usage counter....

Jan Mulders lastchancehotel at gmail.com
Sat May 19 17:39:31 CEST 2007


Yeah, I found a method to do this. It involves configuring your NAS to
reauthenticate the user every 20 minutes or so (I use OpenVPN with a NAS
plugin, it does key renegotiation every 20 minutes so this is ideal for me),
and using a Perl script with rlm_perl to do your own calculations. Read
below to see how to make it work with a NAS that doesn't periodically
renegotiate, and supports Packet of Disconnection.

My Perl script does a query to find the bytes used for each user (I also
specify date/time requirements, but this isn't shown here):

SELECT SUM(inputoctets + outputoctets) FROM radacct WHERE username='$username';

Then you can make it compare it with the user's user-group attribute, eg:

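use DBI;
use constant { RLM_MODULE_REJECT => 0, RLM_MODULE_OK => 2 };  # rlm_perl return codes
our (%RAD_REQUEST, %RAD_CHECK);   # filled in by rlm_perl for each request
my $dbh;                          # DBI handle to the accounting database, opened elsewhere

sub authorize
{
   # the user name is bound with a placeholder (?) rather than pasted into the SQL
   my ($bytesused) = $dbh->selectrow_array(
      'SELECT SUM(inputoctets + outputoctets) FROM radacct WHERE username = ?',
      undef, $RAD_REQUEST{'User-Name'});
   $bytesused //= 0;   # no accounting rows yet

   if (($RAD_CHECK{'user-group'} // '') eq 'heavyusers')
   {
      # give the user full speed service if their byte usage is below 100GB
      if ($bytesused < 100_000_000_000)
      {
         return RLM_MODULE_OK;
      }
      else
      {
         return RLM_MODULE_REJECT;
      }
   }
   # checks for other groups go here
   return RLM_MODULE_OK;
}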

...and repeat as necessary. (Note: this is off the top of my head with no
reference to the rlm_perl script I use, so some values will likely be fuzzy
or outright wrong.)

This way, I didn't have to hack around with complicated, awkward modules in
FreeRADIUS - all I needed to do was move the functionality and
decision-making logic to Perl. This saved me -days- of work, and is very
flexible.

It all depends on what methods you have to enforce user disconnection: I was
lucky enough to be able to ask the creator of the OpenVPN plugin to add
a 'reauthenticate every 20 minutes' option, which, if it failed, booted the
user off the NAS. Read your NAS documentation: specifically, look for
if/when it reauthenticates, and if it supports Packet-Of-Disconnection. If
it does support PoD, then you can easily add this functionality to the Perl
script that runs on accounting, and it'll work just fine without periodic
reauthentications.

Hope this helps!

Jan
On 19/05/07, Trio Yulistianto <trioy99 at gmail.com> wrote:
>
> so.. its mean that freeradius not yet supporting about this limit ?
> so i have to ask mikrotik ?
>
> 2007/5/18, tnt at kalik.co.yu < tnt at kalik.co.yu>:
> >
> > With a bit of gymnastics it can be done. You can run an outside program
> > on accounting updates checking Octet total - if it goes over the limit
> > it can send PoD (if Mikrotik supports this). But is it worth it? How
> > much over the limit can they go in one session (you are setting a
> > monthly limit)? Think about limiting sessions with Session-Timeout as
> > well.
> >
> > Or "simply" ask Mikrotik to introduce Mikrotik-Total-Limit VSA. If
> > enough people request it ...
> >
> > Ivan Kalik
> > Kalik Informatika ISP
> >
> > On 18/5/2007, "Trio Yulistianto" < trioy99 at gmail.com> wrote:
> >
> > >yupes you are right... it can't stop user from going over the limit,
> > >but i need to kick while the limit reached as time session...
> > >any body success with this ? please tell me how
> > >
> >
> > -
> > List info/subscribe/unsubscribe? See
> > http://www.freeradius.org/list/users.html
> >
>
>
>
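
The accounting-time check with Packet of Disconnect described in the message above, as an rlm_perl `accounting` handler that calls FreeRADIUS's `radclient`. This is an added example, not Jan's script or code from the thread: the DSN, credentials, NAS secret, port 3799, the 100 GB limit and the helper names `bytes_used` and `send_pod` are assumptions, and the radacct column names are the ones used in the query in the message.

```perl
use strict;
use warnings;
use DBI;

our %RAD_REQUEST;    # filled in by rlm_perl for each accounting packet
use constant { RLM_MODULE_OK => 2, RLM_MODULE_NOOP => 7 };

# Assumed values: replace with your own database, NAS secret and quota.
my ($DSN, $DB_USER, $DB_PASS) = ('DBI:mysql:database=radius', 'radius', 'CHANGE_ME');
my $NAS_SECRET = 'CHANGE_ME';
my $POD_PORT   = 3799;               # RFC 5176 default; check your NAS
my $LIMIT      = 100_000_000_000;    # 100 GB in bytes
my $dbh;

sub bytes_used {
    my ($user) = @_;
    $dbh ||= DBI->connect($DSN, $DB_USER, $DB_PASS, { PrintError => 1 }) or return 0;
    # The placeholder (?) keeps the user name out of the SQL text.
    my ($sum) = $dbh->selectrow_array(
        'SELECT SUM(inputoctets + outputoctets) FROM radacct WHERE username = ?',
        undef, $user);
    return $sum // 0;                # no rows or query error: treat as no usage
}

sub send_pod {
    my ($nas, $user, $session) = @_;
    # Refuse values that could add extra attributes to radclient's input.
    return 0 if grep { !defined($_) || /["\\\r\n]/ } $nas, $user, $session;
    return 0 unless $nas =~ /\A[0-9.]+\z/;
    local $SIG{PIPE} = 'IGNORE';     # a dead radclient must not kill the server
    # List-form open runs radclient directly, without a shell.
    open(my $rc, '|-', 'radclient', '-q', "$nas:$POD_PORT", 'disconnect', $NAS_SECRET)
        or return 0;
    print {$rc} qq{User-Name = "$user"\nAcct-Session-Id = "$session"\n};
    return close($rc) ? 1 : 0;       # true when radclient exits with status 0
}

sub accounting {
    my $type = $RAD_REQUEST{'Acct-Status-Type'} // '';
    my $user = $RAD_REQUEST{'User-Name'};
    # Only interim updates ("Alive" in some dictionaries) trigger the check.
    return RLM_MODULE_NOOP unless defined $user && $type =~ /\A(?:Interim-Update|Alive)\z/;
    if (bytes_used($user) >= $LIMIT) {
        send_pod($RAD_REQUEST{'NAS-IP-Address'}, $user, $RAD_REQUEST{'Acct-Session-Id'});
    }
    return RLM_MODULE_OK;            # the accounting record is accepted either way
}
```

The handler blocks until radclient gets an answer or times out, and the shared secret passed as an argument is visible in the host's process list while radclient runs.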