Annotation of embedaddon/mpd/doc/mpd32.html, revision 1.1.1.4

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
<HTML>
<HEAD>
<META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=iso-8859-1">
<TITLE>Dynamic Authorization</TITLE>
</HEAD>
<BODY text="#000000" bgcolor="#ffffff">

<A HREF="mpd.html"><EM>Mpd 5.9 User Manual</EM></A>
 <b>:</b> <A HREF="mpd17.html"><EM>Configuring Mpd</EM></A>
 <b>:</b> <EM>Dynamic Authorization</EM><BR>
<b>Previous:</b> <A HREF="mpd31.html"><EM>External authentication</EM></A><BR>
<b>Next:</b> <A HREF="mpd33.html"><EM>Traffic accounting</EM></A>


<HR NOSHADE>
  <H2><A NAME="32"></A>4.11. Dynamic Authorization<A NAME="dynauth"></A></H2>
                     18: 
<p>After a session has first been authorized by the AAA subsystem,
Mpd provides several ways to affect its further operation.
The process of affecting an established session is called dynamic authorization.</p>
<p>There are two types of dynamic authorization activity:
Disconnect (terminating the session, causing its graceful shutdown)
and Change of Authorization, CoA (changing the session's operating
parameters, such as speed, ACLs and so on, on the fly).</p>
<p>
<dl>
<p>Mpd provides several different control interfaces that can be used
to implement dynamic authorization.</p>
                     30: 
<dt><b>Control consoles</b><dd><p>The basic method of controlling mpd is its STDIN and TCP
<b>
<A HREF="mpd40.html#console">consoles</A></b>.</p>
<p>You can disconnect any session by connecting to a console, selecting
the required session with any command that changes the current context, such
as <em>link</em>, <em>bundle</em>, <em>session</em>, <em>msession</em>
and so on, and then issuing the <em>close</em> command.</p>
                     38: 
<dt><b>Web server</b><dd><p>Mpd provides two <b>
<A HREF="mpd41.html#web">Web</A></b> interfaces:
human (text/html) and binary (text/plain).</p>
<p>The human web interface lets you disconnect a specified session just by
clicking the respective <em>[Close]</em> link on the
"Current status summary" page of mpd's built-in web server.</p>
<p>The binary web interface provides an API for executing any control console
command via an HTTP request. For example, to disconnect the session on the
link named L125 you may use this HTTP request:
<em>/bincmd?link%20L125&amp;close</em></p>
                     49: 
<dt><b>RADIUS accounting</b><dd><p>Mpd provides a simple but non-standard method of disconnecting a session
using the <b>
<A HREF="mpd30.html#radius">RADIUS</A></b> accounting reply.
To disconnect an arbitrary session you may simply include the <em>mpd-drop-user</em>
attribute with a nonzero value in any accounting reply packet.</p>
<p>This method is not considered completely reliable, because the AAA server receives
no acknowledgement that the accounting reply packet was received by mpd. The
only guarantee is that on packet loss mpd will retry sending the accounting
request the configured number of times before giving up.</p>
                     59: 
<dt><b>Built-in RADIUS server</b><dd><p>RFC 3576, "Dynamic Authorization Extensions to RADIUS", defines a standard
way to implement dynamic authorization. It defines two additional RADIUS
request types, Disconnect-Request and CoA-Request, to be sent from the AAA
server to a dedicated UDP port on the NAS using the regular RADIUS protocol.</p>
<p>For this function to work, mpd must be built with a <em>libradius</em>
library that has RADIUS server functionality (FreeBSD 7/8-STABLE after
2009-10-30).</p>
<p>This chapter describes the commands that configure mpd's built-in RADIUS
server. All of these commands are executed in the global context.</p>
<p>
<dl>

<dt><b><code>set radsrv open</code></b><dd><p>Opens the RADIUS server, i.e., creates the listening UDP socket.</p>

<dt><b><code>set radsrv close</code></b><dd><p>Closes the RADIUS server, i.e., closes the listening UDP socket.</p>

<dt><b><code>set radsrv self <em>ip</em> [ <em>port</em> ]</code></b><dd><p>Sets the local address and port on which the RADIUS listener binds. After changing one of these
options, the RADIUS server must be closed and re-opened for the changes to
take effect.</p>
<p>The default is '0.0.0.0 3799'.</p>

<dt><b><code>set radsrv peer <em>ip</em> <em>secret</em></code></b><dd><p>Defines an additional AAA server that is allowed to contact this NAS, together with the
shared secret used for its requests. After changing
one of these options, the RADIUS server must be closed and re-opened for
the changes to take effect.</p>

<dt><b><code>set radsrv enable <em>option ...</em><br>
set radsrv disable <em>option ...</em></code></b><dd><p>These commands configure various RADIUS server options.</p>

<p>The <code><b>enable</b></code> and <code><b>disable</b></code> commands determine
whether the corresponding option is wanted.</p>
<p>The options available for the RADIUS server are:</p>

<dt><b><code>coa</code></b><dd><p>This option enables CoA-Request support on the RADIUS server.</p>
<p>The default is enable.</p>

<dt><b><code>disconnect</code></b><dd><p>This option enables Disconnect-Request support on the RADIUS server.</p>
<p>The default is enable.</p>

</dl>
                     99: 
The dynamic authorization RADIUS server receives three groups of attributes:
NAS identification (to make sure the request reached the right server),
session identification (to identify the session that should be affected)
and session parameters (to describe the new session state to set).
NAS and session identification attributes are a native part of any
Disconnect or CoA request, while session parameters can only be used
with CoA. At least one session identification attribute must be present
in a request. If several identification attributes are present, a
session must match all of them to be affected.</p>
<p>NAS identification attributes supported by mpd:
<pre>
N   Name
4   NAS-IP-Address
</pre>
</p>
<p>Session identification attributes supported by mpd:
<pre>
N   Name
1   User-Name
5   NAS-Port
8   Framed-IP-Address
30  Called-Station-Id
31  Calling-Station-Id
44  Acct-Session-Id
50  Acct-Multi-Session-Id

    mpd VSA (12341)
12  mpd-link
13  mpd-bundle
14  mpd-iface
15  mpd-iface-index
</pre>
</p>
<p>Session parameter attributes supported by mpd:
<pre>
N   Name
24  State
25  Class
27  Session-Timeout
28  Idle-Timeout
85  Acct-Interim-Interval

    mpd VSA (12341)
1   mpd-rule
2   mpd-pipe
3   mpd-queue
4   mpd-table
5   mpd-table-static
7   mpd-filter
8   mpd-limit
16  mpd-input-acct
17  mpd-output-acct
</pre>
</p>
<p>Session parameters received in a CoA request replace the existing ones. If a parameter
is not received, it keeps its previous value in the case of standard attributes,
but is cleared in the case of mpd's VSAs.</p>
<p>Note that a CoA request always restarts the Session and Idle timers of matching
interfaces, and restarts the Accounting Update timer of matching links if a new
value is received.</p>
                    160: 
</dl>
</p>
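<p>As an added illustration (not mpd's own code and not part of the original manual), the following Python model walks through the RFC 3576 Disconnect exchange described above with mpd's matching rule: the AAA side builds a Disconnect-Request, and the NAS side verifies the Request Authenticator with the peer's shared secret, requires at least one session identification attribute, and affects the session only if every identification attribute present matches it. The Error-Cause values, the silent discard of a request with a bad authenticator, and the session record are assumptions taken from RFC 3576 and constructed for the example; they are not stated on this page.</p>

```python
import hashlib
import hmac
import struct
# RFC 3576 packet codes and Error-Cause attribute (values taken from RFC 3576, not from this page).
DISCONNECT_REQUEST, DISCONNECT_ACK, DISCONNECT_NAK = 40, 41, 42
ERROR_CAUSE, MISSING_ATTRIBUTE, SESSION_CONTEXT_NOT_FOUND = 101, 402, 503
# Standard session identification attributes from the table above (mpd VSAs left out for brevity).
SESSION_ID_ATTRS = {1: "User-Name", 5: "NAS-Port", 8: "Framed-IP-Address", 44: "Acct-Session-Id"}
def pack_attrs(attrs):  # encode (type, value-bytes) pairs as RADIUS TLVs
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
def parse_attrs(data):  # decode TLVs, rejecting truncated or overlong attributes
    out = []
    while data:
        if len(data) < 2 or not 2 <= data[1] <= len(data):
            raise ValueError("malformed attribute")
        out.append((data[0], data[2:data[1]]))
        data = data[data[1]:]
    return out
def build_request(code, ident, attrs, secret):
    """AAA side. Request Authenticator = MD5(header + 16 zero octets + attributes + secret)."""
    body = pack_attrs(attrs)
    hdr = struct.pack("!BBH", code, ident, 20 + len(body))
    return hdr + hashlib.md5(hdr + bytes(16) + body + secret).digest() + body

def nas_handle(pkt, secret, session):
    """NAS side: authenticate, then apply mpd's rule (one or more identification attributes, all must match)."""
    if len(pkt) < 20 or struct.unpack("!H", pkt[2:4])[0] != len(pkt) or pkt[0] != DISCONNECT_REQUEST:
        raise ValueError("bad header")
    hdr, auth, body = pkt[:4], pkt[4:20], pkt[20:]
    if not hmac.compare_digest(auth, hashlib.md5(hdr + bytes(16) + body + secret).digest()):
        return None, None  # wrong secret (unknown peer): discard silently, answer nothing
    ids = [(t, v) for t, v in parse_attrs(body) if t in SESSION_ID_ATTRS]
    if not ids:
        return DISCONNECT_NAK, MISSING_ATTRIBUTE
    matched = all(session.get(SESSION_ID_ATTRS[t]) == v for t, v in ids)
    return (DISCONNECT_ACK, None) if matched else (DISCONNECT_NAK, SESSION_CONTEXT_NOT_FOUND)
def build_response(req, code, secret, error_cause=None):
    """Response Authenticator = MD5(header + *request* authenticator + attributes + secret)."""
    body = pack_attrs([(ERROR_CAUSE, struct.pack("!I", error_cause))] if error_cause else [])
    hdr = struct.pack("!BBH", code, req[1], 20 + len(body))
    return hdr + hashlib.md5(hdr + req[4:20] + body + secret).digest() + body
def verify_response(req, resp, secret):  # AAA side: an ACK/NAK must chain to our own request
    expected = hashlib.md5(resp[:4] + req[4:20] + resp[20:] + secret).digest()
    return resp[1] == req[1] and hmac.compare_digest(resp[4:20], expected)

# Constructed sample: the NAS's record of one active session (all values made up).
SESSION = {"User-Name": b"alice", "Acct-Session-Id": b"3B2A9F10",
           "NAS-Port": struct.pack("!I", 125), "Framed-IP-Address": bytes([10, 0, 0, 7])}
SECRET = b"constructed-shared-secret"
```

<p>A request carrying a wrong shared secret produces no reply at all, which is why an unconfigured peer cannot even learn whether a session exists; an ACK or NAK is only trusted by the AAA side when its authenticator chains to the request it sent.</p>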
                    163: 
</BODY>
</HTML>
