auth.texi

gnu 的radius服务器很好用的

@c This is part of the Radius manual.
@c Copyright (C) 1999,2000,2001,2002,2003,2004 Free Software Foundation, Inc.
@c Written by Sergey Poznyakoff
@c See file radius.texi for copying conditions.
@comment *******************************************************************
@node Authentication, Accounting, Request Comparison, Top
@chapter Authentication

An @dfn{Authentication Type} specifies which credentials the user
is required to supply in order to be authenticated and where the
user's authentication data are stored. It is defined by the value
of @attr{Auth-Type} attribute in @LHS{} of a @file{users} entry.

@menu
* Accept Auth::                   Accept unconditionally.
* Reject Auth::                   Reject unconditionally.
* Local Password Auth::           Authenticate using plaintext password.
* Encrypted Password Auth::       Authenticate using MD5 encrypted password.
* System Auth::                   Authenticate using system account.
* SQL Auth::                      Authenticate using SQL.
* PAM Auth::                      Authenticate using PAM.
* Custom Auth::                   Defining Custom Authentication Types.
* Multiple Login Checking::       Checking for Simultaneous Logins.
* Auth Probing::                  Controlling Authentication Probes 

@end menu

@comment *L2****************************************************************
@node Accept Auth
@section Accept Authentication Type
@cindex Accept Authentication Type
@cindex Guest accounts, setting up
@exindex Guest accounts, setting up

@dfn{Accept} is the simplest authentication type. Users with this
authentication type will be authenticated successfully without checking
any credentials. Actually this means that only username
is required for authentication.

This authentication type is used for each @file{users} entry, whose
@LHS{} contains

@smallexample
Auth-Type = Accept
@end smallexample
@noindent

This authentication type can be used for guest accounts, e.g. the
following profile in @file{users}:

@smallexample
@group
guest   Auth-Type = Accept,
                Simultaneous-Use = 10
        Service-Type = Framed-User,
                Framed-Protocol = PPP
@end group
@end smallexample

@noindent
allows up to 10 simultaneous guest PPP accounts. To log in using such
guest account it is sufficient to use username @samp{guest} and any
password.

@comment *L2****************************************************************
@node Reject Auth
@section Reject Authentication Type
@cindex Reject Authentication Type
@cindex Disabling user accounts

The @dfn{Reject} authentication type causes the request to be rejected
unconditionally. It can be used to disable a user account (For another
method of disabling user accounts, @pxref{access.deny file}).

This authentication type is used for each @file{users} entry, whose
@LHS{} contains

@smallexample
Auth-Type = Reject
@end smallexample

@comment *L2****************************************************************
@node Local Password Auth
@section Local Password Authentication Type
@cindex Local Password Auth
@cindex CHAP

The @dfn{Local Password} authentication type allows to keep plaintext
user passwords. Although the use of this authentication type is strongly
discouraged for security reasons, this is the only
authentication type that can be used with @acronym{CHAP} authentication.

There are two ways of using this authentication type

@subheading Specifying Passwords in users File.
To keep the plaintext passwords in @file{users} file, the profile
entry must follow this pattern:

@smallexample
@group
@var{user-name}  Auth-Type = Local,
                     User-Password = @var{plaintext}
@end group
@end smallexample

The @var{plaintext} is the user's plaintext password. Obviously,
@var{user-name} may not be @code{DEFAULT} nor @code{BEGIN}.

@subheading Specifying Passwords in SQL Database.

@smallexample
@group
@var{user-name}   Auth-Type = Local,
                      Password-Location = SQL
@end group
@end smallexample

When the user is authenticated using such profile, its password
is retrieved from the authentication database using @code{auth_query}.
The configuration of @acronym{SQL} authentication is described in
detail in @ref{Authentication Server Parameters}.

@comment *L2****************************************************************
@node Encrypted Password Auth
@section Encrypted Password Authentication Type
@cindex Encrypted Password Authentication Type

The @dfn{Encrypted Password} type allows to keep user's passwords
encrypted via @acronym{DES} or @acronym{MD5} algorithm. There are
two ways of using this authentication type.

@subheading Specifying Passwords in users File.

@smallexample
@var{user-name}  Auth-Type = Crypt-Local,
                     User-Password = @var{crypt-pass}
@end smallexample
@noindent

The @attr{Crypt-Password} is a shortcut for the above notation:

@smallexample
@var{user-name}  Crypt-Password = @var{crypt-pass}
@end smallexample

@subheading Specifying Passwords in SQL Database.

@smallexample
@group
@var{user-name}   Auth-Type = Crypt-Local,
                      Password-Location = SQL
@end group
@end smallexample

Using this profile, the user's password is retrieved from the
authentication database using @code{auth_query}.
The configuration of @acronym{SQL} authentication is described in
detail on @ref{Authentication Server Parameters}.

The shortcut for this notation is @code{Auth-Type = SQL}.

In any case, the passwords used with this authentication type
must be either @acronym{DES} or @acronym{MD5} hashed.

@comment *L2****************************************************************
@node System Auth
@section System Authentication Type
@cindex System Authentication Type

The @dfn{System} authentication type requires that the user
have a valid system account on the machine where the radius
server is running. The use of this type is triggered by setting

@smallexample
Auth-Type = System
@end smallexample
@noindent

in the @LHS{} of a @file{users} entry.

