Mpd 4.1 User Manual : Configuring Mpd : RADIUS commands
Previous: EAP commands
Next: Device Types

4.14. RADIUS commands

This chapter describes commands that configure the RADIUS authentication backend. All of these commands apply to the currently active bundle.

set radius server name secret [ auth-port [ acct-port ]]

Configure RADIUS server parameters. Multiple RADIUS servers may be configured by repeating this command, and up to 10 servers may be specified.

set radius timeout seconds

Set the timeout for completion of RADIUS requests.

set radius retries #retries

Set the number of retries for RADIUS requests.

set radius me IP|ifname|hostname

Send the given IP address in the RAD_NAS_IP_ADDRESS attribute to the server.

set radius v6me IPv6

Send the given IPv6 address in the RAD_NAS_IPV6_ADDRESS attribute to the server.

set radius enable message-authentic

Adds the Message-Authenticator attribute to the RADIUS request. The Message-Authenticator is an HMAC-MD5 checksum of the entire Access-Request packet using the shared secret as the key. This should protect the RADIUS server against online dictionary attacks. This is mandatory when using the EAP-RADIUS-Proxy and it's implicitly added to the request by Mpd.
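As an added illustration (not code from mpd or the manual), the following Python computes and verifies a Message-Authenticator over a constructed Access-Request the way RFC 2869 specifies it: the attribute's own 16 value bytes are zeroed before the HMAC-MD5 is taken over the whole packet with the shared secret as the key. The attribute type numbers are the standard ones; the secret, Request Authenticator and attribute contents are constructed sample values.

```python
import hashlib
import hmac
import os
import struct

# Packet code and attribute types used below (standard values from RFC 2865 / RFC 2869)
ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_NAS_IP_ADDRESS = 4
ATTR_MESSAGE_AUTHENTICATOR = 80


def attr(attr_type, value):
    """Encode one attribute as Type, Length, Value; Length counts the two header bytes."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_access_request(ident, request_authenticator, attrs):
    """Assemble a packet: Code, Identifier, Length, 16-byte Request Authenticator, attributes."""
    if len(request_authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 bytes")
    body = b"".join(attrs)
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body)) + request_authenticator + body


def iter_attrs(packet):
    """Yield (offset, type, value) for each attribute; reject truncated or overlong ones."""
    pos = 20
    while pos < len(packet):
        if pos + 2 > len(packet):
            raise ValueError("truncated attribute header")
        attr_type, length = packet[pos], packet[pos + 1]
        if length < 2 or pos + length > len(packet):
            raise ValueError("malformed attribute length")
        yield pos, attr_type, packet[pos + 2:pos + length]
        pos += length


def message_authenticator(packet, secret):
    """HMAC-MD5 over the whole packet with the Message-Authenticator value zeroed (RFC 2869, 5.14)."""
    zeroed = bytearray(packet)
    found = False
    for off, attr_type, value in iter_attrs(packet):
        if attr_type == ATTR_MESSAGE_AUTHENTICATOR:
            if len(value) != 16:
                raise ValueError("Message-Authenticator must be 16 bytes")
            zeroed[off + 2:off + 18] = b"\x00" * 16
            found = True
    if not found:
        raise ValueError("packet carries no Message-Authenticator")
    return hmac.new(secret, bytes(zeroed), hashlib.md5).digest()


def sign_access_request(ident, attrs, secret, request_authenticator=None):
    """Client side: append a zeroed Message-Authenticator, then fill in the HMAC."""
    ra = request_authenticator if request_authenticator is not None else os.urandom(16)
    packet = build_access_request(ident, ra, list(attrs) + [attr(ATTR_MESSAGE_AUTHENTICATOR, b"\x00" * 16)])
    # The placeholder is the final attribute, so its value is the last 16 bytes of the packet.
    return packet[:-16] + message_authenticator(packet, secret)


def verify_access_request(packet, secret):
    """Server side: recompute and compare in constant time. A malformed request or one
    without the attribute fails closed, the policy to apply when it is required (EAP)."""
    try:
        expected = message_authenticator(packet, secret)
        for _, attr_type, value in iter_attrs(packet):
            if attr_type == ATTR_MESSAGE_AUTHENTICATOR:
                return hmac.compare_digest(value, expected)
    except ValueError:
        return False
    return False
```

The verifier zeroes the attribute in a copy of the packet rather than trusting the sender's value, compares with `hmac.compare_digest`, and treats any parse error as a failed check; a request whose User-Name is altered by one bit, or one built with a different secret, no longer verifies.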

set radius enable peer-as-calling

Forces mpd to send the remote tunnel address in Calling-Station-Id instead of the address supplied by the remote peer via the tunnel (for PPTP and L2TP). Can be disabled for trusted peers. Default is enabled.

RADIUS internals

All authentication methods are supported (PAP, CHAP, MS-CHAPv1, MS-CHAPv2). Password changing is currently not supported.

There are some minor problems:

Mpd automatically uses attributes like MTU, Idle-Timeout, IP-Address, etc. if they are transmitted by the RADIUS server.

Note: It's possible to use RADIUS-Accounting without RADIUS-Authentication.

The following attributes are set when doing accounting requests:

RAD_FRAMED_IP_ADDRESS
RAD_ACCT_STATUS_TYPE
RAD_ACCT_SESSION_ID
RAD_ACCT_MULTI_SESSION_ID
RAD_USER_NAME
RAD_ACCT_LINK_COUNT
RAD_ACCT_AUTHENTIC
RAD_ACCT_TERMINATE_CAUSE
RAD_ACCT_INPUT_OCTETS
RAD_ACCT_INPUT_PACKETS
RAD_ACCT_OUTPUT_OCTETS
RAD_ACCT_OUTPUT_PACKETS
RAD_ACCT_INPUT_GIGAWORDS
RAD_ACCT_OUTPUT_GIGAWORDS
RAD_ACCT_SESSION_TIME

RADIUS ACLs

Mpd can use Access Control Lists (ACLs) obtained from the RADIUS server. These ACLs may include ipfw rules, dummynet pipes and dummynet queues. To use this feature, add a dictionary like the following to your RADIUS server:

#----------------------------------------------------------
# dictionary.mpd

VENDOR          mpd                     12341

ATTRIBUTE       mpd-rule                1       string          mpd
ATTRIBUTE       mpd-pipe                2       string          mpd
ATTRIBUTE       mpd-queue               3       string          mpd
ATTRIBUTE       mpd-table               4       string          mpd
ATTRIBUTE       mpd-table-static        5       string          mpd
#----------------------------------------------------------
After this you can write in your RADIUS configuration something like:

mpd-table += "1=10.0.0.1",
mpd-table += "1=10.0.0.15",
mpd-pipe += "1=bw 10Kbyte/s",
mpd-pipe += "5=bw 20Kbyte/s",
mpd-rule += "1=pipe %p1 all from any to table(%t) in",
mpd-rule += "2=pipe %p5 all from table(%t) to any out",
mpd-rule += "100=allow all from any to any",

When mpd receives these parameters it calls ipfw(8) to create firewall rules, pipes and queues with unique numbers starting from 10000 (configurable via 'set global start...'). "via ngX" is appended to the end of each rule so that it applies only to that client's network interface.

As a result of this example we would get these commands executed:

ipfw table 32 add 10.0.0.1
ipfw table 32 add 10.0.0.15
ipfw pipe 10000 config bw 10Kbyte/s
ipfw pipe 10001 config bw 20Kbyte/s
ipfw add 10000 pipe 10000 all from any to table(32) in via ng0
ipfw add 10001 pipe 10001 all from table(32) to any out via ng0
ipfw add 10002 allow all from any to any via ng0

When the link goes down, all created rules will be removed.
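The translation described above, as an added Python example that is not mpd's own code: it takes the mpd-table, mpd-pipe, mpd-queue and mpd-rule values of a RADIUS reply, allocates pipe, queue and rule numbers from 10000 upward in key order, substitutes %pN, %qN and %t, appends "via ngX", and also produces the matching teardown commands for when the link goes down. The table number (32 in the manual's example) is passed in as a parameter, and the character whitelist applied to reply text is an added check of this example, not something the manual says mpd does; the reply below is the manual's example, embedded as constructed input.

```python
import re

START = 10000  # mpd's default first number for rules, pipes and queues ('set global start ...')

# Added check (not documented on the page): reply text is handed to ipfw, so only
# allow the characters an ipfw rule, pipe spec or address needs.
SAFE_TEXT = re.compile(r"^[\w %()./,:-]+\Z")


def parse_attr_values(values):
    """Split 'N=text' strings into (N, text) pairs, ordered by N."""
    pairs = []
    for raw in values:
        key, sep, text = raw.partition("=")
        if not sep or not key.isdigit() or not SAFE_TEXT.match(text):
            raise ValueError("rejecting attribute value %r" % raw)
        pairs.append((int(key), text))
    return sorted(pairs)


def build_ipfw_commands(reply, iface, table_no, start=START):
    """Translate mpd-table / mpd-pipe / mpd-queue / mpd-rule values into ipfw(8)
    command lines. Returns (setup, teardown); teardown undoes setup in reverse
    order, which is what happens when the link goes down."""
    setup, teardown = [], []
    pipes, queues = {}, {}

    for _, addr in parse_attr_values(reply.get("mpd-table", [])):
        setup.append("ipfw table %d add %s" % (table_no, addr))
        teardown.append("ipfw table %d delete %s" % (table_no, addr))

    # Pipes and queues each get unique numbers from 'start' upward, in key order.
    for name, numbers in (("mpd-pipe", pipes), ("mpd-queue", queues)):
        kind = name.split("-")[1]
        num = start
        for key, spec in parse_attr_values(reply.get(name, [])):
            numbers[key] = num
            setup.append("ipfw %s %d config %s" % (kind, num, spec))
            teardown.append("ipfw %s %d delete" % (kind, num))
            num += 1

    def substitute(match):
        """%t -> table number; %pN / %qN -> the number allocated to pipe/queue N."""
        if match.group(0) == "%t":
            return str(table_no)
        mapping = pipes if match.group(1) == "p" else queues
        index = int(match.group(2))
        if index not in mapping:
            raise ValueError("rule references undefined %s%d" % (match.group(1), index))
        return str(mapping[index])

    # Rules are numbered sequentially and restricted to this client's interface.
    num = start
    for _, rule in parse_attr_values(reply.get("mpd-rule", [])):
        body = re.sub(r"%t|%([pq])(\d+)", substitute, rule)
        setup.append("ipfw add %d %s via %s" % (num, body, iface))
        teardown.append("ipfw delete %d" % num)
        num += 1

    return setup, teardown[::-1]


# Constructed input: the reply from the manual's example, for interface ng0 and table 32.
EXAMPLE_REPLY = {
    "mpd-table": ["1=10.0.0.1", "1=10.0.0.15"],
    "mpd-pipe": ["1=bw 10Kbyte/s", "5=bw 20Kbyte/s"],
    "mpd-rule": [
        "1=pipe %p1 all from any to table(%t) in",
        "2=pipe %p5 all from table(%t) to any out",
        "100=allow all from any to any",
    ],
}

if __name__ == "__main__":
    up, down = build_ipfw_commands(EXAMPLE_REPLY, "ng0", 32)
    print("\n".join(up))
    print("--- on link down ---")
    print("\n".join(down))
```

Run stand-alone, the setup list reproduces the seven ipfw commands shown above. Two failure modes are handled rather than passed through to ipfw: a rule that names a pipe or queue the reply never defined, and a value containing characters outside what a rule, pipe specification or address needs.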
