This chapter describes commands that configure the Authentication
subsystem of LCP layer. All of these commands apply to the currently
active link. Mpd currently supports authentication against (tried
in this order) RADIUS, systems password database (master.passwd
),
OPIE and its integrated mpd.secrets
file.
set auth authname login
This command sets the authentication login name associated with
the link (in multi-link PPP, though each link is authenticated
individually, they all must use the same login name). The
login
must have a corresponding entry in
mpd.secrets
. The login
and password
are used when the peer requires us to authenticate ourselves.
set auth password password
This command is normally not necessary. It causes mpd to not
lookup the password corresponding to
login
in mpd.secrets
, but rather to use
password
instead. If you're too lazy to set up
mpd.secrets
and are only dialing out, you can use this
command instead.
set auth max-logins num
Limit the max. amount of concurrent logins with the same username. If set to zero, then this feature is disabled.
set auth acct-update seconds
Enables periodic accounting updates, if set to a value greater then zero.
set auth timeout seconds
Sets the timeout for the whole authentication process. It defaults to 40 seconds. Under some circumstances the value should be changed; it usually depends on the authentication backend and protocol. E.g. when using EAP with a slow RADIUS server this value should be increased.
set auth enable option ...
set auth disable option ...
The options available are:
internal
Enables authentication against the mpd.secrets
file.
Default enable
.
radius-auth
Enable authentication via RADIUS.
Default disable
.
radius-acct
Enable per link accounting via RADIUS.
Default disable
.
ext-auth
Enable authentication by calling external authentination script.
This method pretended to be a fullfeatured alternative to the
radius-auth
.
Path to that script must be specified using set auth extauth-script ...
command.
Default disable
.
ext-acct
Enable accounting by calling external script.
This method pretended to be a fullfeatured alternative to the
radius-acct
.
Path to that script must be specified using set auth extaacct-script ...
command.
Default disable
.
system
Enables authentication against the systems password database.
This options can only be used with PAP and MS-CHAP, but not
with CHAP-MD5. If you intend to use this with MS-CHAP, then
the passwords in the master.passwd
must be NT-Hashes.
You can enable this by putting :passwd_format=nth:
into
your /etc/login.conf
, but you need at least FreeBSD 5.2.
Default disable
.
opie
Enables authentication using OPIE.
When using PAP there is nothing more todo. For all other
authentication protocols you have to put the username into
the mpd.secrets
file, but the specified password is
then interpreted as secret pass phrase. This is needed, because
Mpd must be aware of the plaintext password when using CHAP.
The (windows) endusers could generate their actual responses
themselfs using Winkey.
IMPORTANT: Disable the internal authentication when using
OPIE and CHAP, because otherwise users are also able to authenticate
with their secret pass phrase.
Default disable
.
utmp-wtmp
Enable accounting via utmp/wtmp.
Default disable
.