@comment *L2****************************************************************
@node SQL Auth
@section SQL Authentication Type
@cindex SQL Authentication Type

Setting @code{Auth-Type = SQL} or @code{Auth-Type = Mysql}
in the @LHS{} of a @file{users} entry is a synonym for

@smallexample
Auth-Type = Crypt-Local, Password-Location = SQL
@end smallexample
@noindent

and is provided as a shortcut and for backward compatibility with
previous versions of GNU Radius.

For description of @acronym{SQL} authentication, see @ref{Encrypted
Password Auth}. The configuration of @acronym{SQL} subsystem
is described in @ref{sqlserver file}.

@comment *L2****************************************************************
@node PAM Auth
@section PAM Authentication Type
@cindex PAM Authentication Type

@dfn{PAM} authentication type indicates that a user should be authenticated
using @acronym{PAM} (Pluggable Authentication Module) framework. The
simplest way of usage is:

@smallexample
Auth-Type = PAM
@end smallexample
@noindent

Any user whose @file{users} profile contains the above, will be
authenticated via @acronym{PAM}, using service name @samp{radius}.
If you wish to use another service name, set it using @attr{Auth-Data}
attribute, e.g.:

@smallexample
Auth-Type = PAM,
    Auth-Data = @var{pam-service}
@end smallexample

@comment *L2****************************************************************
@node Custom Auth
@section Defining Custom Authentication Types
@cindex Custom Authentication Types

The are three ways to define custom authentication types:

@enumerate 1
@item Write a @acronym{PAM} module.
@item Use a Guile procedure.
@item Use an external program
@end enumerate

You can write a @acronym{PAM} module implementing the new authentication
type. Then, specifying @code{Auth-Type = PAM} allows to apply
it (@pxref{PAM Auth}).

Alternatively, you may write a Scheme procedure implementing the new
authentication type. To apply it, use @attr{Scheme-Procedure} attribute
in @RHS{}. The @code{Auth-Type = Accept} can be used in @LHS{} if
the whole authentication burden is to be passed to the Scheme procedure.
For example, if one wrote a procedure @code{my-auth}, to apply it to
all users, one will place the following profile in his @file{users}
file:

@smallexample
@group
DEFAULT  Auth-Type = Accept
         Scheme-Procedure = "my-auth"
@end group
@end smallexample

For a discussion of how to write Scheme authentication procedures,
@xref{Authentication with Scheme}.

The third way to implement your own authentication method is using
an external program. This is less effective than the methods described
above, but may be necessary sometimes. To invoke the program, use
the following statement in the @RHS{} of @file{users} entry:

@smallexample
Exec-Program-Wait = "@var{progname} @var{args}"
@end smallexample
@noindent

The @var{progname} must be the full path to the program, @var{args} ---
any arguments it needs. The usual substitutions may be used in
@var{args} to pass any request attributes to the program
(@pxref{Macro Substitution}).

For a detailed description of @attr{Exec-Program-Wait} attribute and
an example of its use, see @ref{Exec-Program-Wait}.

@comment *L2****************************************************************
@node Multiple Login Checking
@section Multiple Login Checking
@cindex Multiple Login Checking
@cindex Simultaneous logins, checking for

The number of sessions a user can have open simultaneously can be
restricted by setting @attr{Simultaneous-Use} attribute in the user's
profile @LHS{} (@pxref{Simultaneous-Use}). By default the number
of simultaneous sessions is unlimited.

When a user with limited number of simultaneous logins authenticates
himself, Radius counts the number of the sessions that are already
opened by this user. If this number is equal to the value of
@attr{Simultaneous-Use} attribute the authentication request is
rejected.

This process is run in several stages. First, Radius retrieves the
information about currently opened sessions from one of its accounting
databases. Then, it verifies whether all these sessions are still
active. This pass is necessary since an open entry might be a result
of missing @code{Stop} request. Finally, the server counts the
sessions and compares their count with the value of
@attr{Simultaneous-Use} attribute.

The following subsections address each stage in detail.

@menu
* Retrieving Session Data::
* Verifying Active Sessions::
@end menu

@node Retrieving Session Data
@subsection Retrieving Session Data

Radius retrieves the list of sessions currently opened by the user
either from the system database (@pxref{System Accounting}), or from
the @acronym{SQL} database (@pxref{SQL Accounting}). The system administrator
determines which method to use.

By default, system accounting database is used. Its advantages are
simplicity and ease of handling. It has, however, a serious
deficiency: the information is kept in the local files. If you run
several radius servers, each of them has no easy way of knowing about
the sessions initiated by other servers.

This problem is easy to solve if you run @dfn{SQL accounting}
(@pxref{SQL Accounting}). In this case, each radius server stores the data in
your @acronym{SQL} database and can easily retrieve them from there.

To enable use of @acronym{SQL} database for multiple login checking, do the
following:

In your @file{raddb/config} file set:

@smallexample
mlc @{
    method sql;
@};
@end smallexample

In your @file{raddb/sqlserver} file, specify the queries for