Annotation of embedaddon/mpd/doc/mpd32.html, revision 1.1
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
<HTML>
<HEAD>
<META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=iso-8859-1">
<TITLE>Dynamic Authorization</TITLE>
</HEAD>
<BODY text="#000000" bgcolor="#ffffff">

<A HREF="mpd.html"><EM>Mpd 5.6 User Manual</EM></A>
<b>:</b> <A HREF="mpd17.html"><EM>Configuring Mpd</EM></A>
<b>:</b> <EM>Dynamic Authorization</EM><BR>
<b>Previous:</b> <A HREF="mpd31.html"><EM>External authentication</EM></A><BR>
<b>Next:</b> <A HREF="mpd33.html"><EM>Traffic accounting</EM></A>


<HR NOSHADE>
<H2><A NAME="32"></A>4.11. Dynamic Authorization<A NAME="dynauth"></A></H2>

<p>After a session has first been authorized by the AAA subsystem,
Mpd provides several ways to affect its further operation.
The process of affecting an established session is called dynamic authorization.</p>
<p>There are two types of dynamic authorization activities:
Disconnect (terminating the session, causing its graceful shutdown)
and Change of Authorization, CoA (changing session operation
parameters, such as speed, ACLs and so on, on the fly).</p>
<p>
<dl>
<p>Mpd provides several different control interfaces that can be used
to implement dynamic authorization.</p>

<dt><b>Control consoles</b><dd><p>The basic method of controlling mpd is its STDIN and TCP
<b>
<A HREF="mpd40.html#console">console</A></b>.</p>
<p>You can disconnect any session by connecting to the console, selecting
the required session with any command that changes the current context, such
as <em>link</em>, <em>bundle</em>, <em>session</em>, <em>msession</em>
and so on, and then using the <em>close</em> command.</p>
! 38:
<dt><b>Web server</b><dd><p>Mpd provides two <b>
<A HREF="mpd41.html#web">web</A></b> interfaces:
human (text/html) and binary (text/plain).</p>
<p>The human web interface allows you to disconnect a specified session just by
clicking the respective <em>[Close]</em> link on the
"Current status summary" page of mpd's built-in web server.</p>
<p>The binary web interface provides an API for executing any of the control console
commands via an HTTP request. For example, to disconnect the session on the
link named L125 you may use the HTTP request
<em>/bincmd?link%20L125&close</em>.</p>

<dt><b>RADIUS accounting</b><dd><p>Mpd provides a simple, but non-standard, method of disconnecting a session
using the <b>
<A HREF="mpd30.html#radius">radius</A></b> accounting reply.
To disconnect an arbitrary session you may just include the <em>mpd-drop-user</em>
attribute with a nonzero value in any accounting reply packet.</p>
<p>This method is not considered completely reliable, as the AAA server receives
no acknowledgement that the accounting reply packet was received by mpd. The
only thing guaranteed is that on packet loss mpd will retry sending the accounting
request the specified number of times before giving up.</p>

<dt><b>Built-in RADIUS server</b><dd><p>RFC 3576, "Dynamic Authorization Extensions to RADIUS", defines a standard
way to implement dynamic authorization. It defines two additional RADIUS
request types, Disconnect-Request and CoA-Request, to be sent from the AAA
server to a dedicated UDP port on the NAS using the regular RADIUS protocol.</p>
<p>For this function to work, mpd must be built with a <em>libradius</em>
library that has RADIUS server functionality (FreeBSD 7/8-STABLE after
2009-10-30).</p>
<p>This chapter describes the commands that configure mpd's built-in RADIUS
server. All of these commands are executed in global context.</p>
<p>
<dl>

<dt><b><code>set radsrv open</code></b><dd><p>Opens the RADIUS server, i.e., creates the listening UDP socket.</p>

<dt><b><code>set radsrv close</code></b><dd><p>Closes the RADIUS server, i.e., closes the listening UDP socket.</p>

<dt><b><code>set radsrv self <em>ip</em> [ <em>port</em> ]</code></b><dd><p>Sets the address and port the RADIUS listener binds to. After changing one of these
options, the RADIUS server must be closed and re-opened for the changes to
take effect.</p>
<p>The default is '0.0.0.0 3799'.</p>

<dt><b><code>set radsrv peer <em>ip</em> <em>secret</em></code></b><dd><p>Defines an additional AAA server that is allowed to contact this NAS, together with
its shared secret. After changing one of these options, the RADIUS server must be
closed and re-opened for the changes to take effect.</p>

<dt><b><code>set radsrv enable <em>option ...</em><br>
set radsrv disable <em>option ...</em></code></b><dd><p>These commands configure various RADIUS server options.</p>

<p>The <code><b>enable</b></code> and <code><b>disable</b></code> commands determine
whether we want the corresponding option.</p>
<p>The options available for the RADIUS server are:</p>

<dt><b><code>coa</code></b><dd><p>This option enables CoA-Request support on the RADIUS server.</p>
<p>The default is enable.</p>

<dt><b><code>disconnect</code></b><dd><p>This option enables Disconnect-Request support on the RADIUS server.</p>
<p>The default is enable.</p>

</dl>

<p>The dynamic authorization RADIUS server receives three groups of attributes:
NAS identification (to make sure the request reached the right server),
session identification (to identify the session that should be affected)
and session parameters (to describe the new session state to set).
NAS and session identification attributes are a native part of any
Disconnect or CoA request, while session parameters can be used only
with CoA. At least one session identification attribute must be present
in a request. If several identification attributes are present, a
session must match all of them to be affected.</p>
<p>NAS identification attributes supported by mpd:
<pre>
N Name
4 NAS-IP-Address
</pre>
</p>
<p>Session identification attributes supported by mpd:
<pre>
N Name
1 User-Name
5 NAS-Port
8 Framed-IP-Address
30 Called-Station-Id
31 Calling-Station-Id
44 Acct-Session-Id
50 Acct-Multi-Session-Id

mpd VSA (12341)
12 mpd-link
13 mpd-bundle
14 mpd-iface
15 mpd-iface-index
</pre>
</p>
<p>Session parameter attributes supported by mpd:
<pre>
N Name
27 Session-Timeout
28 Idle-Timeout
85 Acct-Interim-Interval

mpd VSA (12341)
1 mpd-rule
2 mpd-pipe
3 mpd-queue
4 mpd-table
5 mpd-table-static
7 mpd-filter
8 mpd-limit
16 mpd-input-acct
17 mpd-output-acct
</pre>
</p>
<p>Session parameters received in a CoA request replace the existing ones. If some parameter
is not received, it keeps its previous value in the case of standard attributes,
and is cleared in the case of mpd's VSAs.</p>
<p>Note that a CoA request always restarts the Session and Idle timers for matching
interfaces, and restarts the Accounting Update timer for matching links if a new
value is received.</p>
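<p>The following is an added Python example and is not mpd's own code: it builds an RFC 3576 Disconnect-Request or CoA-Request carrying the attributes listed above, and shows the checks a NAS such as mpd's built-in server has to pass before acting on one (the sender is a configured <code>set radsrv peer</code>, the Request Authenticator verifies under that peer's shared secret, and at least one session identification attribute is present). The peer address, shared secret and session values are constructed for the example.</p>

```python
import hashlib
import struct
# RFC 3576 packet codes and the attribute groups from the tables above.
DISCONNECT_REQUEST, COA_REQUEST = 40, 43
MPD_VENDOR_ID = 12341                        # Vendor-Id of mpd's VSAs
NAS_ID_ATTRS = {4}                           # NAS-IP-Address
SESSION_ID_ATTRS = {1, 5, 8, 30, 31, 44, 50}  # User-Name ... Acct-Multi-Session-Id
SESSION_ID_VSAS = {12, 13, 14, 15}           # mpd-link, mpd-bundle, mpd-iface, mpd-iface-index

def attr(atype, value):
    """Encode one standard attribute as Type, Length, Value."""
    return struct.pack("!BB", atype, 2 + len(value)) + value

def mpd_vsa(vtype, value):
    """Encode an mpd vendor-specific attribute (type 26, Vendor-Id 12341, one sub-attribute)."""
    return attr(26, struct.pack("!I", MPD_VENDOR_ID) + attr(vtype, value))

def build_request(code, ident, attrs, secret):
    """AAA side: Disconnect-Request or CoA-Request carrying the given attributes."""
    body = b"".join(attrs)
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    # Request Authenticator = MD5(Code + ID + Length + 16 zero octets + Attributes + Secret)
    return header + hashlib.md5(header + bytes(16) + body + secret).digest() + body

def verify_request(pkt, peers, src_ip):
    """NAS side: accept only a configured peer with a valid Request Authenticator,
    then sort attributes into NAS id / session id / parameters; None = silently drop."""
    secret = peers.get(src_ip)                # peers: {ip: secret}, as set by 'set radsrv peer'
    if secret is None or len(pkt) < 20:
        return None
    code, _ident, length = struct.unpack("!BBH", pkt[:4])
    body = pkt[20:]
    if length != len(pkt) or code not in (DISCONNECT_REQUEST, COA_REQUEST):
        return None
    if hashlib.md5(pkt[:4] + bytes(16) + body + secret).digest() != pkt[4:20]:
        return None                           # wrong shared secret or tampered packet
    groups, pos = {"nas": [], "session": [], "params": []}, 0
    while pos + 2 <= len(body):
        atype, alen = body[pos], body[pos + 1]
        if alen < 2 or pos + alen > len(body):
            return None                       # malformed attribute length
        val, pos = body[pos + 2:pos + alen], pos + alen
        if atype == 26 and len(val) >= 6 and struct.unpack("!I", val[:4])[0] == MPD_VENDOR_ID:
            groups["session" if val[4] in SESSION_ID_VSAS else "params"].append(("mpd", val[4], val[6:]))
        else:
            key = "nas" if atype in NAS_ID_ATTRS else "session" if atype in SESSION_ID_ATTRS else "params"
            groups[key].append((atype, val))
    if not groups["session"]:
        return None                           # at least one session identification attribute is required
    return code, groups
```

<p>A real receiver would additionally answer with Disconnect-ACK/NAK or CoA-ACK/NAK; this block stops at the point where the request has been accepted and its attributes sorted into the three groups the text describes.</p>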

</dl>
</p>

<HR NOSHADE>
<A HREF="mpd.html"><EM>Mpd 5.6 User Manual</EM></A>
<b>:</b> <A HREF="mpd17.html"><EM>Configuring Mpd</EM></A>
<b>:</b> <EM>Dynamic Authorization</EM><BR>
<b>Previous:</b> <A HREF="mpd31.html"><EM>External authentication</EM></A><BR>
<b>Next:</b> <A HREF="mpd33.html"><EM>Traffic accounting</EM></A>



</BODY>
</HTML>