File: [ELWIX - Embedded LightWeight unIX -] / embedaddon / mpd / doc / mpd30.html
Revision 1.1.1.2 (vendor branch)
Mon Jul 22 08:44:30 2013 UTC by misho
Branches: mpd, MAIN
CVS tags: v5_7p0, v5_7, HEAD
5.7

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
<HTML>
<HEAD>
<META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=iso-8859-1">
<TITLE>RADIUS</TITLE>
</HEAD>
<BODY text="#000000" bgcolor="#ffffff">

<A HREF="mpd.html"><EM>Mpd 5.7 User Manual</EM></A>
 <b>:</b> <A HREF="mpd17.html"><EM>Configuring Mpd</EM></A>
 <b>:</b> <A HREF="mpd29.html"><EM>Authentication, Authorization and Accounting (AAA)</EM></A>
 <b>:</b> <EM>RADIUS</EM><BR>
<b>Previous:</b> <A HREF="mpd29.html"><EM>Authentication, Authorization and Accounting (AAA)</EM></A><BR>
<b>Next:</b> <A HREF="mpd31.html"><EM>External authentication</EM></A>


<HR NOSHADE>
  <H2><A NAME="30"></A>4.10.1. RADIUS<A NAME="radius"></A></H2>

<p>This chapter describes the RADIUS authentication backend.
Mpd supports both user authentication and session accounting using RADIUS.
RADIUS accounting and RADIUS authentication are independent, so they can be
used in any combination.</p>
<p>All authentication methods are supported with RADIUS (PAP, CHAP, MS-CHAPv1,
MS-CHAPv2, EAP). Password changing is currently not supported.</p>
<p>All of these commands apply to the currently active link.</p>
<p>
<dl>

<dt><b><code>set radius server <em>name</em> <em>secret</em> [ <em>auth-port</em> [ <em>acct-port</em> ]]</code></b><dd><p>Configure RADIUS server parameters. Multiple RADIUS servers may be configured
by repeating this command; up to 10 servers may be specified.
If either the auth or the acct port is specified as 0, that server is not used for requests
of that type.</p>

<dt><b><code>unset radius server <em>name</em> [ <em>auth-port</em> [ <em>acct-port</em> ]]</code></b><dd><p>Deletes the specified RADIUS server from the pool.</p>

<dt><b><code>set radius timeout <em>seconds</em></code></b><dd><p>Set the timeout for completion of RADIUS requests.</p>
<p>The default is 5 seconds.</p>

<dt><b><code>set radius retries <em>#retries</em></code></b><dd><p>Set the number of retries for RADIUS requests.</p>
<p>The default is 3 retries.</p>

<dt><b><code>set radius me <em>IP</em>|<em>ifname</em>|<em>hostname</em></code></b><dd><p>Send the given IP in the RAD_NAS_IP_ADDRESS attribute to the server.</p>

<dt><b><code>set radius v6me <em>IPv6</em></code></b><dd><p>Send the given IPv6 address in the RAD_NAS_IPV6_ADDRESS attribute to the server.</p>

<dt><b><code>set radius identifier <em>name</em></code></b><dd><p>Send the given name in the RAD_NAS_IDENTIFIER attribute to the server.
If not set, the local hostname is used.</p>

<dt><b><code>set radius enable message-authentic</code></b><dd><p>Adds the Message-Authenticator attribute to the RADIUS request.
The Message-Authenticator is an HMAC-MD5 over the entire Access-Request packet,
keyed with the shared secret and computed with the attribute's own 16 value bytes set to zero.
A server that requires it can reject Access-Requests from senders that do not know the
shared secret, which is what protects it against online dictionary attacks. It authenticates
the packet but does not encrypt it, so the shared secret itself still has to be long and random.
This attribute is mandatory when using the EAP-RADIUS proxy, and in that case Mpd adds it
to the request implicitly.</p>

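<p>What the attribute covers is easiest to see on the wire. The Python below is an added example, not code from mpd or from this manual: it assembles an Access-Request carrying User-Name, User-Password (hidden with the MD5-keyed XOR of RFC 2865, chained from the Request Authenticator) and Message-Authenticator (HMAC-MD5 over the whole packet with the attribute's 16 value bytes zeroed, as RFC 2869 specifies), then checks the attribute the way a server would: a modified packet, a wrong secret and a packet that omits the attribute all fail. The secret, user, password, NAS address and the fixed Request Authenticator are constructed test values.</p>

```python
import hashlib
import hmac
import os
import socket
import struct

# Attribute types used here (RFC 2865; Message-Authenticator is RFC 2869).
ATTR_USER_NAME = 1
ATTR_USER_PASSWORD = 2
ATTR_NAS_IP_ADDRESS = 4
ATTR_MESSAGE_AUTHENTICATOR = 80
CODE_ACCESS_REQUEST = 1

def encode_attr(atype, value):
    """One Type-Length-Value attribute; Length counts its own 2 header bytes."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return bytes([atype, len(value) + 2]) + value

def obfuscate_password(password, secret, authenticator):
    """RFC 2865 5.2: pad to 16-byte blocks and XOR each block with
    MD5(secret + previous output block), seeded by the Request Authenticator."""
    pw = password.encode()
    pw += b"\x00" * ((16 - len(pw) % 16) % 16)
    if len(pw) > 128:
        raise ValueError("password longer than 128 bytes")
    out, prev = b"", authenticator
    for i in range(0, len(pw), 16):
        block = hashlib.md5(secret + prev).digest()
        prev = bytes(x ^ y for x, y in zip(pw[i:i + 16], block))
        out += prev
    return out

def recover_password(cipher, secret, authenticator):
    """Server side of obfuscate_password(): undo the chained XOR."""
    if not cipher or len(cipher) % 16:
        raise ValueError("bad User-Password length")
    out, prev = b"", authenticator
    for i in range(0, len(cipher), 16):
        block = hashlib.md5(secret + prev).digest()
        prev = cipher[i:i + 16]
        out += bytes(x ^ y for x, y in zip(prev, block))
    return out.rstrip(b"\x00").decode()

def build_access_request(ident, secret, username, password, nas_ip,
                         authenticator=None, sign=True):
    """Assemble an Access-Request. With sign=True it carries Message-Authenticator
    = HMAC-MD5(secret, packet with the attribute's 16 value bytes zeroed), RFC 2869 5.14."""
    ra = authenticator if authenticator is not None else os.urandom(16)
    attrs = encode_attr(ATTR_USER_NAME, username.encode())
    attrs += encode_attr(ATTR_USER_PASSWORD, obfuscate_password(password, secret, ra))
    attrs += encode_attr(ATTR_NAS_IP_ADDRESS, socket.inet_aton(nas_ip))
    if sign:
        attrs += encode_attr(ATTR_MESSAGE_AUTHENTICATOR, b"\x00" * 16)
    pkt = struct.pack("!BBH", CODE_ACCESS_REQUEST, ident, 20 + len(attrs)) + ra + attrs
    if sign:  # the zeroed attribute is the last 16 bytes: overwrite them with the MAC
        pkt = pkt[:-16] + hmac.new(secret, pkt, hashlib.md5).digest()
    return pkt

def iter_attrs(pkt):
    """Yield (offset, type, value) per attribute; reject bad lengths before use."""
    if len(pkt) < 20 or struct.unpack("!H", pkt[2:4])[0] != len(pkt):
        raise ValueError("Length field does not match packet")
    off = 20
    while off < len(pkt):
        if off + 2 > len(pkt):
            raise ValueError("truncated attribute header")
        atype, alen = pkt[off], pkt[off + 1]
        if alen < 2 or off + alen > len(pkt):
            raise ValueError("bad attribute length")
        yield off, atype, pkt[off + 2:off + alen]
        off += alen

def verify_message_authenticator(pkt, secret):
    """Server-side check: recompute the HMAC with the attribute zeroed and compare
    in constant time. Malformed packets and packets without the attribute fail."""
    try:
        attrs = list(iter_attrs(pkt))
    except ValueError:
        return False
    for off, atype, value in attrs:
        if atype == ATTR_MESSAGE_AUTHENTICATOR:
            if len(value) != 16:
                return False
            zeroed = pkt[:off + 2] + b"\x00" * 16 + pkt[off + 18:]
            expected = hmac.new(secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(expected, value)
    return False

if __name__ == "__main__":
    # Constructed values; a real NAS takes the Request Authenticator from os.urandom().
    SECRET, RA = b"testing123", bytes(range(16))
    pkt = build_access_request(7, SECRET, "alice", "s3cret!", "192.0.2.10", RA)
    print("verified:", verify_message_authenticator(pkt, SECRET))
    pw = next(v for _, t, v in iter_attrs(pkt) if t == ATTR_USER_PASSWORD)
    print("password:", recover_password(pw, SECRET, RA))
```

<p>Two things the code makes concrete: the User-Password hiding is only as strong as the shared secret, since anyone holding the secret and the Request Authenticator reverses it exactly as <code>recover_password()</code> does, and the Message-Authenticator check is what stops a third party from submitting Access-Requests of its own, which is why the server should be configured to require it rather than merely accept it.</p>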
<dt><b>RADIUS internals</b><dd>
<p>RADIUS attributes supported by mpd:
<pre>
N   Name                        Access          Accounting
                                Req     Resp    Req     Resp
1   User-Name                   +       +       +       -
2   User-Password               +       -       -       -
3   CHAP-Password               +       -       -       -
4   NAS-IP-Address              +       -       +       -
5   NAS-Port                    +       -       +       -
6   Service-Type                +       -       +       -
7   Framed-Protocol             +       -       +       -
8   Framed-IP-Address           -       +       +       -
9   Framed-IP-Netmask           -       +       +       -
12  Framed-MTU                  -       +       -       -
13  Framed-Compression          -       +       -       -
18  Reply-Message               -       +       -       -
22  Framed-Route                -       +       -       -
24  State                       +       +       +       -
25  Class                       -       +       +       -
27  Session-Timeout             -       +       -       -
28  Idle-Timeout                -       +       -       -
30  Called-Station-Id           +       -       +       -
31  Calling-Station-Id          +       -       +       -
32  NAS-Identifier              +       -       +       -
40  Acct-Status-Type            -       -       +       -
42  Acct-Input-Octets           -       -       +       -
43  Acct-Output-Octets          -       -       +       -
44  Acct-Session-Id             +       -       +       -
45  Acct-Authentic              -       -       +       -
46  Acct-Session-Time           -       -       +       -
47  Acct-Input-Packets          -       -       +       -
48  Acct-Output-Packets         -       -       +       -
49  Acct-Terminate-Cause        -       -       +       -
50  Acct-Multi-Session-Id       -       -       +       -
51  Acct-Link-Count             -       -       +       -
52  Acct-Input-Gigawords        -       -       +       -
53  Acct-Output-Gigawords       -       -       +       -
60  CHAP-Challenge              +       -       -       -
61  NAS-Port-Type               +       -       +       -
64  Tunnel-Type                 +       -       +       -
65  Tunnel-Medium-Type          +       -       +       -
66  Tunnel-Client-Endpoint      +       -       +       -
67  Tunnel-Server-Endpoint      +       -       +       -
85  Acct-Interim-Interval       -       +       -       -
87  NAS-Port-Id                 +       -       +       -
88  Framed-Pool                 -       +       -       -
90  Tunnel-Client-Auth-ID       +       -       +       -
91  Tunnel-Server-Auth-ID       +       -       +       -
95  NAS-IPv6-Address            +       -       +       -
99  Framed-IPv6-Route           -       +       -       -

    Microsoft VSA (311)
1   MS-CHAP-Response            +       -       -       -
2   MS-CHAP-Error               -       +       -       -
7   MS-MPPE-Encryption-Policy   -       +       -       -
8   MS-MPPE-Encryption-Types    -       +       -       -
10  MS-CHAP-Domain              -       +       -       -
11  MS-CHAP-Challenge           +       -       -       -
12  MS-CHAP-MPPE-Keys           -       +       -       -
16  MS-MPPE-Send-Key            -       +       -       -
17  MS-MPPE-Recv-Key            -       +       -       -
25  MS-CHAP2-Response           +       -       -       -
26  MS-CHAP2-Success            -       +       -       -
28  MS-Primary-DNS-Server       -       +       -       -
29  MS-Secondary-DNS-Server     -       +       -       -
30  MS-Primary-NBNS-Server      -       +       -       -
31  MS-Secondary-NBNS-Server    -       +       -       -

    DSL Forum VSA (3561)
1   ADSL-Agent-Circuit-Id       +       -       +       -
2   ADSL-Agent-Remote-Id        +       -       +       -

    mpd VSA (12341)
1   mpd-rule                    -       +       -       -
2   mpd-pipe                    -       +       -       -
3   mpd-queue                   -       +       -       -
4   mpd-table                   -       +       -       -
5   mpd-table-static            -       +       -       -
6   mpd-filter                  -       +       -       -
7   mpd-limit                   -       +       -       -
8   mpd-input-octets            -       -       +       -
9   mpd-input-packets           -       -       +       -
10  mpd-output-octets           -       -       +       -
11  mpd-output-packets          -       -       +       -
12  mpd-link                    +       -       +       -
13  mpd-bundle                  -       -       +       -
14  mpd-iface                   -       -       +       -
15  mpd-iface-index             -       -       +       -
16  mpd-input-acct              -       +       -       -
17  mpd-output-acct             -       +       -       -
18  mpd-action                  -       +       -       -
19  mpd-peer-ident              +       -       +       -
20  mpd-iface-name              -       +       -       -
21  mpd-iface-descr             -       +       -       -
22  mpd-iface-group             -       +       -       -
154 mpd-drop-user               -       -       -       +
</pre>
</p>
<p>To use the mpd VSAs, add the following dictionary to your RADIUS server:
<pre>
#----------------------------------------------------------
# dictionary.mpd

VENDOR          mpd             12341

BEGIN-VENDOR	mpd

ATTRIBUTE	mpd-rule	1	string
ATTRIBUTE	mpd-pipe	2	string
ATTRIBUTE	mpd-queue	3	string
ATTRIBUTE	mpd-table	4	string
ATTRIBUTE	mpd-table-static	5	string
ATTRIBUTE	mpd-filter	6	string
ATTRIBUTE	mpd-limit	7	string
ATTRIBUTE	mpd-input-octets	8	string
ATTRIBUTE	mpd-input-packets	9	string
ATTRIBUTE	mpd-output-octets	10	string
ATTRIBUTE	mpd-output-packets	11	string
ATTRIBUTE	mpd-link	12	string
ATTRIBUTE	mpd-bundle	13	string
ATTRIBUTE	mpd-iface	14	string
ATTRIBUTE	mpd-iface-index	15	integer
ATTRIBUTE	mpd-input-acct	16	string
ATTRIBUTE	mpd-output-acct	17	string
ATTRIBUTE	mpd-action	18	string
ATTRIBUTE	mpd-peer-ident	19	string
ATTRIBUTE	mpd-iface-name	20	string
ATTRIBUTE	mpd-iface-descr	21	string
ATTRIBUTE	mpd-iface-group	22	string
ATTRIBUTE	mpd-drop-user	154	integer

END-VENDOR	mpd
#----------------------------------------------------------
</pre>
</p>
<p>Mpd allows the RADIUS server to terminate a user session by setting the vendor-specific
mpd-drop-user attribute to a nonzero value in its reply to an accounting Start or Interim-Update request.</p>

<dt><b>RADIUS ACLs</b><dd>
<p>Mpd can apply Access Control Lists (ACLs) given by the RADIUS server.
These ACLs may consist of ipfw rules, pipes, queues and tables, or of mpd's
internal traffic filtering/shaping/limiting features. The two sets are
redundant: ipfw is offered as the standard and universal solution, while the internal
filter/shaper/limiter based on ng_bpf+ng_car is expected to perform better with a
large number of active links.</p>

<dt><b>ipfw</b><dd>
<p>You can write in your RADIUS configuration something like:
<pre>
mpd-table += "1=10.0.0.1",
mpd-table += "1=10.0.0.15",
mpd-pipe += "1=bw 10Kbyte/s",
mpd-pipe += "5=bw 20Kbyte/s",
mpd-rule += "1=pipe %p1 all from any to table\\(%t1\\) in",
mpd-rule += "2=pipe %p5 all from table\\(%t1\\) to any out",
mpd-rule += "100=allow all from any to any",
</pre>
</p>
<p>When mpd receives these attributes it calls ipfw(8) to create
firewall rules, pipes and queues with unique numbers starting from 10000
(configurable via 'set global start...'). The %rX, %pX, %qX and %tX
macros (the numbers mpd allocated for rule, pipe, queue and table X) are
expanded within mpd-rule and mpd-queue.
"via ngX" is appended to each rule so that it applies
only to that client's network interface.</p>
<p>As a result of this example we would get these commands executed:
<pre>
ipfw table 32 add 10.0.0.1
ipfw table 32 add 10.0.0.15
ipfw pipe 10000 config bw 10Kbyte/s
ipfw pipe 10001 config bw 20Kbyte/s
ipfw add 10000 pipe 10000 all from any to table\(32\) in via ng0
ipfw add 10001 pipe 10001 all from table\(32\) to any out via ng0
ipfw add 10002 allow all from any to any via ng0
</pre>

When the link goes down, all created rules are removed.</p>
<p>Note: Because mpd executes the ipfw commands through a shell, shell
special characters such as "(" and ")" must be backslash-escaped.</p>

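<p>As an added illustration (example code of this edit, not mpd's implementation), the Python below performs the expansion described above on the attribute values the RADIUS example delivers and reproduces the ipfw commands listed. Rules, pipes and queues are numbered from 10000 and tables from 32 (the table start value and the hand-out in order of first appearance are assumptions chosen to match the example output; mpd's allocator may differ in detail). Because mpd hands the finished strings to a shell, the example also refuses values containing shell metacharacters or unescaped parentheses; that check is the example's own. It reflects the trust boundary the note above implies: whoever can place these attributes in an Access-Accept runs commands on the NAS, so the RADIUS server and the shared secret that authenticates its replies deserve the same care as a root shell.</p>

```python
import re

MACRO_RE = re.compile(r"%([rpqt])(\d+)")
# Characters a POSIX shell would interpret. mpd runs ipfw through a shell,
# so a RADIUS attribute must not be allowed to carry them (the example's own check).
SHELL_META = set(";|&$`<>\"'\n")


class Numbering:
    """Hand out consecutive numbers, one per distinct RADIUS-side key,
    in order of first appearance (assumed allocation order)."""

    def __init__(self, start):
        self.next, self.assigned = start, {}

    def get(self, key):
        if key not in self.assigned:
            self.assigned[key] = self.next
            self.next += 1
        return self.assigned[key]


def is_shell_safe(text):
    """Reject shell metacharacters and parentheses that are not backslash-escaped."""
    if any(c in SHELL_META for c in text):
        return False
    bare = text.replace("\\(", "").replace("\\)", "")
    return "(" not in bare and ")" not in bare


def expand_radius_acl(attrs, iface="ng0", start_rule=10000, start_pipe=10000,
                      start_queue=10000, start_table=32):
    """attrs: (attribute-name, value) pairs from an Access-Accept.
    Returns the ipfw command lines: tables first, then pipes, queues, rules."""
    num = {"r": Numbering(start_rule), "p": Numbering(start_pipe),
           "q": Numbering(start_queue), "t": Numbering(start_table)}

    def expand(body):  # %rX %pX %qX %tX -> the allocated numbers
        return MACRO_RE.sub(lambda m: str(num[m.group(1)].get(int(m.group(2)))), body)

    tables, pipes, queues, rules = [], [], [], []
    for name, value in attrs:
        key, sep, body = value.partition("=")
        if not sep or not key.isdigit():
            raise ValueError(f"malformed {name} value: {value!r}")
        if not is_shell_safe(body):
            raise ValueError(f"unsafe characters in {name} value: {value!r}")
        n = int(key)
        if name == "mpd-table":
            tables.append(f"ipfw table {num['t'].get(n)} add {body}")
        elif name == "mpd-pipe":
            pipes.append(f"ipfw pipe {num['p'].get(n)} config {body}")
        elif name == "mpd-queue":
            queues.append(f"ipfw queue {num['q'].get(n)} config {expand(body)}")
        elif name == "mpd-rule":
            rules.append(f"ipfw add {num['r'].get(n)} {expand(body)} via {iface}")
        else:
            raise ValueError(f"unsupported attribute {name}")
    return tables + pipes + queues + rules


# Constructed input: the attribute values of the RADIUS example above as mpd
# receives them (a single backslash before each parenthesis, as in the ipfw output).
EXAMPLE_ATTRS = [
    ("mpd-table", "1=10.0.0.1"),
    ("mpd-table", "1=10.0.0.15"),
    ("mpd-pipe", "1=bw 10Kbyte/s"),
    ("mpd-pipe", "5=bw 20Kbyte/s"),
    ("mpd-rule", r"1=pipe %p1 all from any to table\(%t1\) in"),
    ("mpd-rule", r"2=pipe %p5 all from table\(%t1\) to any out"),
    ("mpd-rule", "100=allow all from any to any"),
]

if __name__ == "__main__":
    for cmd in expand_radius_acl(EXAMPLE_ATTRS):
        print(cmd)
```

<p>Run as a script it prints the seven commands from the list above. Note that the pipe referenced as <code>%p5</code> becomes pipe 10001, not 10005: the RADIUS-side numbers are only keys, and the numbers that reach ipfw are whatever was allocated for that link.</p>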
<dt><b>internal (ng_bpf/ng_car)</b><dd>
<p>Mpd can build complex per-interface traffic filtering/limiting engines inside
netgraph when requested by the mpd-filter and mpd-limit RADIUS attributes.</p>
<p>The mpd-filter attribute declares a packet filter for use in mpd-limit.
An mpd-filter consists of two parts: a match/nomatch verdict and a condition.
Conditions use tcpdump (libpcap) expression syntax.</p>
<p>mpd-filter: <em>match</em>|<em>nomatch</em> <em>{condition}</em></p>
<p>The mpd-limit attribute is an action to be taken on a packet. It consists
of two parts: a filter and an action.</p>
<p>mpd-limit: <em>{filter}</em> <em>{action}</em></p>
<p>The filter is either "all" (any packet) or "fltX"
(packets matching the specified mpd-filter).</p>
<p>filter: <em>all</em>|<em>fltX</em></p>
<p>The action can be: "" (do nothing, just account),
"pass" (stop processing and pass the packet),
"deny" (stop processing and drop the packet),
"rate-limit" (Cisco-like rate limiting),
"shape" (simple RED-aware traffic shaping).</p>
<p>The actions "rate-limit" and "shape" can take an optional "pass" suffix
to stop processing after the action is applied.</p>
<p>action: <em></em> | <em>pass</em> | <em>deny</em> |
<em>rate-limit</em> <em>{rate(bits/s)}</em> [<em>{normal burst(bytes)}</em> [<em>{extended burst(bytes)}</em>]] [<em>pass</em>] |
<em>shape</em> <em>{rate(bits/s)}</em> [<em>{burst(bytes)}</em>] [<em>pass</em>]</p>
<p>The text before "=" in each attribute value is its key: for mpd-filter it gives
the filter number and the entry's position within that filter ("1#2"); for mpd-limit
it gives the direction, the position and an optional accounting name ("out#2#Biz").</p>
<p>As an example, you can write in your RADIUS configuration something like:
<pre>
mpd-filter += "1#1=nomatch dst net 10.0.0.0/24",
mpd-filter += "1#2=match dst net 10.0.0.0/8",
mpd-filter += "2#1=nomatch src net 10.0.0.0/24",
mpd-filter += "2#2=match src net 10.0.0.0/8",
mpd-limit += "in#1=flt1 pass",
mpd-limit += "in#2#Biz=all shape 64000 4000",
mpd-limit += "out#1=flt2 pass",
mpd-limit += "out#2#Biz=all rate-limit 1024000 150000 300000",
</pre>
</p>
<p>As a result, one ng_bpf node is created to implement the traffic filters
and several (two for this example) ng_car nodes for traffic shaping
and rate limiting. Incoming traffic to 10.0.0.0/8 except 10.0.0.0/24
is passed; all other incoming traffic is shaped to 64 kbit/s. Outgoing
traffic from 10.0.0.0/8 except 10.0.0.0/24 is passed; all other outgoing
traffic is rate-limited to 1024 kbit/s. Traffic that passed through mpd-limit rules
marked "Biz" is accounted separately and reported under that name
in AAA accounting requests.</p>


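<p>An added example, not mpd code: a Python parser for the mpd-filter and mpd-limit grammar above. It splits each attribute key into filter number and entry (mpd-filter) or direction, position and optional accounting name (mpd-limit, as in "out#2#Biz"), checks the verdict, the filter reference and the action arguments against the grammar, and returns a structure a NAS could hand to its shaper. The key formats are taken from the example values; the field names of the returned dictionaries are the example's own.</p>

```python
import re

FILTER_KEY_RE = re.compile(r"^(\d+)#(\d+)$")                   # "<filter>#<entry>"
LIMIT_KEY_RE = re.compile(r"^(in|out)#(\d+)(?:#([^#=]+))?$")   # "<dir>#<seq>[#<name>]"
FLT_REF_RE = re.compile(r"^flt(\d+)$")


def parse_filter(value):
    """mpd-filter: "<filter>#<entry>=match|nomatch <libpcap condition>"."""
    key, sep, body = value.partition("=")
    m = FILTER_KEY_RE.match(key)
    if not sep or not m:
        raise ValueError(f"bad mpd-filter key: {value!r}")
    verdict, _, cond = body.strip().partition(" ")
    if verdict not in ("match", "nomatch") or not cond.strip():
        raise ValueError(f"bad mpd-filter body: {value!r}")
    return {"filter": int(m.group(1)), "entry": int(m.group(2)),
            "verdict": verdict, "condition": cond.strip()}


def parse_action(args):
    """action: "" | pass | deny | rate-limit rate [nburst [eburst]] [pass]
    | shape rate [burst] [pass]; rates in bit/s, bursts in bytes."""
    if not args:
        return {"type": "account", "pass": False}  # nothing but accounting
    kind, rest = args[0], args[1:]
    if kind in ("pass", "deny"):
        if rest:
            raise ValueError(f"{kind} takes no arguments")
        return {"type": kind, "pass": kind == "pass"}
    if kind not in ("rate-limit", "shape"):
        raise ValueError(f"unknown action {kind!r}")
    stop = bool(rest) and rest[-1] == "pass"
    if stop:
        rest = rest[:-1]
    width = 3 if kind == "rate-limit" else 2
    if not 1 <= len(rest) <= width or not all(t.isdigit() for t in rest):
        raise ValueError(f"bad arguments for {kind}: {args!r}")
    nums = [int(t) for t in rest] + [None] * (width - len(rest))
    if kind == "rate-limit":
        return {"type": kind, "rate": nums[0], "normal_burst": nums[1],
                "extended_burst": nums[2], "pass": stop}
    return {"type": kind, "rate": nums[0], "burst": nums[1], "pass": stop}


def parse_limit(value):
    """mpd-limit: "<in|out>#<seq>[#<name>]=all|fltX <action>"."""
    key, sep, body = value.partition("=")
    m = LIMIT_KEY_RE.match(key)
    if not sep or not m:
        raise ValueError(f"bad mpd-limit key: {value!r}")
    tokens = body.split()
    if not tokens or (tokens[0] != "all" and not FLT_REF_RE.match(tokens[0])):
        raise ValueError(f"bad mpd-limit filter: {value!r}")
    return {"direction": m.group(1), "seq": int(m.group(2)), "name": m.group(3),
            "filter": tokens[0], "action": parse_action(tokens[1:])}


def parse_acl(attrs):
    """attrs: (name, value) pairs from an Access-Accept. Filters are grouped by
    number and limits by direction, each in order; a limit that names a filter
    no mpd-filter defined is an error rather than a silently empty match."""
    filters, limits = {}, {"in": [], "out": []}
    for name, value in attrs:
        if name == "mpd-filter":
            f = parse_filter(value)
            filters.setdefault(f["filter"], []).append(f)
        elif name == "mpd-limit":
            lim = parse_limit(value)
            limits[lim["direction"]].append(lim)
    for entries in filters.values():
        entries.sort(key=lambda e: e["entry"])
    for lims in limits.values():
        lims.sort(key=lambda e: e["seq"])
        for lim in lims:
            ref = FLT_REF_RE.match(lim["filter"])
            if ref and int(ref.group(1)) not in filters:
                raise ValueError(f"{lim['filter']} is not defined by any mpd-filter")
    return {"filters": filters, "limits": limits}


# Constructed input: the attribute values of the example above.
EXAMPLE_ATTRS = [
    ("mpd-filter", "1#1=nomatch dst net 10.0.0.0/24"),
    ("mpd-filter", "1#2=match dst net 10.0.0.0/8"),
    ("mpd-filter", "2#1=nomatch src net 10.0.0.0/24"),
    ("mpd-filter", "2#2=match src net 10.0.0.0/8"),
    ("mpd-limit", "in#1=flt1 pass"),
    ("mpd-limit", "in#2#Biz=all shape 64000 4000"),
    ("mpd-limit", "out#1=flt2 pass"),
    ("mpd-limit", "out#2#Biz=all rate-limit 1024000 150000 300000"),
]

if __name__ == "__main__":
    import json
    print(json.dumps(parse_acl(EXAMPLE_ATTRS), indent=1))
```

<p>The order of the entries matters, which is why the parser sorts by the position in the key: in the example the "in" direction first passes traffic matched by flt1 and only then shapes what is left, so swapping the two limits would shape everything.</p>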
</dl>
</p>
 <HR NOSHADE>
<A HREF="mpd.html"><EM>Mpd 5.7 User Manual</EM></A>
 <b>:</b> <A HREF="mpd17.html"><EM>Configuring Mpd</EM></A>
 <b>:</b> <A HREF="mpd29.html"><EM>Authentication, Authorization and Accounting (AAA)</EM></A>
 <b>:</b> <EM>RADIUS</EM><BR>
<b>Previous:</b> <A HREF="mpd29.html"><EM>Authentication, Authorization and Accounting (AAA)</EM></A><BR>
<b>Next:</b> <A HREF="mpd31.html"><EM>External authentication</EM></A>



</BODY>
</HTML>
