embedaddon/mpd/doc/mpd29.html - view

File: [ELWIX - Embedded LightWeight unIX -] / embedaddon / mpd / doc / mpd29.html
Revision 1.1.1.4 (vendor branch): download - view: text, annotated - select for diffs - revision graph
Wed Mar 17 00:39:23 2021 UTC (3 years, 9 months ago) by misho
Branches: mpd, MAIN
CVS tags: v5_9p16, v5_9, HEAD

mpd 5.9

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 3.2 Final//EN"> <HTML> <HEAD> <META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=iso-8859-1"> <TITLE>Authentication, Authorization and Accounting (AAA)</TITLE> </HEAD> <BODY text="#000000" bgcolor="#ffffff"> <A HREF="mpd.html">Mpd 5.9 User Manual</A> : <A HREF="mpd17.html">Configuring Mpd</A> : Authentication, Authorization and Accounting (AAA)  Previous: <A HREF="mpd28.html">Interface layer</A>  Next: <A HREF="mpd30.html">RADIUS</A> <HR NOSHADE> <H2><A NAME="29"></A>4.10. Authentication, Authorization and Accounting (AAA)<A NAME="auth"></A></H2> Mpd currently supports authentication against (tried in this order) <A HREF="mpd31.html#extauth">external script</A>, <A HREF="mpd30.html#radius">RADIUS</A>, PAM, systems password database (<code>master.passwd</code>), OPIE and internal <code>mpd.secret</code> file. This chapter describes commands that configure the Authentication subsystem of LCP layer. All of these commands apply to the currently active link.   <dl> <dt><code>set auth authname login</code><dd>This command sets the authentication login name associated with the link (in multi-link PPP, though each link is authenticated individually, they all must use the same login name). The <code>login</code> may have a corresponding entry in <code>mpd.secret</code>. The <code>login</code> and password are used when the peer requires us to authenticate ourselves. <dt><code>set auth password password</code><dd>This command is normally not necessary. It causes mpd to not lookup the password corresponding to <code>login</code> in <code>mpd.secret</code>, but rather to use <code>password</code> instead. If you're too lazy to set up <code>mpd.secret</code> and are only dialing out, you can use this command instead. <dt><code>set auth max-logins num [CI]</code><dd>Limit the max. amount of concurrent logins with the same username. If set to zero, then this feature is disabled. If CI argument is present login comparasion will be case insensitive. <dt><code>set auth acct-update seconds</code><dd>Enables periodic accounting updates, if set to a value greater then zero. <dt><code>set auth timeout seconds</code><dd>Sets the timeout for the whole authentication process. It defaults to 40 seconds. Under some circumstances the value should be changed; it usually depends on the authentication backend and protocol. E.g. when using EAP with a slow RADIUS server this value should be increased. <dt><code> set auth extauth-script script  set auth extacct-script script</code><dd>Sets scripts names for external authentication and accounting. <dt><code> set auth enable option ...  set auth disable option ...</code><dd> </dl>  The options available are:  <dl> <dt><code>internal</code><dd>Enables authentication against the <code>mpd.secret</code> file. Default <code>enable</code>. <dt><code>radius-auth</code><dd>Enable authentication via RADIUS. For details see <A HREF="mpd30.html#radius">the RADIUS chapter</A>. Default <code>disable</code>. <dt><code>radius-acct</code><dd>Enable per link accounting via RADIUS. For details see <A HREF="mpd30.html#radius">the RADIUS chapter</A>. Default <code>disable</code>. <dt><code>ext-auth</code><dd>Enable authentication by calling external script. This method pretended to be a fullfeatured alternative to the <code>radius-auth</code>. For details see <A HREF="mpd31.html#extauth">the External authentication chapter</A>. Default <code>disable</code>. <dt><code>ext-acct</code><dd>Enable accounting by calling external script. This method pretended to be a fullfeatured alternative to the <code>radius-acct</code>. For details see <A HREF="mpd31.html#extauth">the External authentication chapter</A>. Default <code>disable</code>. <dt><code>pam-auth</code><dd>Enables authentication using PAM service "mpd". This options can only be used with PAP. Default <code>disable</code>. <dt><code>pam-acct</code><dd>Enable accounting using PAM service "mpd". Default <code>disable</code>. <dt><code>system-auth</code><dd>Enables authentication against the systems password database. This options can only be used with PAP and MS-CHAP, but not with CHAP-MD5. If you intend to use this with MS-CHAP, then the passwords in the <code>master.passwd</code> must be NT-Hashes. You can enable this by putting <code>:passwd_format=nth:</code> into your <code>/etc/login.conf</code>, but you need at least FreeBSD 5.2. Default <code>disable</code>. <dt><code>system-acct</code><dd>Enable accounting via utmp/wtmp. Default <code>disable</code>. <dt><code>opie</code><dd>Enables authentication using OPIE. When using PAP there is nothing more todo. For all other authentication protocols you have to put the username into the <code>mpd.secret</code> file, but the specified password is then interpreted as secret pass phrase. This is needed, because Mpd must be aware of the plaintext password when using CHAP. The (windows) endusers could generate their actual responses themselfs using Winkey. IMPORTANT: Disable the internal authentication when using OPIE and CHAP, because otherwise users are also able to authenticate with their secret pass phrase. Default <code>disable</code>. <dt><code>acct-mandatory</code><dd>Makes accounting start mandatory. If enabled, on accounting start failure connection will be dropped. Default <code>enable</code>. </dl>  <H3>4.10.1. <A HREF="mpd30.html#30">RADIUS</A></H3> <H3>4.10.2. <A HREF="mpd31.html#31">External authentication</A></H3> <HR NOSHADE> <A HREF="mpd.html">Mpd 5.9 User Manual</A> : <A HREF="mpd17.html">Configuring Mpd</A> : Authentication, Authorization and Accounting (AAA)  Previous: <A HREF="mpd28.html">Interface layer</A>  Next: <A HREF="mpd30.html">RADIUS</A> </BODY> </HTML>