<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
<HTML>
<HEAD>
<META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=iso-8859-1">
<TITLE>RADIUS</TITLE>
</HEAD>
<BODY text="#000000" bgcolor="#ffffff">
<A HREF="mpd.html"><EM>Mpd 5.9 User Manual</EM></A>
<b>:</b> <A HREF="mpd17.html"><EM>Configuring Mpd</EM></A>
<b>:</b> <A HREF="mpd29.html"><EM>Authentication, Authorization and Accounting (AAA)</EM></A>
<b>:</b> <EM>RADIUS</EM><BR>
<b>Previous:</b> <A HREF="mpd29.html"><EM>Authentication, Authorization and Accounting (AAA)</EM></A><BR>
<b>Next:</b> <A HREF="mpd31.html"><EM>External authentication</EM></A>
<HR NOSHADE>
<H2><A NAME="30"></A>4.10.1. RADIUS<A NAME="radius"></A></H2>
<p>This chapter describes RADIUS authentication backend.
Mpd supports both user authentication and session accounting using RADIUS.
RADIUS-Accounting and RADIUS-Authentication are independant so it is possible
to use them in any combination.</p>
<p>All authentication methods are supported with RADIUS (PAP, CHAP, MS-CHAPv1,
MS-CHAPv2, EAP). Password changing is currently not supported.</p>
<p>All of these commands apply to the currently active link.</p>
<p>
<dl>
<dt><b><code>set radius server <em>name</em> <em>secret</em> [ <em>auth-port</em> [ <em>acct-port</em> ]]</code></b><dd><p>Configure RADIUS server parameters. Multiple RADIUS servers may be configured
by repeating this command, and up to 10 servers may be specified.
If one of auth/acct ports specified as 0, it will not be used for requests
of that type.</p>
<dt><b><code>unset radius server <em>name</em> [ <em>auth-port</em> [ <em>acct-port</em> ]]</code></b><dd><p>Deletes cpecific RADIUS server from pool.</p>
<dt><b><code>set radius src-addr <em>ipaddr</em></code></b><dd><p>Configure IP address on the multihomed host that is used as a source address
for all requests.</p>
<dt><b><code>set radius timeout <em>seconds</em></code></b><dd><p>Set the timeout for completion of RADIUS requests.</p>
<p>The default is 5 second.</p>
<dt><b><code>set radius retries <em>#retries</em></code></b><dd><p>Set the number of retries for RADIUS requests.</p>
<p>The default is 3 retries.</p>
<dt><b><code>set radius me <em>IP</em>|<em>ifname</em>|<em>hostname</em></code></b><dd><p>Send the given IP in the RAD_NAS_IP_ADDRESS attribute to the server.</p>
<dt><b><code>set radius v6me <em>IPv6</em></code></b><dd><p>Send the given IP in the RAD_NAS_IPV6_ADDRESS attribute to the server.</p>
<dt><b><code>set radius identifier <em>name</em></code></b><dd><p>Send the given name in the RAD_NAS_IDENTIFIER attribute to the server.
If not set the local hostname is used.</p>
<dt><b><code>set radius enable message-authentic</code></b><dd><p>Adds the Message-Authenticator attribute to the RADIUS request.
The Message-Authenticator is an HMAC-MD5 checksum of the entire
Access-Request packet using the shared secret as the key. This
should protect the RADIUS server against online dictionary attacks.
This is mandatory when using the EAP-RADIUS-Proxy and it's implicitly
added to the request by Mpd.</p>
<dt><b>RADIUS internals</b><dd>
<p>RADIUS attributes supported by mpd:
<pre>
N Name Access Accounting
Req Resp Req Resp
1 User-Name + + + -
2 User-Password + - - -
3 CHAP-Password + - - -
4 NAS-IP-Address + - + -
5 NAS-Port + - + -
6 Service-Type + - + -
7 Framed-Protocol + - + -
8 Framed-IP-Address - + + -
9 Framed-IP-Netmask - + + -
11 Filter-Id - + - -
12 Framed-MTU - + - -
13 Framed-Compression - + - -
18 Reply-Message - + - -
22 Framed-Route - + - -
24 State + + + -
25 Class - + + -
27 Session-Timeout - + - -
28 Idle-Timeout - + - -
30 Called-Station-Id + - + -
31 Calling-Station-Id + - + -
32 NAS-Identifier + - + -
40 Acct-Status-Type - - + -
42 Acct-Input-Octets - - + -
43 Acct-Output-Octets - - + -
44 Acct-Session-Id + - + -
45 Acct-Authentic - - + -
46 Acct-Session-Time - - + -
47 Acct-Input-Packets - - + -
48 Acct-Output-Packets - - + -
49 Acct-Terminate-Cause - - + -
