>
   29: 
   30: <dt><b><code>set auth authname <em>login</em></code></b><dd><p>This command sets the authentication login name associated with
   31: the link (in multi-link PPP, though each link is authenticated
   32: individually, they all must use the same login name). The
   33: <code><em>login</em></code> may have a corresponding entry in
   34: <code>mpd.secret</code>. The <code><em>login</em></code> and password
   35: are used when the peer requires us to authenticate ourselves.</p>
   36: 
   37: <dt><b><code>set auth password <em>password</em></code></b><dd><p>This command is normally not necessary. It causes mpd to <em>not</em>
   38: look up the password corresponding to <code><em>login</em></code>
   39: in <code>mpd.secret</code>, but rather to use
   40: <code><em>password</em></code> instead. If you're too lazy to set up
   41: <code>mpd.secret</code> and are only dialing out, you can use this
   42: command instead.</p>
   43: 
   44: <dt><b><code>set auth max-logins <em>num</em> [CI]</code></b><dd><p>Limits the maximum number of concurrent logins with the same username.
   45: If set to zero, this feature is disabled. If the CI argument is present,
   46: login comparison is case insensitive.</p>
   47: 
   48: <dt><b><code>set auth acct-update <em>seconds</em></code></b><dd><p>Enables periodic accounting updates if set to a value greater than 
   49: zero.</p>
   50: 
   51: <dt><b><code>set auth timeout <em>seconds</em></code></b><dd><p>Sets the timeout for the whole authentication process.
   52: It defaults to 40 seconds. 
   53: Under some circumstances the value should be changed; it usually 
   54: depends on the authentication backend and protocol.
   55: E.g. when using EAP with a slow RADIUS server this value should be increased.</p>
   56: 
   57: <dt><b><code><br>set auth extauth-script <em>script</em><br>
   58: set auth extacct-script <em>script</em></code></b><dd><p>Sets the script names for external authentication and accounting.</p>
   59: 
   60: <dt><b><code><br>set auth enable <em>option ...</em><br>
   61: set auth disable <em>option ...</em></code></b><dd>
   62: </dl>
   63: </p>
   64: 
   65: 
   66: <p>The options available are:</p>
   67: <p>
   68: <dl>
   69: 
   70: <dt><b><code>internal</code></b><dd><p>Enables authentication against the <code>mpd.secret</code> file.</p>
   71: <p>Default <code><b>enable</b></code>.</p>
   72: 
   73: <dt><b><code>radius-auth</code></b><dd><p>Enable authentication via RADIUS. For details see
   74: <A HREF="mpd30.html#radius">the RADIUS chapter</A>.</p>
   75: <p>Default <code><b>disable</b></code>.</p>
   76: 
   77: <dt><b><code>radius-acct</code></b><dd><p>Enable per-link accounting via RADIUS. For details see
   78: <A HREF="mpd30.html#radius">the RADIUS chapter</A>.</p>
   79: <p>Default <code><b>disable</b></code>.</p>
   80: 
   81: <dt><b><code>ext-auth</code></b><dd><p>Enable authentication by calling an external script.
   82: This method is intended to be a full-featured alternative to 
   83: <code><b>radius-auth</b></code>. For details see
   84: <A HREF="mpd31.html#extauth">the External authentication chapter</A>.</p>
   85: <p>Default <code><b>disable</b></code>.</p>
   86: 
   87: <dt><b><code>ext-acct</code></b><dd><p>Enable accounting by calling an external script.
   88: This method is intended to be a full-featured alternative to 
   89: <code><b>radius-acct</b></code>. For details see
   90: <A HREF="mpd31.html#extauth">the External authentication chapter</A>.</p>
   91: <p>Default <code><b>disable</b></code>.</p>
   92: 
   93: <dt><b><code>pam-auth</code></b><dd><p>Enables authentication using PAM service "mpd".
   94: This option can only be used with PAP.</p>
   95: <p>Default <code><b>disable</b></code>.</p>
   96: 
   97: <dt><b><code>pam-acct</code></b><dd><p>Enable accounting using PAM service "mpd".</p>
   98: <p>Default <code><b>disable</b></code>.</p>
   99: 
  100: <dt><b><code>system-auth</code></b><dd><p>Enables authentication against the system's password database.
  101: This option can only be used with PAP and MS-CHAP, but not 
  102: with CHAP-MD5. If you intend to use this with MS-CHAP, then 
  103: the passwords in <code>master.passwd</code> must be NT-Hashes.
  104: You can enable this by putting <code>:passwd_format=nth:</code> into 
  105: your <code>/etc/login.conf</code>, but you need at least FreeBSD 5.2.</p>
  106: <p>Default <code><b>disable</b></code>.</p>
  107: 
  108: <dt><b><code>system-acct</code></b><dd><p>Enable accounting via utmp/wtmp.</p>
  109: <p>Default <code><b>disable</b></code>.</p>
  110: 
  111: <dt><b><code>opie</code></b><dd><p>Enables authentication using OPIE.
  112: When using PAP there is nothing more to do. For all other 
  113: authentication protocols you have to put the username into 
  114: the <code>mpd.secret</code> file, but the specified password is 
  115: then interpreted as the secret pass phrase. This is needed because
  116: Mpd must be aware of the plaintext password when using CHAP.
  117: The (Windows) end users could generate their actual responses 
  118: themselves using Winkey.<br>
  119: <b>IMPORTANT</b>: Disable the internal authentication when using 
  120: OPIE and CHAP, because otherwise users are also able to authenticate 
  121: with their secret pass phrase.</p>
  122: <p>Default <code><b>disable</b></code>.</p>
  123: 
  124: <dt><b><code>acct-mandatory</code></b><dd><p>Makes accounting start mandatory. If enabled, the connection is dropped 
  125: when accounting start fails.</p>
  126: <p>Default <code><b>enable</b></code>.</p>
  127: 
  128: </dl>
  129: </p>
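<p>The option defaults, the backend try order and the OPIE warning above can be checked mechanically. The following is an added example, not part of the mpd manual or the mpd source: it replays the <code>set auth enable</code>/<code>disable</code> lines of one link section over the documented defaults. The function names, the sample section, the mapping of backends to option names and the treatment of <code>#</code> lines as comments are assumptions of this example; the link's authentication protocol (PAP or CHAP) is not inspected.</p>

```python
# Added example (not mpd code): audit the "set auth" lines of one link section.
# Defaults and the backend try order are the ones documented in this chapter.
DEFAULTS = {
    "internal": True, "radius-auth": False, "radius-acct": False,
    "ext-auth": False, "ext-acct": False, "pam-auth": False,
    "pam-acct": False, "system-auth": False, "system-acct": False,
    "opie": False, "acct-mandatory": True,
}
# external script, RADIUS, PAM, system password database, OPIE, mpd.secret
TRY_ORDER = ["ext-auth", "radius-auth", "pam-auth", "system-auth", "opie", "internal"]

def effective_options(conf_text):
    """Replay 'set auth enable|disable' in file order on top of the defaults."""
    opts, unknown = dict(DEFAULTS), []
    for line in conf_text.splitlines():
        words = line.split()
        if not words or words[0].startswith("#"):   # assumption: '#' starts a comment
            continue
        if words[:2] == ["set", "auth"] and len(words) > 3 and words[2] in ("enable", "disable"):
            for name in words[3:]:
                if name in opts:
                    opts[name] = words[2] == "enable"
                else:
                    unknown.append(name)
    return opts, unknown

def auth_chain(opts):
    """Enabled authentication backends, in the order mpd tries them."""
    return [name for name in TRY_ORDER if opts[name]]

def audit(conf_text):
    """Return (ordered backend chain, list of findings) for one link section."""
    opts, unknown = effective_options(conf_text)
    findings = [f"unknown auth option: {name}" for name in unknown]
    if opts["opie"] and opts["internal"]:
        findings.append("opie and internal both enabled: with CHAP, the OPIE "
                        "secret pass phrase in mpd.secret also authenticates")
    return auth_chain(opts), findings

# Constructed sample: the commands of a single link section.
SAMPLE = """\
    set auth authname alice
    set auth enable radius-auth opie
    # RADIUS switched off again later in the section
    set auth disable radius-auth
    set auth enable system-auth
"""

if __name__ == "__main__":
    print(audit(SAMPLE))
    print(audit(SAMPLE + "    set auth disable internal\n"))
```

<p>Because <code>internal</code> defaults to <code><b>enable</b></code>, the sample section is flagged until an explicit <code>set auth disable internal</code> is added.</p>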
  130: <H3>4.10.1. <A HREF="mpd30.html#30">RADIUS</A></H3>
  131: <H3>4.10.2. <A HREF="mpd31.html#31">External authentication</A></H3>
  138: 
  139: 
  140: 
  141: </BODY>
  142: </HTML>
