4.12. Auth commands

This chapter describes commands that configure the Authentication subsystem of LCP layer. All of these commands apply to the currently active link. Mpd currently supports authentication against (tried in this order) RADIUS, systems password database (master.passwd), OPIE and its integrated mpd.secrets file.

set auth authname login

This command sets the authentication login name associated with the link (in multi-link PPP, though each link is authenticated individually, they all must use the same login name). The login must have a corresponding entry in mpd.secrets. The login and password are used when the peer requires us to authenticate ourselves.

set auth password password

This command is normally not necessary. It causes mpd to not lookup the password corresponding to login in mpd.secrets, but rather to use password instead. If you're too lazy to set up mpd.secrets and are only dialing out, you can use this command instead.

max-logins num

Limit the max. amount of concurrent logins with the same username. If set to zero, then this feature is disabled.

acct-update seconds

Enables periodic accounting updates, if set to a value greater then zero.

timeout seconds

Sets the timeout for the whole authentication process. It defaults to 40 seconds. Under some circumstances the value should be changed; it usually depends on the authentication backend and protocol. E.g. when using EAP with a slow RADIUS server this value should be increased.


set auth enable option ...
set auth disable option ...

The options available are:

internal

Enables authentication against the mpd.secrets file.

Default enable.

radius-auth

Enable authentication via RADIUS.

Default disable.

radius-acct

Enable per link accounting via RADIUS.

Default disable.

system

Enables authentication against the systems password database. This options can only be used with PAP and MS-CHAP, but not with CHAP-MD5. If you intend to use this with MS-CHAP, then the passwords in the master.passwd must be NT-Hashes. You can enable this by putting :passwd_format=nth: into your /etc/login.conf, but you need at least FreeBSD 5.2.

Default disable.

opie

Enables authentication using OPIE. When using PAP there is nothing more todo. For all other authentication protocols you have to put the username into the mpd.secrets file, but the specified password is then interpreted as secret pass phrase. This is needed, because Mpd must be aware of the plaintext password when using CHAP. The (windows) endusers could generate their actual responses themselfs using Winkey.
IMPORTANT: Disable the internal authentication when using OPIE and CHAP, because otherwise users are also able to authenticate with their secret pass phrase.

Default disable.

utmp-wtmp

Enable accounting via utmp/wtmp.

Default disable.