mpd5 RADIUS attributes

mpd5 RADIUS attributes:

N   Name				Access		Accounting
				Req	Resp	Req	Resp
1   User-Name			+	+	+	-
2   User-Password		+	-	-	-
3   CHAP-Password		+	-	-	-
4   NAS-IP-Address		+	-	+	-
5   NAS-Port			+	-	+	-
6   Service-Type		+	-	+	-
7   Framed-Protocol		+	-	+	-
8   Framed-IP-Address		-	+	+	-
9   Framed-IP-Netmask		-	+	+	-
12  Framed-MTU			-	+	-	-
13  Framed-Compression		-	+	-	-
18  Reply-Message		-	+	-	-
22  Framed-Route		-	+	-	-
24  State			+	+	+	-
25  Class			-	+	+	-
27  Session-Timeout		-	+	-	-
28  Idle-Timeout		-	+	-	-
30  Called-Station-Id		+	-	+	-
31  Calling-Station-Id		+	-	+	-
32  NAS-Identifier		+	-	+	-
40  Acct-Status-Type		-	-	+	-
42  Acct-Input-Octets		-	-	+	-
43  Acct-Output-Octets		-	-	+	-
44  Acct-Session-Id		+	-	+	-
45  Acct-Authentic		-	-	+	-
46  Acct-Session-Time		-	-	+	-
47  Acct-Input-Packets		-	-	+	-
48  Acct-Output-Packets		-	-	+	-
49  Acct-Terminate-Cause	-	-	+	-
50  Acct-Multi-Session-Id	-	-	+	-
51  Acct-Link-Count		-	-	+	-
52  Acct-Input-Gigawords	-	-	+	-
53  Acct-Output-Gigawords	-	-	+	-
60  CHAP-Challenge		+	-	-	-
61  NAS-Port-Type		+	-	+	-
64  Tunnel-Type			+	-	+	-
65  Tunnel-Medium-Type		+	-	+	-
66  Tunnel-Client-Endpoint	+	-	+	-
67  Tunnel-Server-Endpoint	+	-	+	-
85  Acct-Interim-Interval	-	+	-	-
87  NAS-Port-Id			+	-	+	-
88  Framed-Pool			-	+	-	-
90  Tunnel-Client-Auth-ID	+	-	+	-
91  Tunnel-Server-Auth-ID	+	-	+	-
95  NAS-IPv6-Address		+	-	+	-
99  Framed-IPv6-Route		-	+	-	-

    Microsoft VSA (311)
1   MS-CHAP-Response		+	-	-	-
2   MS-CHAP-Error		-	+	-	-
7   MS-MPPE-Encryption-Policy	-	+	-	-
8   MS-MPPE-Encryption-Types	-	+	-	-
10  MS-CHAP-Domain		-	+	-	-
11  MS-CHAP-Challenge		+	-	-	-
12  MS-CHAP-MPPE-Keys		-	+	-	-
16  MS-MPPE-Send-Key		-	+	-	-
17  MS-MPPE-Recv-Key		-	+	-	-
25  MS-CHAP2-Response		+	-	-	-
26  MS-CHAP2-Success		-	+	-	-
28  MS-Primary-DNS-Server	-	+	-	-
29  MS-Secondary-DNS-Server	-	+	-	-
30  MS-Primary-NBNS-Server	-	+	-	-
31  MS-Secondary-NBNS-Server	-	+	-	-

    DSL Forum VSA (3561)
1   ADSL-Agent-Circuit-Id	+	-	+	-
2   ADSL-Agent-Remote-Id	+	-	+	-

    mpd VSA (12341)
1   mpd-rule			-	+	-	-
2   mpd-pipe			-	+	-	-
3   mpd-queue			-	+	-	-
4   mpd-table			-	+	-	-
5   mpd-table-static		-	+	-	-
6   mpd-filter			-	+	-	-
7   mpd-limit			-	+	-	-
8   mpd-input-octets		-	-	+	-
9   mpd-input-packets		-	-	+	-
10  mpd-output-octets		-	-	+	-
11  mpd-output-packets		-	-	+	-
12  mpd-link			+	-	+	-
13  mpd-bundle			-	-	+	-
14  mpd-iface			-	-	+	-
15  mpd-iface-index		-	-	+	-
16  mpd-input-acct		-	+	-	-
17  mpd-output-acct		-	+	-	-
18  mpd-action			-	+	-	-
154 mpd-drop-user		-	-	-	+

To use the mpd VSAs, add the following dictionary to your RADIUS server:

#----------------------------------------------------------
# dictionary.mpd

VENDOR          mpd             12341

BEGIN-VENDOR	mpd

ATTRIBUTE	mpd-rule	1	string
ATTRIBUTE	mpd-pipe	2	string
ATTRIBUTE	mpd-queue	3	string
ATTRIBUTE	mpd-table	4	string
ATTRIBUTE	mpd-table-static	5	string
ATTRIBUTE	mpd-filter	6	string
ATTRIBUTE	mpd-limit	7	string
ATTRIBUTE	mpd-input-octets	8	string
ATTRIBUTE	mpd-input-packets	9	string
ATTRIBUTE	mpd-output-octets	10	string
ATTRIBUTE	mpd-output-packets	11	string
ATTRIBUTE	mpd-link	12	string
ATTRIBUTE	mpd-bundle	13	string
ATTRIBUTE	mpd-iface	14	string
ATTRIBUTE	mpd-iface-index	15	integer
ATTRIBUTE	mpd-input-acct	16	string
ATTRIBUTE	mpd-output-acct	17	string
ATTRIBUTE	mpd-action	18	string
ATTRIBUTE	mpd-drop-user	154	integer

END-VENDOR	mpd
#----------------------------------------------------------

ipfw

mpd-table += "1=10.0.0.1",
mpd-table += "1=10.0.0.15",
mpd-pipe += "1=bw 10Kbyte/s",
mpd-pipe += "5=bw 20Kbyte/s",
mpd-rule += "1=pipe %p1 all from any to table\\(%t1\\) in",
mpd-rule += "2=pipe %p5 all from table\\(%t1\\) to any out",
mpd-rule += "100=allow all from any to any",

When mpd receives these parameters it calls ipfw(8) to create firewall rules, pipes and queues with unique numbers starting from 10000 (configurable via 'set global start…'). The %rX, %pX, %qX and %tX macros are expanded within mpd-rule and mpd-queue. "via ngX" is appended to the end of each rule so that the rule applies only to that client's network interface.

As a result of this example we would get these commands executed:

ipfw table 32 add 10.0.0.1
ipfw table 32 add 10.0.0.15
ipfw pipe 10000 config bw 10Kbyte/s
ipfw pipe 10001 config bw 20Kbyte/s
ipfw add 10000 pipe 10000 all from any to table\(32\) in via ng0
ipfw add 10001 pipe 10001 all from table\(32\) to any out via ng0
ipfw add 10002 allow all from any to any via ng0

When the link goes down, all created rules will be removed.

Note: since mpd executes ipfw commands through the shell, shell special characters such as "(" and ")" must be escaped with backslashes.
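The numbering and macro expansion described above, modelled in Python as an added example (not code from the mpd project). The attribute values are the page's example; rule, pipe and queue numbers start at 10000 as stated, the table start of 32 is an assumption chosen to reproduce the page's output, and rules containing unescaped parentheses are rejected in line with the note above.

```python
import re

# Constructed sample: the page's attribute values as they reach mpd (the RADIUS
# server has already unescaped them, so one backslash stays before each paren).
SAMPLE_ATTRS = [
    ("mpd-table", "1=10.0.0.1"),
    ("mpd-table", "1=10.0.0.15"),
    ("mpd-pipe", "1=bw 10Kbyte/s"),
    ("mpd-pipe", "5=bw 20Kbyte/s"),
    ("mpd-rule", r"1=pipe %p1 all from any to table\(%t1\) in"),
    ("mpd-rule", r"2=pipe %p5 all from table\(%t1\) to any out"),
    ("mpd-rule", "100=allow all from any to any"),
]
KIND_OF = {"mpd-rule": "r", "mpd-pipe": "p", "mpd-queue": "q", "mpd-table": "t"}
MACRO_RE = re.compile(r"%([rpqt])(\d+)")
UNESCAPED_PAREN_RE = re.compile(r"(?<!\\)[()]")  # "(" or ")" not slashed for the shell


def expand_attrs(attrs, iface="ng0", start=10000, table_start=32):
    """ipfw(8) commands mpd would run: rules, pipes and queues are numbered from
    `start` (the page's default 10000), tables from `table_start` (assumed; 32
    reproduces the page), macros are expanded and "via <iface>" is appended."""
    next_num = {"r": start, "p": start, "q": start, "t": table_start}
    numbers, parsed = {}, []             # (kind, client-local id) -> number
    for name, value in attrs:            # pass 1: number objects in order
        local_id, _, body = value.partition("=")
        key = (KIND_OF[name], int(local_id))
        if key not in numbers:
            numbers[key], next_num[key[0]] = next_num[key[0]], next_num[key[0]] + 1
        parsed.append((key, body))

    def subst(m):                        # %pX etc. -> number; must be declared
        key = (m.group(1), int(m.group(2)))
        if key not in numbers:
            raise ValueError(f"macro %{m.group(1)}{m.group(2)} is undeclared")
        return str(numbers[key])

    cmds = []
    for key, body in parsed:             # pass 2: expand macros and emit
        kind, n = key[0], numbers[key]
        if kind == "r" and UNESCAPED_PAREN_RE.search(body):
            raise ValueError(f"unescaped ( or ) in rule: {body}")
        body = MACRO_RE.sub(subst, body)
        if kind == "t":
            cmds.append(f"ipfw table {n} add {body}")
        elif kind == "r":
            cmds.append(f"ipfw add {n} {body} via {iface}")
        else:
            cmds.append(f"ipfw {'pipe' if kind == 'p' else 'queue'} {n} config {body}")
    return cmds
```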

ng_bpf/ng_car
Mpd can create complex per-interface traffic filtering/limiting engines inside netgraph when requested by the mpd-filter and mpd-limit RADIUS attributes.

The mpd-filter attribute is a packet filter declaration for use in mpd-limit. mpd-filter consists of two main parts: the match/nomatch verdict and the condition. The tcpdump (libpcap) expression syntax is used for conditions.

mpd-filter: match|nomatch {condition}

The mpd-limit attribute is an action to be applied to a packet. It consists of two main parts: the filter and the action.

mpd-limit: {filter} {action}

The filter is either "all" (any packet) or "fltX" (packets matching the specified mpd-filter).

filter: any|fltX

The action can be: "" (do nothing, just account), "pass" (stop processing and pass the packet), "deny" (stop processing and drop the packet), "rate-limit" (Cisco-like rate limiting), or "shape" (simple RED-aware traffic shaping).

The "rate-limit" and "shape" actions accept an optional "pass" suffix to stop processing after the action has been applied.

action: | pass | deny | rate-limit {rate(bits/s)} [{normal burst(bytes)} [{extended burst(bytes)}]] [pass] | shape {rate(bits/s)} [{burst(bytes)}] [pass]

mpd-filter += "1#1=nomatch dst net 10.0.0.0/24",
mpd-filter += "1#2=match dst net 10.0.0.0/8",
mpd-filter += "2#1=nomatch src net 10.0.0.0/24",
mpd-filter += "2#2=match src net 11.0.0.0/8",
mpd-limit += "in#1=flt1 pass",
mpd-limit += "in#2#Biz=all shape 64000 4000",
mpd-limit += "out#1=flt2 pass",
mpd-limit += "out#2#Biz=all rate-limit 1024000 150000 300000",

As a result, one ng_bpf node is created to implement the traffic filters and several (two in this example) ng_car nodes for traffic shaping and rate limiting. Incoming traffic to 10.0.0.0/8, except 10.0.0.0/24, is passed; all other incoming traffic is shaped to 64 Kbit/s. Outgoing traffic from 10.0.0.0/8, except 10.0.0.0/24, is passed; all other outgoing traffic is limited to 1024 Kbit/s. Traffic that passed the mpd-limit rules marked "Biz" is also accounted separately and reported under that name in AAA accounting requests.
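An added parser (not part of mpd) for the mpd-filter and mpd-limit grammar described above, run over the page's example values. It accepts both "all" and "any" as the catch-all filter, since the text uses both spellings, validates the action grammar, and rejects mpd-limit entries that reference an undeclared filter.

```python
# Constructed sample: the mpd-filter / mpd-limit values from the page's example.
SAMPLE_LIMITS = [
    ("mpd-filter", "1#1=nomatch dst net 10.0.0.0/24"),
    ("mpd-filter", "1#2=match dst net 10.0.0.0/8"),
    ("mpd-filter", "2#1=nomatch src net 10.0.0.0/24"),
    ("mpd-filter", "2#2=match src net 11.0.0.0/8"),
    ("mpd-limit", "in#1=flt1 pass"),
    ("mpd-limit", "in#2#Biz=all shape 64000 4000"),
    ("mpd-limit", "out#1=flt2 pass"),
    ("mpd-limit", "out#2#Biz=all rate-limit 1024000 150000 300000"),
]


def parse_action(words):
    """Action part of an mpd-limit -> (verb, rate, burst, ext_burst, stop)."""
    if not words:                              # empty action: account only
        return ("account", None, None, None, False)
    verb, args = words[0], words[1:]
    if verb in ("pass", "deny"):               # both stop processing
        return (verb, None, None, None, True)
    if verb not in ("rate-limit", "shape"):
        raise ValueError(f"unknown action {verb!r}")
    stop = bool(args) and args[-1] == "pass"   # optional trailing "pass"
    args = args[:-1] if stop else args
    if not 1 <= len(args) <= (3 if verb == "rate-limit" else 2):
        raise ValueError(f"bad argument count for {verb}: {args}")
    nums = [int(a) for a in args] + [None] * (3 - len(args))
    return (verb, nums[0], nums[1], nums[2], stop)


def parse_limits(attrs):
    """Filters keyed by group number, limits keyed by direction and ordered by index."""
    filters, limits = {}, {"in": [], "out": []}
    for name, value in attrs:
        key, _, body = value.partition("=")
        parts = key.split("#")                 # N#M  or  in|out#M[#label]
        if name == "mpd-filter":
            verdict, _, cond = body.partition(" ")
            if verdict not in ("match", "nomatch") or not cond:
                raise ValueError(f"bad mpd-filter: {value}")
            filters.setdefault(int(parts[0]), []).append((int(parts[1]), verdict, cond))
        elif name == "mpd-limit":
            label = parts[2] if len(parts) > 2 else None   # accounting name
            words = body.split()
            limits[parts[0]].append((int(parts[1]), label, words[0], parse_action(words[1:])))
    for rules in limits.values():
        rules.sort(key=lambda r: r[0])
        for _, _, flt, _ in rules:             # page spells the catch-all "all" and "any"
            if flt not in ("all", "any") and (not flt.startswith("flt") or int(flt[3:]) not in filters):
                raise ValueError(f"{flt} refers to an undeclared mpd-filter")
    return filters, limits
```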

Dynamic Authorization

After a session has been authorized by the AAA subsystem for the first time, mpd provides several ways to affect its further operation. The process of affecting an established session is called dynamic authorization.

There are two types of dynamic authorization activity: Disconnect (terminate the session, causing its graceful shutdown) and Change of Authorization, CoA (change session operation parameters, such as speed, ACLs and so on, on the fly).

Mpd provides several different control interfaces that can be used to implement dynamic authorization.

Control consoles

The basic method of controlling mpd is its STDIN and TCP consoles.

You can disconnect any session by connecting to the console, selecting the required session with any command that changes the current context (such as link, bundle, session, msession and so on), and using the close command.

Web server

Mpd provides two Web interfaces: human (text/html) and binary (text/plain).

The human web interface allows you to disconnect a given session simply by clicking the respective [Close] link on the "Current status summary" page of mpd's built-in web server.

The binary web interface provides an API for executing any control console command via an HTTP request. For example, to disconnect the session on the link named L125 you may use this HTTP request: /bincmd?link%20L125&close

RADIUS accounting

Mpd provides a simple but non-standard method of disconnecting a session using the RADIUS accounting reply. To disconnect an arbitrary session, include the mpd-drop-user attribute with a nonzero value in any accounting reply packet.

This method is not considered completely reliable, as the AAA server receives no acknowledgement that mpd received the accounting reply packet. The only guarantee is that on packet loss mpd will retry sending the accounting request the specified number of times before giving up.

Built-in RADIUS server

RFC 3576, "Dynamic Authorization Extensions to RADIUS", defines the standard way to implement dynamic authorization. It defines two additional RADIUS request types, Disconnect-Request and CoA-Request, which are sent from the AAA server to a dedicated UDP port on the NAS using the regular RADIUS protocol.

For this function to work, mpd must be built with a libradius library that has RADIUS server functionality (FreeBSD 7/8-STABLE after 2009-10-30).

This chapter describes commands that configure mpd’s built-in RADIUS server. All of these commands are executed in global context.

set radsrv open

Opens the RADIUS server, i.e., creates the listening UDP socket.

set radsrv close

Closes the RADIUS server, i.e., closes the listening UDP socket.

set radsrv self ip [ port ]

Sets the address and port the RADIUS listener binds to. After changing one of these options, the RADIUS server must be closed and re-opened for the change to take effect.

The default is ‘0.0.0.0 3799’.

set radsrv peer ip secret

Defines an additional AAA server that is allowed to contact this NAS, together with its shared secret. After changing one of these options, the RADIUS server must be closed and re-opened for the change to take effect.

set radsrv enable option …
set radsrv disable option …

These commands configure various RADIUS server options.

The enable and disable commands determine whether we want the corresponding option.

The options available for the RADIUS server are:

coa

This option enables CoA-Request support on RADIUS server.

The default is enable.

disconnect

This option enables Disconnect-Request support on RADIUS server.

The default is enable.

The dynamic authorization RADIUS server receives three groups of attributes: NAS identification (to make sure the request reached the right server), session identification (to identify the session that should be affected) and session parameters (to describe the new session state to set). NAS and session identification attributes are a native part of any Disconnect or CoA request, while session parameters can be used only with CoA. At least one session identification attribute must be present in the request. If several identification attributes are present, a session must match all of them to be affected.

NAS identification attributes supported by mpd:

N Name
4 NAS-IP-Address

Session identification attributes supported by mpd:

N Name
1 User-Name
5 NAS-Port
8 Framed-IP-Address
30 Called-Station-Id
31 Calling-Station-Id
44 Acct-Session-Id
50 Acct-Multi-Session-Id

mpd VSA (12341)

12 mpd-link
13 mpd-bundle
14 mpd-iface
15 mpd-iface-index

Session parameter attributes supported by mpd:

N Name
27 Session-Timeout
28 Idle-Timeout
85 Acct-Interim-Interval

mpd VSA (12341)
1 mpd-rule
2 mpd-pipe
3 mpd-queue
4 mpd-table
5 mpd-table-static
7 mpd-filter
8 mpd-limit
16 mpd-input-acct
17 mpd-output-acct

Session parameters received in a CoA request replace the existing ones. If a parameter is not received, it keeps its previous value in the case of standard attributes, but is cleared in the case of mpd's VSAs.

Note that a CoA request always restarts the Session and Idle timers of matching interfaces, and restarts the Accounting Update timer of matching links if a new value is received.
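The matching and replacement rules just described, as an added model in Python (not mpd's own code): every session identification attribute present must match, absent standard parameters keep their value while absent mpd VSAs are cleared, and the timer restarts follow the note above. The session records and the NAS address are constructed sample data.

```python
# Attribute groups taken from the page's tables.
SESSION_ID = {"User-Name", "NAS-Port", "Framed-IP-Address", "Called-Station-Id",
              "Calling-Station-Id", "Acct-Session-Id", "Acct-Multi-Session-Id",
              "mpd-link", "mpd-bundle", "mpd-iface", "mpd-iface-index"}
STD_PARAMS = {"Session-Timeout", "Idle-Timeout", "Acct-Interim-Interval"}
VSA_PARAMS = {"mpd-rule", "mpd-pipe", "mpd-queue", "mpd-table", "mpd-table-static",
              "mpd-filter", "mpd-limit", "mpd-input-acct", "mpd-output-acct"}

# Constructed sample: two links of one user, keyed by the attribute names above.
SESSIONS = [
    {"User-Name": "alice", "NAS-Port": 1, "Framed-IP-Address": "10.0.0.1",
     "Acct-Session-Id": "S-0001", "mpd-link": "L1",
     "params": {"Session-Timeout": 3600, "Idle-Timeout": 600,
                "mpd-limit": ["in#1=all shape 64000 4000"]}},
    {"User-Name": "alice", "NAS-Port": 2, "Framed-IP-Address": "10.0.0.2",
     "Acct-Session-Id": "S-0002", "mpd-link": "L2",
     "params": {"Session-Timeout": 3600, "Idle-Timeout": 600}},
]


def select_sessions(request, sessions, nas_ip):
    """Sessions a Disconnect/CoA request addresses: the NAS must be ours,
    at least one session identification attribute must be present, and a
    session must match every identification attribute that is present."""
    if request.get("NAS-IP-Address", nas_ip) != nas_ip:
        raise ValueError("request is addressed to a different NAS")
    ids = {k: v for k, v in request.items() if k in SESSION_ID}
    if not ids:
        raise ValueError("no session identification attribute in request")
    return [s for s in sessions if all(s.get(k) == v for k, v in ids.items())]


def apply_coa(session, request):
    """Apply CoA session parameters in place: received values replace the
    old ones, absent standard attributes keep their value, absent mpd VSAs
    are cleared. Returns the set of timers the page says get restarted."""
    params = session["params"]
    for k in STD_PARAMS & request.keys():    # only received standard attrs change
        params[k] = request[k]
    for k in VSA_PARAMS:                     # VSAs not in the request are cleared
        params[k] = list(request.get(k, []))
    restarted = {"session", "idle"}          # always restarted on CoA
    if "Acct-Interim-Interval" in request:   # only when a new value arrived
        restarted.add("accounting-update")
    return restarted
```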


Comments on mpd5 RADIUS attributes

  • I've said that at least 4610010 times. The problem with this is that they are just too complicated for the average bird, if you know what I mean

    a4610010 21.12.2011 03:41 Reply
