Yeah, I found a method to do this. It involves configuring your NAS to reauthenticate the user every 20 minutes or so (I use OpenVPN with a NAS plugin, it does key renegotiation every 20 minutes so this is ideal for me), and using a Perl script with rlm_perl to do your own calculations. Read below to see how to make it work with a NAS that doesn't periodically renegotiate, and supports Packet of Disconnection.

My Perl script does a query to find the bytes used for each user (I also specify date/time requirements, but this isn't shown here):

SELECT SUM(inputoctets + outputoctets) FROM radacct WHERE username='$username'';

Then you can make it compare it with the user's user-group attribute, eg:

$result = SELECT SUM(inputoctets + outputoctets) FROM radacct WHERE username='$username'';
$bytesused = $result[0];

if ($check['user-group' == "heavyusers")
{
   # give the user full speed service if their byte usage is below 100GB
  if $bytesused < 100000000
   {
   return AUTH_OK;
   }
   else
   {
   return AUTH_REJECT;
   }
}

...and repeat as neccassary. (note, this is off the top of my head with no reference to the rlm_perl script I use, so some values will likely be fuzzy or outright wrong)

This way, I didn't have to hack around with complicated, awkward modules in FreeRADIUS - all I needed to do was move the functionality and decisionmaking logic to Perl. This saved me -days- of work, and is very flexible.

It all depends on what methods you have to enforce user disconnection: I was lucky enough to be able to ask for the creator of the OpenVPN plugin to add an 'reauthenticate every 20 minutes' option, which if it failed, booted the user off the NAS. Read your NAS documentation: specifically, look for if/when it reauthenticates, and if it supports Packet-Of-Disconnection. If it does support PoD, then you can easily add this functionality to the Perl script that runs on accounting, and it'll work just fine without periodic reauthentications.

Hope this helps!

Jan
On 19/05/07, Trio Yulistianto <trioy99@gmail.com> wrote:
so.. its mean that freeradius not yet supporting about this limit ?
so i have to ask mikrotik ?

2007/5/18, tnt@kalik.co.yu < tnt@kalik.co.yu>:
With a bit of gymnastics it can be done. You can run an outside program
on accounting updates checking Octet total - if it goes over the limit
it can send PoD (if Mikrotik supports this). But is it worth it? How
much over the limit can they go in one session (you are setting a
monthly limit)? Think about limiting sessions with Session-Timeout as
well.

Or "simply" ask Mikrotik to introduce Mikrotik-Total-Limit VSA. If
enough people request it ...

Ivan Kalik
Kalik Informatika ISP

Dana 18/5/2007, "Trio Yulistianto" < trioy99@gmail.com> piše:

>yupes you are right... it can't stop user from going over the limit,
>but i need to kick while the limit reached as time session...
>any body success with this ? please tell me how
>

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html