Annotation of embedaddon/mpd/doc/mpd30.html, revision 1.1
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
<HTML>
<HEAD>
<META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=iso-8859-1">
<TITLE>RADIUS</TITLE>
</HEAD>
<BODY text="#000000" bgcolor="#ffffff">

<A HREF="mpd.html"><EM>Mpd 5.6 User Manual</EM></A>
<b>:</b> <A HREF="mpd17.html"><EM>Configuring Mpd</EM></A>
<b>:</b> <A HREF="mpd29.html"><EM>Authentication, Authorization and Accounting (AAA)</EM></A>
<b>:</b> <EM>RADIUS</EM><BR>
<b>Previous:</b> <A HREF="mpd29.html"><EM>Authentication, Authorization and Accounting (AAA)</EM></A><BR>
<b>Next:</b> <A HREF="mpd31.html"><EM>External authentication</EM></A>


<HR NOSHADE>
<H2><A NAME="30"></A>4.10.1. RADIUS<A NAME="radius"></A></H2>

<p>This chapter describes the RADIUS authentication backend.
Mpd supports both user authentication and session accounting using RADIUS.
RADIUS accounting and RADIUS authentication are independent, so it is possible
to use them in any combination.</p>
<p>All authentication methods are supported with RADIUS (PAP, CHAP, MS-CHAPv1,
MS-CHAPv2, EAP). Password changing is currently not supported.</p>
<p>All of these commands apply to the currently active link.</p>
<p>
<dl>

<dt><b><code>set radius server <em>name</em> <em>secret</em> [ <em>auth-port</em> [ <em>acct-port</em> ]]</code></b><dd><p>Configure RADIUS server parameters. Multiple RADIUS servers may be configured
by repeating this command; up to 10 servers may be specified.
If the auth-port or the acct-port is specified as 0, that server will not be used
for requests of that type.</p>

<dt><b><code>set radius timeout <em>seconds</em></code></b><dd><p>Set the timeout for completion of RADIUS requests.</p>
<p>The default is 5 seconds.</p>

<dt><b><code>set radius retries <em>#retries</em></code></b><dd><p>Set the number of retries for RADIUS requests.</p>
<p>The default is 3 retries.</p>

<dt><b><code>set radius me <em>IP</em>|<em>ifname</em>|<em>hostname</em></code></b><dd><p>Send the given IP address (or the address of the named interface or host) in the RAD_NAS_IP_ADDRESS attribute to the server.</p>

<dt><b><code>set radius v6me <em>IPv6</em></code></b><dd><p>Send the given IPv6 address in the RAD_NAS_IPV6_ADDRESS attribute to the server.</p>

<dt><b><code>set radius identifier <em>name</em></code></b><dd><p>Send the given name in the RAD_NAS_IDENTIFIER attribute to the server.
If not set, the local hostname is used.</p>

<dt><b><code>set radius enable message-authentic</code></b><dd><p>Adds the Message-Authenticator attribute to the RADIUS request.
The Message-Authenticator is an HMAC-MD5 checksum of the entire
Access-Request packet, using the shared secret as the key. This
should protect the RADIUS server against online dictionary attacks.
It is mandatory when using the EAP-RADIUS-Proxy, and in that case Mpd
adds it to the request implicitly.</p>

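<p>The following Python example, added here and not part of mpd or this manual, shows what the Message-Authenticator computation above amounts to on the wire and how a server verifies it: the HMAC-MD5 is taken over the whole Access-Request with the attribute's own 16 value bytes zeroed, keyed with the shared secret. The shared secret, Request Authenticator and attribute values are constructed sample data; the attribute numbers are the standard RADIUS ones (User-Name 1, NAS-Identifier 32, Message-Authenticator 80).</p>

```python
import hashlib
import hmac
import struct

# RADIUS packet code and attribute types used below (RFC 2865 / RFC 2869 numbers).
ACCESS_REQUEST = 1
USER_NAME = 1
NAS_IDENTIFIER = 32
MESSAGE_AUTHENTICATOR = 80

# Constructed sample values; a real NAS draws the Request Authenticator at random.
SECRET = b"example-shared-secret"
REQUEST_AUTHENTICATOR = bytes(range(16))


def attr(atype, value):
    """Encode one attribute as Type, Length, Value; Length counts the two header bytes."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", atype, len(value) + 2) + value


def build_access_request(identifier, authenticator, attributes, secret):
    """Build an Access-Request carrying Message-Authenticator.

    The HMAC-MD5 is computed over the complete packet (header, Request
    Authenticator and all attributes) with the Message-Authenticator value
    itself set to 16 zero bytes, then written into that placeholder.
    """
    body = b"".join(attributes) + attr(MESSAGE_AUTHENTICATOR, b"\x00" * 16)
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(body))
    packet = header + authenticator + body
    mac = hmac.new(secret, packet, hashlib.md5).digest()
    return packet[:-16] + mac


def iter_attributes(packet):
    """Yield (offset, type, value) for each attribute after the 20-byte header."""
    declared = struct.unpack("!H", packet[2:4])[0]
    if declared != len(packet) or declared < 20:
        raise ValueError("packet length field does not match packet size")
    off = 20
    while off < len(packet):
        if off + 2 > len(packet):
            raise ValueError("truncated attribute header")
        atype, alen = packet[off], packet[off + 1]
        if alen < 2 or off + alen > len(packet):
            raise ValueError("malformed attribute at offset %d" % off)
        yield off, atype, packet[off + 2:off + alen]
        off += alen


def verify_message_authenticator(packet, secret):
    """Server-side check: recompute the HMAC with the attribute zeroed and compare.

    Returns False when the attribute is missing, malformed, or does not match,
    so a request whose attributes were altered in transit is rejected.
    """
    for off, atype, value in iter_attributes(packet):
        if atype == MESSAGE_AUTHENTICATOR:
            if len(value) != 16:
                return False
            zeroed = packet[:off + 2] + b"\x00" * 16 + packet[off + 18:]
            expected = hmac.new(secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(expected, value)
    return False


def demo():
    """Return (valid_ok, tampering_detected, wrong_secret_detected, missing_attr_detected)."""
    attrs = [attr(USER_NAME, b"alice"), attr(NAS_IDENTIFIER, b"mpd-nas-1")]
    pkt = build_access_request(7, REQUEST_AUTHENTICATOR, attrs, SECRET)
    # Same-length edit of User-Name keeps the packet well-formed but breaks the HMAC.
    tampered = pkt.replace(b"alice", b"alise")
    # A request sent without the attribute cannot be verified at all.
    body = b"".join(attrs)
    plain = struct.pack("!BBH", ACCESS_REQUEST, 8, 20 + len(body)) + REQUEST_AUTHENTICATOR + body
    return (
        verify_message_authenticator(pkt, SECRET),
        not verify_message_authenticator(tampered, SECRET),
        not verify_message_authenticator(pkt, b"wrong-secret"),
        not verify_message_authenticator(plain, SECRET),
    )


if __name__ == "__main__":
    print(demo())
```

<p>The comparison uses <code>hmac.compare_digest</code> so that a server does not leak timing information about how many bytes of the checksum matched; the zeroing step is the detail most often got wrong when re-implementing the check.</p>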
<dt><b>RADIUS internals</b><dd>
<p>RADIUS attributes supported by mpd:
<pre>
  N  Name                       Access      Accounting
                                Req Resp    Req Resp
  1  User-Name                   +   +       +   -
  2  User-Password               +   -       -   -
  3  CHAP-Password               +   -       -   -
  4  NAS-IP-Address              +   -       +   -
  5  NAS-Port                    +   -       +   -
  6  Service-Type                +   -       +   -
  7  Framed-Protocol             +   -       +   -
  8  Framed-IP-Address           -   +       +   -
  9  Framed-IP-Netmask           -   +       +   -
 12  Framed-MTU                  -   +       -   -
 13  Framed-Compression          -   +       -   -
 18  Reply-Message               -   +       -   -
 22  Framed-Route                -   +       -   -
 24  State                       +   +       +   -
 25  Class                       -   +       +   -
 27  Session-Timeout             -   +       -   -
 28  Idle-Timeout                -   +       -   -
 30  Called-Station-Id           +   -       +   -
 31  Calling-Station-Id          +   -       +   -
 32  NAS-Identifier              +   -       +   -
 40  Acct-Status-Type            -   -       +   -
 42  Acct-Input-Octets           -   -       +   -
 43  Acct-Output-Octets          -   -       +   -
 44  Acct-Session-Id             +   -       +   -
 45  Acct-Authentic              -   -       +   -
 46  Acct-Session-Time           -   -       +   -
 47  Acct-Input-Packets          -   -       +   -
 48  Acct-Output-Packets         -   -       +   -
 49  Acct-Terminate-Cause        -   -       +   -
 50  Acct-Multi-Session-Id       -   -       +   -
 51  Acct-Link-Count             -   -       +   -
 52  Acct-Input-Gigawords        -   -       +   -
 53  Acct-Output-Gigawords       -   -       +   -
 60  CHAP-Challenge              +   -       -   -
 61  NAS-Port-Type               +   -       +   -
 64  Tunnel-Type                 +   -       +   -
 65  Tunnel-Medium-Type          +   -       +   -
 66  Tunnel-Client-Endpoint      +   -       +   -
 67  Tunnel-Server-Endpoint      +   -       +   -
 85  Acct-Interim-Interval       -   +       -   -
 87  NAS-Port-Id                 +   -       +   -
 88  Framed-Pool                 -   +       -   -
 90  Tunnel-Client-Auth-ID       +   -       +   -
 91  Tunnel-Server-Auth-ID       +   -       +   -
 95  NAS-IPv6-Address            +   -       +   -
 99  Framed-IPv6-Route           -   +       -   -

Microsoft VSA (311)
  1  MS-CHAP-Response            +   -       -   -
  2  MS-CHAP-Error               -   +       -   -
  7  MS-MPPE-Encryption-Policy   -   +       -   -
  8  MS-MPPE-Encryption-Types    -   +       -   -
 10  MS-CHAP-Domain              -   +       -   -
 11  MS-CHAP-Challenge           +   -       -   -
 12  MS-CHAP-MPPE-Keys           -   +       -   -
 16  MS-MPPE-Send-Key            -   +       -   -
 17  MS-MPPE-Recv-Key            -   +       -   -
 25  MS-CHAP2-Response           +   -       -   -
 26  MS-CHAP2-Success            -   +       -   -
 28  MS-Primary-DNS-Server       -   +       -   -
 29  MS-Secondary-DNS-Server     -   +       -   -
 30  MS-Primary-NBNS-Server      -   +       -   -
 31  MS-Secondary-NBNS-Server    -   +       -   -

DSL Forum VSA (3561)
  1  ADSL-Agent-Circuit-Id       +   -       +   -
  2  ADSL-Agent-Remote-Id        +   -       +   -

mpd VSA (12341)
  1  mpd-rule                    -   +       -   -
  2  mpd-pipe                    -   +       -   -
  3  mpd-queue                   -   +       -   -
  4  mpd-table                   -   +       -   -
  5  mpd-table-static            -   +       -   -
  6  mpd-filter                  -   +       -   -
  7  mpd-limit                   -   +       -   -
  8  mpd-input-octets            -   -       +   -
  9  mpd-input-packets           -   -       +   -
 10  mpd-output-octets           -   -       +   -
 11  mpd-output-packets          -   -       +   -
 12  mpd-link                    +   -       +   -
 13  mpd-bundle                  -   -       +   -
 14  mpd-iface                   -   -       +   -
 15  mpd-iface-index             -   -       +   -
 16  mpd-input-acct              -   +       -   -
 17  mpd-output-acct             -   +       -   -
 18  mpd-action                  -   +       -   -
 19  mpd-peer-ident              +   -       +   -
 20  mpd-iface-name              -   +       -   -
 21  mpd-iface-descr             -   +       -   -
 22  mpd-iface-group             -   +       -   -
154  mpd-drop-user               -   -       -   +
</pre>
</p>
<p>To use the mpd VSAs, add the following dictionary to your RADIUS server:
<pre>
#----------------------------------------------------------
# dictionary.mpd

VENDOR          mpd                  12341

BEGIN-VENDOR    mpd

ATTRIBUTE       mpd-rule             1     string
ATTRIBUTE       mpd-pipe             2     string
ATTRIBUTE       mpd-queue            3     string
ATTRIBUTE       mpd-table            4     string
ATTRIBUTE       mpd-table-static     5     string
ATTRIBUTE       mpd-filter           6     string
ATTRIBUTE       mpd-limit            7     string
ATTRIBUTE       mpd-input-octets     8     string
ATTRIBUTE       mpd-input-packets    9     string
ATTRIBUTE       mpd-output-octets    10    string
ATTRIBUTE       mpd-output-packets   11    string
ATTRIBUTE       mpd-link             12    string
ATTRIBUTE       mpd-bundle           13    string
ATTRIBUTE       mpd-iface            14    string
ATTRIBUTE       mpd-iface-index      15    integer
ATTRIBUTE       mpd-input-acct       16    string
ATTRIBUTE       mpd-output-acct      17    string
ATTRIBUTE       mpd-action           18    string
ATTRIBUTE       mpd-peer-ident       19    string
ATTRIBUTE       mpd-iface-name       20    string
ATTRIBUTE       mpd-iface-descr      21    string
ATTRIBUTE       mpd-iface-group      22    string
ATTRIBUTE       mpd-drop-user        154   integer

END-VENDOR      mpd
#----------------------------------------------------------
</pre>
</p>
<p>Mpd allows the RADIUS server to terminate a user session by setting the vendor-specific
mpd-drop-user attribute to a nonzero value in the reply to an accounting start or update packet.</p>

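<p>The Python example below is added here and is not code from mpd or the manual. It encodes and decodes mpd vendor-specific attributes in the RFC 2865 Vendor-Specific layout (Type 26, Length, Vendor-Id 12341, then the vendor type, length and value) using a subset of the dictionary above, and applies the rule just stated: a nonzero mpd-drop-user in an accounting reply means the session is to be dropped. The attribute values and the interface index are constructed sample data.</p>

```python
import struct

VENDOR_SPECIFIC = 26        # RFC 2865 Vendor-Specific attribute type
VENDOR_MPD = 12341          # vendor id from dictionary.mpd on this page

# Subset of dictionary.mpd: name -> (vendor attribute number, type)
MPD_DICT = {
    "mpd-rule": (1, "string"),
    "mpd-pipe": (2, "string"),
    "mpd-table": (4, "string"),
    "mpd-filter": (6, "string"),
    "mpd-limit": (7, "string"),
    "mpd-iface-index": (15, "integer"),
    "mpd-drop-user": (154, "integer"),
}
MPD_BY_NUMBER = {num: (name, typ) for name, (num, typ) in MPD_DICT.items()}


def encode_mpd_vsa(name, value):
    """Encode one mpd attribute in RFC 2865 VSA layout:
    Type=26, Length, Vendor-Id (4 bytes), Vendor-Type, Vendor-Length, Value."""
    num, typ = MPD_DICT[name]
    data = struct.pack("!I", value) if typ == "integer" else value.encode()
    inner = struct.pack("!BB", num, len(data) + 2) + data
    body = struct.pack("!I", VENDOR_MPD) + inner
    if len(body) + 2 > 255:
        raise ValueError("VSA too long for a single attribute")
    return struct.pack("!BB", VENDOR_SPECIFIC, len(body) + 2) + body


def decode_attributes(blob):
    """Walk a RADIUS attribute list and return [(name_or_type, value), ...].

    mpd VSAs are decoded through the dictionary; any other attribute is kept as
    (type number, raw bytes) so that nothing is silently dropped.
    """
    out, off = [], 0
    while off < len(blob):
        if off + 2 > len(blob):
            raise ValueError("truncated attribute header")
        atype, alen = blob[off], blob[off + 1]
        if alen < 2 or off + alen > len(blob):
            raise ValueError("malformed attribute at offset %d" % off)
        value = blob[off + 2:off + alen]
        off += alen
        if atype != VENDOR_SPECIFIC or len(value) < 6 or struct.unpack("!I", value[:4])[0] != VENDOR_MPD:
            out.append((atype, value))
            continue
        vtype, vlen = value[4], value[5]
        if vlen != len(value) - 4 or vtype not in MPD_BY_NUMBER:
            raise ValueError("malformed or unknown mpd VSA %d" % vtype)
        name, typ = MPD_BY_NUMBER[vtype]
        vdata = value[6:]
        if typ == "integer":
            if len(vdata) != 4:
                raise ValueError("integer VSA must be 4 bytes")
            out.append((name, struct.unpack("!I", vdata)[0]))
        else:
            out.append((name, vdata.decode()))
    return out


def should_drop_session(decoded):
    """Rule described on the page: a nonzero mpd-drop-user in an accounting
    reply tells mpd to terminate the session."""
    return any(name == "mpd-drop-user" and value != 0 for name, value in decoded)


def demo():
    """Round-trip a constructed Access-Accept attribute list and an accounting reply."""
    accept = (encode_mpd_vsa("mpd-rule", "100=allow all from any to any")
              + encode_mpd_vsa("mpd-iface-index", 3))
    acct_reply = encode_mpd_vsa("mpd-drop-user", 1)
    return decode_attributes(accept), should_drop_session(decode_attributes(acct_reply))


if __name__ == "__main__":
    print(demo())
```

<p>The decoder validates the inner vendor length against the outer attribute length before trusting it; a RADIUS client that skips this check can be made to read past the attribute by a malformed reply.</p>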
<dt><b>RADIUS ACL's</b><dd>
<p>Mpd can apply Access Control Lists (ACLs) given by the RADIUS server.
These ACLs may include ipfw rules, pipes, queues and tables, and also mpd's
internal traffic filtering/shaping/limiting features. The two sets are
redundant: ipfw is proposed as the standard and universal solution, while the internal
filter/shaper/limiter, based on ng_bpf and ng_car, is expected to perform better with
a large number of active links.</p>

<dt><b>ipfw</b><dd>
<p>You can write in your RADIUS configuration something like:
<pre>
mpd-table += "1=10.0.0.1",
mpd-table += "1=10.0.0.15",
mpd-pipe += "1=bw 10Kbyte/s",
mpd-pipe += "5=bw 20Kbyte/s",
mpd-rule += "1=pipe %p1 all from any to table\\(%t1\\) in",
mpd-rule += "2=pipe %p5 all from table\\(%t1\\) to any out",
mpd-rule += "100=allow all from any to any",
</pre>
</p>
<p>When mpd receives these parameters it will call ipfw(8) to create
firewall rules, pipes and queues with unique numbers starting from 10000
(configurable via 'set global start...'). The %rX, %pX, %qX and %tX
macros will be expanded within mpd-rule and mpd-queue values.
"via ngX" is appended to the end of each rule so that the rule applies
only to that client's network interface.</p>
<p>As a result of this example, these commands would be executed:
<pre>
ipfw table 32 add 10.0.0.1
ipfw table 32 add 10.0.0.15
ipfw pipe 10000 config bw 10Kbyte/s
ipfw pipe 10001 config bw 20Kbyte/s
ipfw add 10000 pipe 10000 all from any to table\(32\) in via ng0
ipfw add 10001 pipe 10001 all from table\(32\) to any out via ng0
ipfw add 10002 allow all from any to any via ng0
</pre>

When the link goes down, all created rules will be removed.</p>
<p>Note: since mpd executes the ipfw commands through a shell, the shell's
special characters such as "(" and ")" must be escaped with a backslash.</p>

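<p>As an added illustration of the numbering and macro expansion just described (this is example code, not mpd's implementation), the Python below takes the page's mpd-table/mpd-pipe/mpd-rule values, allocates unique real numbers in order of first use, expands the %rX/%pX/%qX/%tX macros, appends "via ngX", and returns the resulting ipfw(8) command lines. The starting numbers (rules, pipes and queues from 10000, tables from 32) are chosen to reproduce the commands shown on the page and are assumed defaults; the teardown list is illustrative, since the page says only that the rules are removed on link-down. Note that the doubled backslashes written in the RADIUS users file reach mpd as single backslashes, which is how the constructed input is written here.</p>

```python
import re


def _parse_numbered(values):
    """Split 'N=text' attribute values into (N, text) pairs, preserving order."""
    out = []
    for v in values:
        num, sep, text = v.partition("=")
        if not sep or not num.isdigit() or not text:
            raise ValueError("bad attribute value %r" % v)
        out.append((int(num), text))
    return out


def _allocate(items, start):
    """Give each distinct user-chosen number a unique real number, counting up from start."""
    mapping = {}
    for num, _ in items:
        if num not in mapping:
            mapping[num] = start + len(mapping)
    return mapping


def expand_acl(attrs, iface, start_rule=10000, start_pipe=10000, start_queue=10000, start_table=32):
    """Turn mpd-table/mpd-pipe/mpd-queue/mpd-rule values into ipfw(8) command lines.

    Returns (setup, teardown) as lists of strings; nothing is executed, so the
    expansion can be inspected. The start_* defaults are assumptions chosen to
    match the numbering shown on the page.
    """
    tables = _parse_numbered(attrs.get("mpd-table", []))
    pipes = _parse_numbered(attrs.get("mpd-pipe", []))
    queues = _parse_numbered(attrs.get("mpd-queue", []))
    rules = _parse_numbered(attrs.get("mpd-rule", []))
    macros = {"t": _allocate(tables, start_table), "p": _allocate(pipes, start_pipe),
              "q": _allocate(queues, start_queue), "r": _allocate(rules, start_rule)}

    def expand(text):
        # %rX, %pX, %qX, %tX name user-chosen numbers; substitute the allocated real ones.
        def sub(m):
            kind, num = m.group(1), int(m.group(2))
            if num not in macros[kind]:
                raise ValueError("macro %%%s%d refers to an undefined object" % (kind, num))
            return str(macros[kind][num])
        return re.sub(r"%([rpqt])(\d+)", sub, text)

    setup, teardown = [], []
    for num, entry in tables:
        setup.append("ipfw table %d add %s" % (macros["t"][num], entry))
    for num, cfg in pipes:
        setup.append("ipfw pipe %d config %s" % (macros["p"][num], cfg))
    for num, cfg in queues:
        setup.append("ipfw queue %d config %s" % (macros["q"][num], expand(cfg)))
    for num, body in rules:
        # "via <iface>" restricts the rule to this client's interface.
        setup.append("ipfw add %d %s via %s" % (macros["r"][num], expand(body), iface))
    # Illustrative link-down cleanup: rules first, then queues, pipes and tables.
    teardown += ["ipfw delete %d" % n for n in macros["r"].values()]
    teardown += ["ipfw queue %d delete" % n for n in macros["q"].values()]
    teardown += ["ipfw pipe %d delete" % n for n in macros["p"].values()]
    teardown += ["ipfw table %d flush" % n for n in macros["t"].values()]
    return setup, teardown


# The page's example as mpd receives it (constructed input; single backslashes).
PAGE_EXAMPLE = {
    "mpd-table": ["1=10.0.0.1", "1=10.0.0.15"],
    "mpd-pipe": ["1=bw 10Kbyte/s", "5=bw 20Kbyte/s"],
    "mpd-rule": [r"1=pipe %p1 all from any to table\(%t1\) in",
                 r"2=pipe %p5 all from table\(%t1\) to any out",
                 "100=allow all from any to any"],
}


def page_example():
    """Setup commands for the page's example on interface ng0."""
    return expand_acl(PAGE_EXAMPLE, "ng0")[0]


if __name__ == "__main__":
    for line in page_example():
        print(line)
```

<p>A macro that refers to a pipe, queue or table the server never defined raises an error instead of emitting a half-expanded command; that is the check worth keeping in any code that feeds attribute-derived strings to a shell.</p>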
<dt><b>internal (ng_bpf/ng_car)</b><dd>
<p>Mpd can create complex per-interface traffic filtering/limiting engines inside
netgraph when requested by the mpd-filter and mpd-limit RADIUS attributes.</p>
<p>The mpd-filter attribute declares a packet filter for use in mpd-limit.
An mpd-filter consists of two main parts: a match/nomatch verdict and the condition.
The tcpdump (libpcap) expression syntax is used for conditions.</p>
<p>mpd-filter: <em>match</em>|<em>nomatch</em> <em>{condition}</em></p>
<p>The mpd-limit attribute is an action to be applied to a packet. It consists
of two main parts: a filter and an action.</p>
<p>mpd-limit: <em>{filter}</em> <em>{action}</em></p>
<p>The filter is either "all" (any packet) or "fltX"
(packets matching the specified mpd-filter X).</p>
<p>filter: <em>all</em>|<em>fltX</em></p>
<p>The action can be: "" (do nothing, just account),
"pass" (stop processing and pass the packet),
"deny" (stop processing and drop the packet),
"rate-limit" (Cisco-like rate limiting),
"shape" (simple RED-aware traffic shaping).</p>
<p>The actions "rate-limit" and "shape" can take an optional "pass" suffix
to stop processing after the action has been applied.</p>
<p>action: <em></em> | <em>pass</em> | <em>deny</em> |
<em>rate-limit</em> <em>{rate(bits/s)}</em> [<em>{normal burst(bytes)}</em> [<em>{extended burst(bytes)}</em>]] [<em>pass</em>] |
<em>shape</em> <em>{rate(bits/s)}</em> [<em>{burst(bytes)}</em>] [<em>pass</em>]</p>
<p>As an example, you can write in your RADIUS configuration something like:
<pre>
mpd-filter += "1#1=nomatch dst net 10.0.0.0/24",
mpd-filter += "1#2=match dst net 10.0.0.0/8",
mpd-filter += "2#1=nomatch src net 10.0.0.0/24",
mpd-filter += "2#2=match src net 11.0.0.0/8",
mpd-limit += "in#1=flt1 pass",
mpd-limit += "in#2#Biz=all shape 64000 4000",
mpd-limit += "out#1=flt2 pass",
mpd-limit += "out#2#Biz=all rate-limit 1024000 150000 300000",
</pre>
</p>
<p>As a result, one ng_bpf node will be created to implement the traffic filters
and several (two in this example) ng_car nodes for traffic shaping
and rate limiting. Incoming traffic to 10.0.0.0/8, except 10.0.0.0/24,
will be passed; other incoming traffic will be shaped to 64 Kbit/s. Outgoing
traffic from 10.0.0.0/8, except 10.0.0.0/24, will be passed; all other outgoing
traffic will be limited to 1024 Kbit/s. Traffic that passed mpd-limit rules
marked "Biz" will also be accounted separately and reported under that name
in AAA accounting requests.</p>

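<p>To make the mpd-filter/mpd-limit grammar above concrete, here is an added Python example (not mpd's code) that parses the page's attribute values into filter and limit tables, validates the action grammar and filter references, and walks the limits for a single packet in one direction. Two details are assumptions rather than statements of the page: the evaluator understands only the "src net"/"dst net" subset of the pcap condition syntax, and within one filter the first entry whose condition holds is taken to decide the verdict, with a filter matching nothing treated as "nomatch". The packet addresses used are constructed sample values.</p>

```python
import ipaddress
import re


def parse_filters(values):
    """Parse mpd-filter values 'F#N=match|nomatch condition' into {F: [(verdict, condition), ...]}."""
    filters = {}
    for v in values:
        key, _, rest = v.partition("=")
        m = re.fullmatch(r"(\d+)#(\d+)", key)
        verdict, _, cond = rest.partition(" ")
        if not m or verdict not in ("match", "nomatch") or not cond.strip():
            raise ValueError("bad mpd-filter value %r" % v)
        filters.setdefault(int(m.group(1)), []).append((verdict, cond.strip()))
    return filters


def parse_action(words):
    """Validate the action grammar from the page:
    '' | pass | deny | rate-limit rate [nburst [eburst]] [pass] | shape rate [burst] [pass]."""
    if not words:
        return {"action": "", "params": [], "stop": False}
    name, rest = words[0], words[1:]
    if name in ("pass", "deny"):
        if rest:
            raise ValueError("%s takes no parameters" % name)
        return {"action": name, "params": [], "stop": True}
    if name not in ("rate-limit", "shape"):
        raise ValueError("unknown action %r" % name)
    stop = bool(rest) and rest[-1] == "pass"   # optional trailing "pass" suffix
    if stop:
        rest = rest[:-1]
    most = 3 if name == "rate-limit" else 2
    if not 1 <= len(rest) <= most or not all(p.isdigit() for p in rest):
        raise ValueError("bad parameters %r for %s" % (rest, name))
    return {"action": name, "params": [int(p) for p in rest], "stop": stop}


def parse_limits(values, filters):
    """Parse mpd-limit values 'in|out#N[#name]=all|fltX action...' per direction.
    The optional third key field is the accounting name ('Biz' on the page)."""
    limits = {"in": [], "out": []}
    for v in values:
        key, _, rest = v.partition("=")
        m = re.fullmatch(r"(in|out)#(\d+)(?:#(\w+))?", key)
        words = rest.split()
        if not m or not words:
            raise ValueError("bad mpd-limit value %r" % v)
        flt = words[0]
        fm = re.fullmatch(r"flt(\d+)", flt)
        if flt != "all" and (not fm or int(fm.group(1)) not in filters):
            raise ValueError("mpd-limit %r refers to an undefined filter" % v)
        entry = {"filter": flt, "name": m.group(3)}
        entry.update(parse_action(words[1:]))
        limits[m.group(1)].append(entry)
    return limits


def _condition_holds(cond, src, dst):
    # Assumption: only the '(src|dst) net CIDR' subset of the pcap syntax is understood here.
    m = re.fullmatch(r"(src|dst) net (\S+)", cond)
    if not m:
        raise ValueError("unsupported condition %r" % cond)
    addr = src if m.group(1) == "src" else dst
    return ipaddress.ip_address(addr) in ipaddress.ip_network(m.group(2), strict=False)


def filter_matches(entries, src, dst):
    """Assumed evaluation order: the first entry whose condition holds decides the
    verdict; a filter with no holding entry does not match."""
    for verdict, cond in entries:
        if _condition_holds(cond, src, dst):
            return verdict == "match"
    return False


def classify(direction, filters, limits, src, dst):
    """Return the (action, accounting name) pairs applied to one packet, in order,
    stopping after pass/deny or an action carrying the pass suffix."""
    applied = []
    for lim in limits[direction]:
        if lim["filter"] != "all" and not filter_matches(filters[int(lim["filter"][3:])], src, dst):
            continue
        applied.append((lim["action"], lim["name"]))
        if lim["stop"]:
            break
    return applied


# The page's example, as constructed input.
PAGE_FILTERS = ["1#1=nomatch dst net 10.0.0.0/24", "1#2=match dst net 10.0.0.0/8",
                "2#1=nomatch src net 10.0.0.0/24", "2#2=match src net 11.0.0.0/8"]
PAGE_LIMITS = ["in#1=flt1 pass", "in#2#Biz=all shape 64000 4000",
               "out#1=flt2 pass", "out#2#Biz=all rate-limit 1024000 150000 300000"]


def page_example():
    filters = parse_filters(PAGE_FILTERS)
    return filters, parse_limits(PAGE_LIMITS, filters)


if __name__ == "__main__":
    filters, limits = page_example()
    print(classify("in", filters, limits, "192.0.2.1", "10.0.5.1"))   # passed
    print(classify("in", filters, limits, "192.0.2.1", "10.0.0.7"))   # shaped, accounted as Biz
```

<p>Rejecting an mpd-limit that names an undefined fltX at parse time is the useful part for an operator: a typo in the RADIUS reply then fails loudly instead of silently falling through to the catch-all limit.</p>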

</dl>
</p>
<HR NOSHADE>
<A HREF="mpd.html"><EM>Mpd 5.6 User Manual</EM></A>
<b>:</b> <A HREF="mpd17.html"><EM>Configuring Mpd</EM></A>
<b>:</b> <A HREF="mpd29.html"><EM>Authentication, Authorization and Accounting (AAA)</EM></A>
<b>:</b> <EM>RADIUS</EM><BR>
<b>Previous:</b> <A HREF="mpd29.html"><EM>Authentication, Authorization and Accounting (AAA)</EM></A><BR>
<b>Next:</b> <A HREF="mpd31.html"><EM>External authentication</EM></A>



</BODY>
</HTML>