50 Acct-Multi-Session-Id - - + -
51 Acct-Link-Count - - + -
52 Acct-Input-Gigawords - - + -
53 Acct-Output-Gigawords - - + -
60 CHAP-Challenge + - - -
61 NAS-Port-Type + - + -
64 Tunnel-Type + - + -
65 Tunnel-Medium-Type + - + -
66 Tunnel-Client-Endpoint + - + -
67 Tunnel-Server-Endpoint + - + -
85 Acct-Interim-Interval - + - -
87 NAS-Port-Id + - + -
88 Framed-Pool - + - -
90 Tunnel-Client-Auth-ID + - + -
91 Tunnel-Server-Auth-ID + - + -
95 NAS-IPv6-Address + - + -
99 Framed-IPv6-Route - + - -
Microsoft VSA (311)
1 MS-CHAP-Response + - - -
2 MS-CHAP-Error - + - -
7 MS-MPPE-Encryption-Policy - + - -
8 MS-MPPE-Encryption-Types - + - -
10 MS-CHAP-Domain - + - -
11 MS-CHAP-Challenge + - - -
12 MS-CHAP-MPPE-Keys - + - -
16 MS-MPPE-Send-Key - + - -
17 MS-MPPE-Recv-Key - + - -
25 MS-CHAP2-Response + - - -
26 MS-CHAP2-Success - + - -
28 MS-Primary-DNS-Server - + - -
29 MS-Secondary-DNS-Server - + - -
30 MS-Primary-NBNS-Server - + - -
31 MS-Secondary-NBNS-Server - + - -
DSL Forum VSA (3561)
1 ADSL-Agent-Circuit-Id + - + -
2 ADSL-Agent-Remote-Id + - + -
mpd VSA (12341)
1 mpd-rule - + - -
2 mpd-pipe - + - -
3 mpd-queue - + - -
4 mpd-table - + - -
5 mpd-table-static - + - -
6 mpd-filter - + - -
7 mpd-limit - + - -
8 mpd-input-octets - - + -
9 mpd-input-packets - - + -
10 mpd-output-octets - - + -
11 mpd-output-packets - - + -
12 mpd-link + - + -
13 mpd-bundle - - + -
14 mpd-iface - - + -
15 mpd-iface-index - - + -
16 mpd-input-acct - + - -
17 mpd-output-acct - + - -
18 mpd-action - + - -
19 mpd-peer-ident + - + -
20 mpd-iface-name - + - -
21 mpd-iface-descr - + - -
22 mpd-iface-group - + - -
154 mpd-drop-user - - - +
</pre>
</p>
<p>To use mpd VSA you should add such dictionary to your RADIUS server:
<pre>
#----------------------------------------------------------
# dictionary.mpd
VENDOR mpd 12341
BEGIN-VENDOR mpd
ATTRIBUTE mpd-rule 1 string
ATTRIBUTE mpd-pipe 2 string
ATTRIBUTE mpd-queue 3 string
ATTRIBUTE mpd-table 4 string
ATTRIBUTE mpd-table-static 5 string
ATTRIBUTE mpd-filter 6 string
ATTRIBUTE mpd-limit 7 string
ATTRIBUTE mpd-input-octets 8 string
ATTRIBUTE mpd-input-packets 9 string
ATTRIBUTE mpd-output-octets 10 string
ATTRIBUTE mpd-output-packets 11 string
ATTRIBUTE mpd-link 12 string
ATTRIBUTE mpd-bundle 13 string
ATTRIBUTE mpd-iface 14 string
ATTRIBUTE mpd-iface-index 15 integer
ATTRIBUTE mpd-input-acct 16 string
ATTRIBUTE mpd-output-acct 17 string
ATTRIBUTE mpd-action 18 string
ATTRIBUTE mpd-peer-ident 19 string
ATTRIBUTE mpd-iface-name 20 string
ATTRIBUTE mpd-iface-descr 21 string
ATTRIBUTE mpd-iface-group 22 string
ATTRIBUTE mpd-drop-user 154 integer
END-VENDOR mpd
#----------------------------------------------------------
</pre>
</p>
<p>Mpd allows RADIUS server to terminate user session by setting vendor specific
mpd-drop-user attribute to nonzero value in accounting start/update reply packet.</p>
<dt><b>RADIUS ACL's</b><dd>
<p>Mpd can use the Access Control Lists (ACLs) given by the RADIUS server.
This ACLs may include ipfw rules, pipes, queues and tables and also mpd
internal traffic filtering/shaping/limiting features. That two sets are
redundant. ipfw proposed as standard and universal solution, while internal
filter/shaper/limiter based on ng_bpf+ng_car expected to work faster with
big number of active links.</p>
<dt><b>ipfw</b><dd>
<p>You can write in your RADIUS configuration something like:
<pre>
mpd-table += "1=10.0.0.1",
mpd-table += "1=10.0.0.15",
mpd-pipe += "1=bw 10Kbyte/s",
mpd-pipe += "5=bw 20Kbyte/s",
mpd-rule += "1=pipe %p1 all from any to table\\(%t1\\) in",
mpd-rule += "2=pipe %p5 all from table\\(%t1\\) to any out",
mpd-rule += "100=allow all from any to any",
</pre>
</p>
<p>When mpd receives these parameters it will call ipfw(8) to create
firewall rules, pipes and queues with unique numbers starting from 10000
(configurable via 'set global start...'). %rX, %pX, %qX, %tX and %aX
macroses will be expanded within mpd-rule and mpd-queue.
