<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
<HTML>
<HEAD>
<META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=iso-8859-1">
<TITLE>Dynamic Authorization</TITLE>
</HEAD>
<BODY text="#000000" bgcolor="#ffffff">

<A HREF="mpd.html"><EM>Mpd 5.9 User Manual</EM></A>
<b>:</b> <A HREF="mpd17.html"><EM>Configuring Mpd</EM></A>
<b>:</b> <EM>Dynamic Authorization</EM><BR>
<b>Previous:</b> <A HREF="mpd31.html"><EM>External authentication</EM></A><BR>
<b>Next:</b> <A HREF="mpd33.html"><EM>Traffic accounting</EM></A>


<HR NOSHADE>
<H2><A NAME="32"></A>4.11. Dynamic Authorization<A NAME="dynauth"></A></H2>

<p>After a session has first been authorized by the AAA subsystem,
mpd provides several ways to affect its further operation.
The process of affecting an established session is called dynamic authorization.</p>
<p>There are two types of dynamic authorization activity:
Disconnect (terminating the session, causing its graceful shutdown)
and Change of Authorization, CoA (changing session operation
parameters, such as speed, ACLs and so on, on the fly).</p>
<p>Mpd provides several different control interfaces that can be used
to implement dynamic authorization.</p>
<p>
<dl>

<dt><b>Control consoles</b><dd><p>The basic method of controlling mpd is its STDIN and TCP
<b>
<A HREF="mpd40.html#console">consoles</A></b>.</p>
<p>You can disconnect any session by connecting to a console, selecting
the required session with any command that changes the current context, such
as <em>link</em>, <em>bundle</em>, <em>session</em>, <em>msession</em>
and so on, and then issuing the <em>close</em> command.</p>

<dt><b>Web server</b><dd><p>Mpd provides two <b>
<A HREF="mpd41.html#web">Web</A></b> interfaces:
human (text/html) and binary (text/plain).</p>
<p>The human web interface allows you to disconnect a specified session just by
clicking the respective <em>[Close]</em> link on the
"Current status summary" page of mpd's built-in web server.</p>
<p>The binary web interface provides an API for executing any control console
command via an HTTP request. For example, to disconnect the session on the
link named L125 you may use this HTTP request:
<em>/bincmd?link%20L125&close</em></p>

<dt><b>RADIUS accounting</b><dd><p>Mpd provides a simple but non-standard method of disconnecting a session
using the <b>
<A HREF="mpd30.html#radius">RADIUS</A></b> accounting reply.
To disconnect an arbitrary session, include the <em>mpd-drop-user</em>
attribute with a nonzero value in any accounting reply packet.</p>
<p>This method is not considered completely reliable, as the AAA server receives
no acknowledgement that the accounting reply packet was received by mpd. The
only thing guaranteed is that on packet loss mpd will retry sending the accounting
request the specified number of times before giving up.</p>

<dt><b>Built-in RADIUS server</b><dd><p>RFC 3576, "Dynamic Authorization Extensions to RADIUS", defines a standard
way to implement dynamic authorization. It defines two additional RADIUS
request types, Disconnect-Request and CoA-Request, to be sent from the AAA
server to a dedicated UDP port on the NAS using the regular RADIUS protocol.</p>
<p>For this function to work, mpd must be built with a <em>libradius</em>
library that has RADIUS server functionality (FreeBSD 7/8-STABLE after
2009-10-30).</p>
<p>This chapter describes the commands that configure mpd's built-in RADIUS
server. All of these commands are executed in the global context.</p>
<p>
<dl>

<dt><b><code>set radsrv open</code></b><dd><p>Opens the RADIUS server, i.e., creates the listening UDP socket.</p>

<dt><b><code>set radsrv close</code></b><dd><p>Closes the RADIUS server, i.e., closes the listening UDP socket.</p>

<dt><b><code>set radsrv self <em>ip</em> [ <em>port</em> ]</code></b><dd><p>Sets the local IP address and UDP port the RADIUS listener binds to. After changing one of these
options, the RADIUS server must be closed and re-opened for the changes to
take effect.</p>
<p>The default is '0.0.0.0 3799'.</p>

<dt><b><code>set radsrv peer <em>ip</em> <em>secret</em></code></b><dd><p>Defines an additional AAA server that is allowed to contact this NAS, together with
the shared secret used to authenticate its requests. After changing
one of these options, the RADIUS server must be closed and re-opened for
the changes to take effect.</p>

<dt><b><code>set radsrv enable <em>option ...</em><br>
set radsrv disable <em>option ...</em></code></b><dd><p>These commands configure various RADIUS server options.</p>

<p>The <code><b>enable</b></code> and <code><b>disable</b></code> commands determine
whether the corresponding option is wanted.</p>
<p>The options available for the RADIUS server are:</p>

<dt><b><code>coa</code></b><dd><p>This option enables CoA-Request support on the RADIUS server.</p>
<p>The default is enable.</p>

<dt><b><code>disconnect</code></b><dd><p>This option enables Disconnect-Request support on the RADIUS server.</p>
<p>The default is enable.</p>

</dl>
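<p>As an added example that is not part of the manual, the following <code>startup:</code>
section of <code>mpd.conf</code> puts these commands together: it binds the listener to the
default address and port, allows one AAA server to send requests, enables both request types
and opens the socket. The AAA server address 192.0.2.10 and the shared secret are placeholders.</p>

```conf
startup:
	# Local address and UDP port of the dynamic authorization listener (the defaults).
	set radsrv self 0.0.0.0 3799
	# AAA server allowed to send Disconnect-Request / CoA-Request packets to this NAS;
	# 192.0.2.10 and the shared secret are placeholders, replace them with your own.
	set radsrv peer 192.0.2.10 CHANGE_ME_SHARED_SECRET
	# Both request types are enabled by default; stated explicitly here.
	set radsrv enable coa disconnect
	# Create the listening socket; after changing self or peer, close and re-open it.
	set radsrv open
```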
The dynamic authorization RADIUS server receives three groups of attributes:
NAS identification (to be sure that the request reached the right server),
session identification (to identify the session that should be affected)
and session parameters (to describe the new session state to set).
NAS and session identification attributes are a native part of any
Disconnect or CoA request, while session parameters can be used only
with CoA. At least one session identification attribute must be present
in the request. If several identification attributes are present, a
session must match all of them to be affected.</p>
<p>NAS identification attributes supported by mpd:
<pre>
N    Name
4    NAS-IP-Address
</pre>
</p>
<p>Session identification attributes supported by mpd:
<pre>
N    Name
1    User-Name
5    NAS-Port
8    Framed-IP-Address
30   Called-Station-Id
31   Calling-Station-Id
44   Acct-Session-Id
50   Acct-Multi-Session-Id

mpd VSA (12341)
12   mpd-link
13   mpd-bundle
14   mpd-iface
15   mpd-iface-index
</pre>
</p>
<p>Session parameter attributes supported by mpd:
<pre>
N    Name
24   State
25   Class
27   Session-Timeout
28   Idle-Timeout
85   Acct-Interim-Interval

mpd VSA (12341)
1    mpd-rule
2    mpd-pipe
3    mpd-queue
4    mpd-table
5    mpd-table-static
7    mpd-filter
8    mpd-limit
16   mpd-input-acct
17   mpd-output-acct
</pre>
</p>
<p>Session parameters received in a CoA request replace the existing ones. If a parameter
is not received, a standard attribute keeps its previous value,
while an mpd VSA is cleared.</p>
<p>Note that a CoA request always restarts the Session and Idle timers for matching
interfaces, and restarts the Accounting Update timer for matching links if a new
value is received.</p>

</dl>
</p>
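<p>The selection and merge rules above, worked through as an added example that is not
mpd's own code (Python; the attribute numbers and the vendor id 12341 are the manual's, while
the session records, the NAS address 192.0.2.1 and the request bytes are constructed, and a
session here is a plain record rather than an mpd link or bundle):</p>

```python
"""Model of how mpd's built-in RADIUS server selects the sessions a
Disconnect-Request or CoA-Request applies to, and how CoA parameters are
merged.  Added example, not mpd's code: attribute numbers and vendor id
come from the manual; sessions, NAS address and request bytes are constructed.
Only the attribute section of a request is modelled, not the RADIUS header."""
import struct
from dataclasses import dataclass, field

MPD_VENDOR_ID = 12341
VENDOR_SPECIFIC = 26              # RFC 2865 Vendor-Specific attribute
NAS_IP_ADDRESS = 4
ACCT_INTERIM_INTERVAL = 85
# Attribute groups from the manual; mpd VSAs are keyed as ("vsa", number).
SESSION_ID_ATTRS = {1, 5, 8, 30, 31, 44, 50}
SESSION_ID_VSAS = {12, 13, 14, 15}
STD_PARAM_ATTRS = {24, 25, 27, 28, 85}
MPD_PARAM_VSAS = {1, 2, 3, 4, 5, 7, 8, 16, 17}

def attr(atype, value):
    """Encode one RADIUS attribute as type, length, value."""
    return bytes([atype, len(value) + 2]) + value

def mpd_vsa(subtype, value):
    """Encode an mpd vendor-specific sub-attribute inside attribute 26."""
    return attr(VENDOR_SPECIFIC, struct.pack("!I", MPD_VENDOR_ID) + attr(subtype, value))

def _tlvs(data):
    """Yield (type, value) for each TLV in data; bad lengths raise ValueError."""
    pos = 0
    while pos < len(data):
        if pos + 2 > len(data) or data[pos + 1] < 2 or pos + data[pos + 1] > len(data):
            raise ValueError("malformed attribute at offset %d" % pos)
        yield data[pos], data[pos + 2:pos + data[pos + 1]]
        pos += data[pos + 1]

def parse_attributes(data):
    """Parse an attribute section into {key: [values]}; other vendors' VSAs are ignored."""
    attrs = {}
    for atype, value in _tlvs(data):
        if atype != VENDOR_SPECIFIC:
            attrs.setdefault(atype, []).append(value)
        elif len(value) >= 6 and struct.unpack("!I", value[:4])[0] == MPD_VENDOR_ID:
            for subtype, subvalue in _tlvs(value[4:]):
                attrs.setdefault(("vsa", subtype), []).append(subvalue)
    return attrs

@dataclass
class Session:
    ident: dict                      # identification attribute -> value mpd holds for it
    std_params: dict = field(default_factory=dict)
    mpd_params: dict = field(default_factory=dict)
    closed: bool = False
    timers_restarted: bool = False   # Session and Idle timers of the interface
    acct_timer_restarted: bool = False

def is_session_id(key):
    return key in SESSION_ID_ATTRS or (isinstance(key, tuple) and key[1] in SESSION_ID_VSAS)

def select_sessions(sessions, attrs, nas_ip):
    """Manual's rules: NAS-IP-Address, if present, must be this NAS; at least one
    session identification attribute is required; a session must match all of them."""
    if any(v != nas_ip for v in attrs.get(NAS_IP_ADDRESS, [])):
        raise ValueError("request addressed to another NAS")
    id_keys = [k for k in attrs if is_session_id(k)]
    if not id_keys:
        raise ValueError("no session identification attribute in request")
    return [s for s in sessions if all(s.ident.get(k) in attrs[k] for k in id_keys)]

def apply_coa(session, attrs):
    """Received parameters replace existing ones: absent standard attributes keep
    their value, absent mpd VSAs are cleared, and the timers are restarted."""
    for k in STD_PARAM_ATTRS:
        if k in attrs:
            session.std_params[k] = attrs[k][-1]
    session.mpd_params = {k[1]: attrs[k] for k in attrs
                          if isinstance(k, tuple) and k[1] in MPD_PARAM_VSAS}
    session.timers_restarted = True
    session.acct_timer_restarted = ACCT_INTERIM_INTERVAL in attrs

def make_sessions():
    """Constructed sessions: two for user alice on links L125/L126, one for bob."""
    return [
        Session({1: b"alice", 44: b"00000001", ("vsa", 12): b"L125"},
                std_params={27: struct.pack("!I", 3600), 28: struct.pack("!I", 600)},
                mpd_params={8: [b"constructed-old-limit"]}),
        Session({1: b"alice", 44: b"00000002", ("vsa", 12): b"L126"}),
        Session({1: b"bob", 44: b"00000003", ("vsa", 12): b"L127"}),
    ]

def demo():
    nas_ip = bytes([192, 0, 2, 1])
    sessions = make_sessions()
    # Disconnect-Request naming user alice AND link L125: both must match,
    # so only the first session is closed although alice has two.
    disc = parse_attributes(attr(NAS_IP_ADDRESS, nas_ip) + attr(1, b"alice") + mpd_vsa(12, b"L125"))
    for s in select_sessions(sessions, disc, nas_ip):
        s.closed = True
    # CoA-Request for the first session carrying only a new Session-Timeout (900 s):
    # Idle-Timeout is kept, the mpd-limit VSA is cleared, timers are restarted.
    coa = parse_attributes(attr(44, b"00000001") + attr(27, struct.pack("!I", 900)))
    for s in select_sessions(sessions, coa, nas_ip):
        apply_coa(s, coa)
    return sessions
```

<p>Calling <code>demo()</code> returns the three sessions after a Disconnect-Request for
alice on L125 and a CoA for the first session. The same <code>select_sessions</code> raises on
a request that carries no session identification attribute or names a different NAS, which is
the point at which a real listener would answer with a NAK instead of touching any session.</p>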
<HR NOSHADE>



</BODY>
</HTML>