MAX-Monthly-Traffic V2 Post.

Sajeewa Warnakulasuriya sajeewaw at ispone.com.au
Thu Aug 20 00:52:34 CEST 2009


The session counter works by setting the session-timeout value when the 
user first authenticates, and the NAS, not the RADIUS, disconnects the 
user when the session exceeds this value.

For the below to work your NAS must be able to disconnect the USER the 
same way as above but be able to track the traffic for the session and 
initiate the disconnection from the NAS.

As Alexandre suggested, CoA is a better idea.

Regards,



Sajeewa Warnakulasuriya

Systems Development Manager




On Wed, 19 Aug 2009, Alexandre Chapellon wrote:

> You are expecting an interim update to send session-timeout to your NAS
> so it disconnects your user?
> If so, two things seem incorrect to me.
>
>    1- You're measuring traffic volume and want disconnection to be set
> based on time (session-timeout)... a bit tricky isn't it?
>
>    2- I think the attribute "Session-Timeout" cannot be found in
> interim-update packets (maybe I'm wrong), RFC 2869 specifies that:  "It
> is envisioned that an Interim Accounting record (with Acct-Status-Type =
> Interim-Update (3)) would contain all of the attributes normally found
> in an Accounting Stop message with the exception of the
> Acct-Term-Cause attribute."
>
> What you would need is an attribute known by your NAS and representing
> remaining traffic. That attribute should be sent at acct-start time and
> would trigger a disconnection from the NAS when the traffic limit is
> reached. If such an attribute does not exist for your NAS, you should
> take a look at CoA server.
> Maybe someone has a better idea...?
>
> On Wednesday 19 August 2009 at 15:56 +0100, Neville wrote:
>
>> Hi everyone,
>>
>> I've decided to submit this question again as it was not quite worded
>> correctly, and to send as PLAIN TEXT.
>>
>> I'm trying to set up a new counter maxmonthlytraffic, which uses the same
>> method to disconnect a user by sending the Session-Timeout Reply Attribute as
>> with MAX-ALL-Sessions.
>>
>> This is what I've done so far...
>>
>> I've added to ./raddb/sql/mysql/counter.conf
>>
>> sqlcounter monthlytraffic {
>>                 counter-name = Monthly-Traffic
>>                 check-name = Max-Monthly-Traffic
>>                 sqlmod-inst = sql
>>                 key = User-Name
>>                 reset = monthly
>>
>>                 query = "SELECT (sum(acctinputoctets)+sum(acctoutputoctets)) \
>>                 FROM radacct WHERE username='%{%k}' AND \
>>                 Month(acctstoptime) =(Month(NOW())) AND \
>>                 Year(acctstoptime) = Year(NOW())"
>> }
>>
>> authorize {
>> .
>> monthlytraffic
>> .
>> }
>>
>> instantiate {
>> .
>> monthlytraffic
>> .
>> }
>>
>> created a dictionary entry in daloradius database of:-
>>
>> id 9433
>> Type integer
>> Attribute Max-Monthly-Traffic
>> Value NULL
>> Format NULL
>> Vendor dictionary.freeradius.internal
>> RecommendedOP :=
>> RecommendedTable check
>> RecommendedHelper
>> RecommendedTooltip Check Monthly Traffic Allowance
>>
>> User created as "testmaxm", with the following attributes set:-
>>
>> Check
>> Simultaneous-Use := 1
>> Pool-Name := tvpool
>> Cleartext-Password := testmaxm
>> Max-Monthly-Traffic := 10490000   (10Mb)   (If this is removed from the
>> Check, the user connects fine, so everything else is working)
>>
>> Reply
>> Framed-MTU = 1400
>> Framed-Protocol = PPP
>> Service-Type = Framed-User
>> Acct-Interim-Interval := 300    (Every 5 mins for testing)
>> =====
>>
>>
>> Although this seems to be working on the initial Connection, it does not
>> send the Session Time Out Reply during the Interim Acct Updates if the Usage
>> has been exceeded.
>>
>> From the Debug below, the usage is shown as "37940156"  during an Acct
>> Update e.g. 906612 + 3733544 and is more than the initial check value of
>> Max-Monthly-Traffic := 10490000, so I would have expected a Session-Timeout
>> Reply to be sent.
>>
>> However this is working ok on disconnect and reconnect, as I get...
>>
>> rlm_sqlcounter: (Check item - counter) is less than zero
>> rlm_sqlcounter: Rejected user testmaxm, check_item=10490000,
>> counter=89021682
>> ++[monthlytraffic] returns reject
>> Invalid user (rlm_sqlcounter: Maximum monthly usage time reached):
>> [testmaxm/<via Auth-Type = mschap>] (from client VPN1-UK port 1)
>>
>> rlm_sqlcounter: (Check item - counter) is less than zero
>> rlm_sqlcounter: Rejected user testmaxm, check_item=10490000,
>> counter=89021682
>> ++[monthlytraffic] returns reject
>> Invalid user (rlm_sqlcounter: Maximum monthly usage time reached):
>> [testmaxm/<via Auth-Type = mschap>] (from client VPN1-UK port 1)
>>
>> Any ideas why I did not get a disconnect during the original session, as this
>> is what I'm after?
>>
>>
>> FreeRadius2 Debug
>>
>> .
>> .
>> rlm_sqlcounter: Check item is greater than query result
>> rlm_sqlcounter: Authorized user testmaxm, check_item=10490000, counter=80411
>> rlm_sqlcounter: Sent Reply-Item for user testmaxm, Type=Session-Timeout,
>> value=11601138
>> ++[monthlytraffic] returns ok
>> .
>> .
>>
>> rad_recv: Accounting-Request packet from host aaa.bbb.ccc.ddd port 53637,
>> id=47, length=140
>>         Acct-Session-Id = "4A8B6FA0721900"
>>         User-Name = "testmaxm"
>>         Acct-Status-Type = Interim-Update
>>         Service-Type = Framed-User
>>         Framed-Protocol = PPP
>>         Acct-Authentic = RADIUS
>>         Acct-Session-Time = 600
>>         Acct-Output-Octets = 37033544
>>         Acct-Input-Octets = 906612
>>         Acct-Output-Packets = 27837
>>         Acct-Input-Packets = 15791
>>         NAS-Port-Type = Async
>>         Framed-IP-Address = 192.168.0.29
>>         NAS-Identifier = "aaa.bbb.ccc.ddd"
>>         NAS-Port = 1
>>         Acct-Delay-Time = 0
>> +- entering group preacct {...}
>> ++[preprocess] returns ok
>> [acct_unique] Hashing 'NAS-Port = 1,Client-IP-Address =
>> 193.33.186.190,NAS-IP-Address = aaa.bbb.ccc.ddd,Acct-Session-Id =
>> "4A8B6FA0721900",User-Name = "testmaxm"'
>> [acct_unique] Acct-Unique-Session-ID = "049e959019a363e4".
>> ++[acct_unique] returns ok
>> [suffix] No '@' in User-Name = "testmaxm", looking up realm NULL
>> [suffix] No such realm "NULL"
>> ++[suffix] returns noop
>> +- entering group accounting {...}
>> [detail]        expand:
>> /var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d ->
>> /var/log/radius/radacct/aaa.bbb.ccc.ddd/detail-20090819
>> [detail] /var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d expands
>> to /var/log/radius/radacct/aaa.bbb.ccc.ddd/detail-20090819
>> [detail]        expand: %t -> Wed Aug 19 03:31:04 2009
>> ++[detail] returns ok
>> rlm_sql (sql): Reserving sql socket id: 1
>> [sqlippool]     expand: %{User-Name} -> testmaxm
>> [sqlippool] sql_set_user escaped user --> 'testmaxm'
>> [sqlippool]     expand: START TRANSACTION -> START TRANSACTION
>> rlm_sql_mysql: query:  START TRANSACTION
>> [sqlippool]     expand: UPDATE radippool  SET expiry_time = NOW() + INTERVAL
>> 3600 SECOND  WHERE nasipaddress = '%{Nas-IP-Address}' AND pool_key =
>> '%{NAS-Port}'  AND username = '%{User-Name}'  AND callingstationid =
>> '%{Calling-Station-Id}'  AND framedipaddress = '%{Framed-IP-Address}' ->
>> UPDATE radippool  SET expiry_time = NOW() + INTERVAL 3600 SECOND  WHERE
>> nasipaddress = 'aaa.bbb.ccc.ddd' AND pool_key = '1'  AND username =
>> 'testmaxm'  AND callingstationid = ''  AND framedipaddress = '192.168.0.29'
>> rlm_sql_mysql: query:  UPDATE radippool  SET expiry_time = NOW() + INTERVAL
>> 3600 SECOND  WHERE nasipaddress = 'aaa.bbb.ccc.ddd' AND pool_key = '1'  AND
>> username = 'testmaxm'  AND callingstationid = ''  AND framedipaddress =
>> '192.168.0.29'
>> [sqlippool]     expand: COMMIT -> COMMIT
>> rlm_sql_mysql: query:  COMMIT
>> rlm_sql (sql): Released sql socket id: 1
>> ++[sqlippool] returns ok
>> [sql]   expand: %{User-Name} -> testmaxm
>> [sql] sql_set_user escaped user --> 'testmaxm'
>> [sql]   expand: %{Acct-Input-Gigawords} ->
>> [sql]   expand: %{Acct-Input-Octets} -> 906612
>> [sql]   expand: %{Acct-Output-Gigawords} ->
>> [sql]   expand: %{Acct-Output-Octets} -> 37033544
>> [sql]   expand:            UPDATE radacct           SET
>> framedipaddress = '%{Framed-IP-Address}',              acctsessiontime     =
>> '%{Acct-Session-Time}',              acctinputoctets     =
>> '%{%{Acct-Input-Gigawords}:-0}'  << 32 |
>> '%{%{Acct-Input-Octets}:-0}',              acctoutputoctets    =
>> '%{%{Acct-Output-Gigawords}:-0}' << 32 |
>> '%{%{Acct-Output-Octets}:-0}'           WHERE acctsessionid =
>> '%{Acct-Session-Id}'           AND username        = '%{SQL-User-Name}'
>> AND nasipaddress    = '%{NAS-IP-Address}' ->            UPDATE radacct
>> SET              framedipaddress = '192.168.0.29',
>> acctsessiontime     = '600',              acctinputoctets     = '0'  << 32 |
>> '906612',              acctoutputoctets    = '0' << 32 |
>> '37033544'           WHERE acctsessionid = '4A8B6FA0721900'           AND
>> username        = 'testmaxm'
>> [sql]   expand: /var/log/radius/sqltrace.sql -> /var/log/radius/sqltrace.sql
>> rlm_sql (sql): Reserving sql socket id: 0
>> rlm_sql_mysql: query:             UPDATE radacct           SET
>> framedipaddress = '192.168.0.29',              acctsessiontime     = '600',
>> acctinputoctets     = '0'  << 32 |
>> '906612',              acctoutputoctets    = '0' << 32 |
>> '37033544'           WHERE acctsessionid = '4A8B6FA0721900'           AND
>> username        = 'testmaxm'           AND nasipaddress    =
>> 'aaa.bbb.ccc.ddd'
>> rlm_sql (sql): Released sql socket id: 0
>> ++[sql] returns ok
>> [attr_filter.accounting_response]       expand: %{User-Name} -> testmaxm
>>  attr_filter: Matched entry DEFAULT at line 12
>> ++[attr_filter.accounting_response] returns updated
>> Sending Accounting-Response of id 47 to aaa.bbb.ccc.ddd port 53637
>> Finished request 16.
>> Cleaning up request 16 ID 47 with timestamp +1965
>> Going to the next request
>> Ready to process requests.
>>
>>
>> Thx
>> Nev
>>
>> ================
>> CentOS 5.3
>> pptpd 1.3.4 / ppp 2.4.4
>> freeradius2 2.1.6
>> radiusclient-ng 0.5.6
>> daloRadius 0.9-8-SVN
>> ================
>>
>
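
The thread's conclusion is that a volume limit has to be checked against accounting data and enforced with a separate disconnect, because an Accounting-Response cannot carry Session-Timeout. The following is an added example, not part of the original thread and not FreeRADIUS code: it runs that check over Interim-Update records and emits the session-identifying attributes for a Disconnect-Request. It assumes the NAS accepts Disconnect-Request (RFC 5176); the function names and the record feed are hypothetical, and the sample values are taken from the debug output above.

```python
def total_octets(rec):
    """Bytes in + out for one accounting record.
    Acct-*-Gigawords counts wraps of the 32-bit octet counters, combined as
    gigawords << 32 | octets, like the radacct UPDATE in the debug output."""
    def side(name):
        giga = int(rec.get(f"Acct-{name}-Gigawords", 0))
        return (giga << 32) | int(rec.get(f"Acct-{name}-Octets", 0))
    return side("Input") + side("Output")

def sessions_over_quota(closed_usage, quotas, records):
    """Latest record of every open session whose user exceeds the quota.

    closed_usage: {user: bytes from sessions already stopped this month}
    quotas:       {user: Max-Monthly-Traffic in bytes}
    records:      accounting records in arrival order (hypothetical feed)
    """
    latest = {}
    for rec in records:
        if rec.get("Acct-Status-Type") == "Interim-Update":
            # Counters are cumulative per session: keep the newest, never sum.
            latest[(rec["User-Name"], rec["Acct-Session-Id"])] = rec
    used = dict(closed_usage)
    for (user, _sid), rec in latest.items():
        used[user] = used.get(user, 0) + total_octets(rec)
    return [rec for (user, _sid), rec in latest.items()
            if user in quotas and used[user] > quotas[user]]

def disconnect_attrs(rec):
    """Session-identifying pairs for a Disconnect-Request, one per line."""
    keys = ("User-Name", "Acct-Session-Id")
    return "\n".join(f'{k} = "{rec[k]}"' for k in keys)

# Constructed sample: the second record uses the counters from the debug
# output in the thread; the first is an invented earlier update.
SAMPLE = [
    {"Acct-Status-Type": "Interim-Update", "User-Name": "testmaxm",
     "Acct-Session-Id": "4A8B6FA0721900", "Acct-Session-Time": 300,
     "Acct-Input-Octets": 400000, "Acct-Output-Octets": 5000000},
    {"Acct-Status-Type": "Interim-Update", "User-Name": "testmaxm",
     "Acct-Session-Id": "4A8B6FA0721900", "Acct-Session-Time": 600,
     "Acct-Input-Octets": 906612, "Acct-Output-Octets": 37033544},
]

if __name__ == "__main__":
    for rec in sessions_over_quota({"testmaxm": 80411},
                                   {"testmaxm": 10490000}, SAMPLE):
        print(disconnect_attrs(rec))
```

The printed attribute = value lines are in the text form that radclient reads as input for its disconnect mode.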