To the end of each rule will be added "via ngX" to make the rule apply
only to that client's networking interface.</p>
<p>Allowed macroses:
<pre>
%rX IPFW rule pool
%pX IPFW pipe pool
%qX IPFW queue pool
%tX IPFW table pool
%a1 peer negotiated IP address
%a2 self negotiated IP address
</pre>
</p>
<p>As a result of this example we would get these commands executed:
<pre>
ipfw table 32 add 10.0.0.1
ipfw table 32 add 10.0.0.15
ipfw pipe 10000 config bw 10Kbyte/s
ipfw pipe 10001 config bw 20Kbyte/s
ipfw add 10000 pipe 10000 all from any to table\(32\) in via ng0
ipfw add 10001 pipe 10001 all from table\(32\) to any out via ng0
ipfw add 10002 allow all from any to any via ng0
</pre>
When the link goes down, all created rules will be removed.</p>
<p>Note: As soon as mpd executes ipfw commands using shell, shell's
special characters like "(" and ")" must be slashed.</p>
<p>You can specify <em>mpd-table += "1=peer_addr"</em> to use mpd-table
with the peer negotiated IP address.</p>
<dt><b>internal (ng_bpf/ng_car)</b><dd>
<p>Mpd can create complex per-interface traffic filtering/limiting engines inside
netgraph when it is requested by mpd-filter and mpd-limit RADIUS attributes.</p>
<p>mpd-filter attribute is a packet filter declaration for using in mpd-limit.
mpd-filter consists of two main parts: match/nomatch verdict and the condition.
tcpdump (libpcap) expression syntax used for conditions.</p>
<p>mpd-filter: <em>match</em>|<em>nomatch</em> <em>{condition}</em></p>
<p>mpd-limit attribute is an action which should be done for packet. It consists
of two main parts: filter and action. </p>
<p>mpd-limit: <em>{filter}</em> <em>{action}</em></p>
<p>Filter can be or "all" (any packet) or "fltX"
(packets matching to specified mpd-filter).</p>
<p>filter: <em>any</em>|<em>fltX</em></p>
<p>Action can be: "" (do nothing, just account),
"pass" (stop processing and pass packet),
"deny" (stop processing and drop packet),
"rate-limit" (do Cisco-like rate-limit),
"shape" (do simple RED aware traffic shaping). </p>
<p>Actions "rate-limit" and "shape" can have optional "pass" suffix
to stop processing after doing this action.</p>
<p>action: <em></em> | <em>pass</em> | <em>deny</em> |
<em>rate-limit</em> <em>{rate(bits/s)}</em> [<em>{normal burst(bytes)}</em> [<em>{extended burst(bytes)}</em>]] [<em>pass</em>] |
<em>shape</em> <em>{rate(bits/s)}</em> [<em>{burst(bytes)}</em>] [<em>pass</em>]</p>
<p>As example you can write in your RADIUS configuration something like:
<pre>
mpd-filter += "1#1=nomatch dst net 10.0.0.0/24",
mpd-filter += "1#2=match dst net 10.0.0.0/8",
mpd-filter += "2#1=nomatch src net 10.0.0.0/24",
mpd-filter += "2#2=match src net 11.0.0.0/8",
mpd-limit += "in#1=flt1 pass",
mpd-limit += "in#2#Biz=all shape 64000 4000",
mpd-limit += "out#1=flt2 pass",
mpd-limit += "out#2#Biz=all rate-limit 1024000 150000 300000",
</pre>
</p>
<p>As result, one ng_bpf node will be created to implement traffic filters
and several (two for this example) ng_car nodes for traffic shaping
and rate-limiting. Incoming traffic to 10.0.0.0/8 except 10.0.0.0/24
will be passed, other traffic will be shaped to 64Kbits/s. Outgoing
traffic from 10.0.0.0/8 except 10.0.0.0/24 will be passed, all other
will be limited to 1024Kbit/s. Also traffic that passed mpd-limit rules
marked "Biz" will be accordingly accounted and present with that name
in AAA accounting requests.</p>
</dl>
</p>
<HR NOSHADE>
<A HREF="mpd.html"><EM>Mpd 5.9 User Manual</EM></A>
<b>:</b> <A HREF="mpd17.html"><EM>Configuring Mpd</EM></A>
<b>:</b> <A HREF="mpd29.html"><EM>Authentication, Authorization and Accounting (AAA)</EM></A>
<b>:</b> <EM>RADIUS</EM><BR>
<b>Previous:</b> <A HREF="mpd29.html"><EM>Authentication, Authorization and Accounting (AAA)</EM></A><BR>
<b>Next:</b> <A HREF="mpd31.html"><EM>External authentication</EM></A>
</BODY>
</HTML>
FreeBSD-CVSweb <freebsd-cvsweb@FreeBSD.org>