rlm_sqlcounter and something else than Session-Timeout
Currently rlm_sqlcounter sums all the session time used by a user, via a MySQL query (summing all the AcctSessionTime) and returns a coresponding Session-Timeout reply to the nas. Now, in my application, I limit users by bytes transfered, so I need to sum AcctInputOctets and AcctOutputOctets, compare that sum to a check attribute (let's call it Max-All-Transfer) and return a coresponding ChilliSpot-Max-Total-Octets. I beleive this is not configurable in rlm_sqlcounter? I could try to make a patch if someone is willing to help me and guide me a bit. -- damjan | дамјан This is my jabber ID --> damjan@bagra.net.mk <-- not my mail address!!!
Damjan wrote:
I limit users by bytes transfered, so I need to sum AcctInputOctets and AcctOutputOctets, compare that sum to a check attribute (let's call it Max-All-Transfer) and return a coresponding ChilliSpot-Max-Total-Octets.
I beleive this is not configurable in rlm_sqlcounter?
Indeed.
I could try to make a patch if someone is willing to help me and guide me a bit.
I'd suggest to make the reply attribute user-defined (like the check attribute). You might add an option "reply-name" with "Session-Timeout" as the default value, so it doesn't break someone else's setup. -- Nicolas Baradakis
I think he wants "Session-Octets-Limit" to be sent back for limiting traffic passed thru for each user. I've changed the plain counter module so it sends back my attribute ;), and I think this could be done for sqlcounter as well. I really don't know why everybody is telling that such config would be impossible. It worked for me, so do I have to write a patch that would allow users to switch between time and traffic accounting/limiting in sqlcounter module, or could the professionals do that ? Nicolas - the reply-name option is used for what? For sending back the value in an specific attribute? Couldn't this be used for Damjan's purpose then? Regards, Edvin -----Original Message----- From: freeradius-users-bounces@lists.freeradius.org [mailto:freeradius-users-bounces@lists.freeradius.org] On Behalf Of Nicolas Baradakis Sent: Dienstag, 20. Dezember 2005 11:48 To: FreeRadius users mailing list Subject: Re: rlm_sqlcounter and something else than Session-Timeout Damjan wrote:
I limit users by bytes transfered, so I need to sum AcctInputOctets and AcctOutputOctets, compare that sum to a check attribute (let's call it Max-All-Transfer) and return a coresponding ChilliSpot-Max-Total-Octets.
I beleive this is not configurable in rlm_sqlcounter?
Indeed.
I could try to make a patch if someone is willing to help me and guide me a bit.
I'd suggest to make the reply attribute user-defined (like the check attribute). You might add an option "reply-name" with "Session-Timeout" as the default value, so it doesn't break someone else's setup. -- Nicolas Baradakis - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Seferovic Edvin wrote:
I think he wants "Session-Octets-Limit" to be sent back for limiting traffic passed thru for each user. I've changed the plain counter module so it sends back my attribute ;), and I think this could be done for sqlcounter as well.
Are you using version 1.0.5 or a CVS snapshot? I just looked at rlm_counter for the first time: there is an option "return-attribute" in CVS head for that purpose, but it doesn't exist in rlm_sqlcounter. If you're using 1.0.5, I don't know how you manage to return the value in Session-Octets-Limit. As to my understanding of rlm_counter.c, the reply attribute is hard-coded to Session-Timeout.
Nicolas - the reply-name option is used for what? For sending back the value in an specific attribute? Couldn't this be used for Damjan's purpose then?
I think we need such an option to configure either time or traffic counters. And perhaps "reply-attribute" would be a better name than "reply-name". Nicolas Baradakis -- A: Yes.
Q: Are you sure?
A: Because it reverses the logical flow of conversation.
Q: Why is top posting annoying in email?
"Seferovic Edvin" <edvin.seferovic@kolp.at> wrote:
I really don't know why everybody is telling that such config would be impossible.
It's impossible to enforce traffic limiting *during* a users session. So if a user is a tiny bit below their limit and logs in again, they can go over their limit. The server will only catch & enforce their limit on the next login. This has been discussed multiple times on the list over the past 5 years.
It worked for me, so do I have to write a patch that would allow users to switch between time and traffic accounting/limiting in sqlcounter module, or could the professionals do that ?
If you know what you want, write a patch, and we'll review it. Alan DeKok.
Alan DeKok wrote:
"Seferovic Edvin" <edvin.seferovic@kolp.at> wrote:
I really don't know why everybody is telling that such config would be impossible.
It's impossible to enforce traffic limiting *during* a users session. So if a user is a tiny bit below their limit and logs in again, they can go over their limit. The server will only catch & enforce their limit on the next login.
This has been discussed multiple times on the list over the past 5 years.
Well in theory, one can write an exec-program or such, call it during accounting, and if appropriate disconnect the user utilizing something like telnet scripts, snmp, radius packet of disconnect and so on so forth.
-----Original Message----- From: aland@nitros9.org [mailto:aland@nitros9.org] On Behalf Of Alan DeKok Sent: Dienstag, 20. Dezember 2005 17:30 To: edvin.seferovic@kolp.at; FreeRadius users mailing list Subject: Re: rlm_sqlcounter and something else than Session-Timeout
"Seferovic Edvin" <edvin.seferovic@kolp.at> wrote: I really don't know why everybody is telling that such config would be impossible.
It's impossible to enforce traffic limiting *during* a users session. So if a user is a tiny bit below their limit and logs in again, they can go over their limit. The server will only catch & enforce their limit on the next login.
I do NOT want to limit or change the limit during a session. I just want to limit it for a session ( confusing - huh )! Consider following: 1. User start to log in by using PPTP or PPPOE ( my cases ) 2. sqlcounter sums up the used traffic, and makes substracts it from a limit defined 3. freeradius returns Session-Octets-Limit with the value from sqlcounter which is the actual limitation. Freeradius should also return Session-Octet-Direction because the traffic limitation AFAIK a feature of PPP and PPP needs to know if it should monitor upload, download, or use the limit for max(upload+download). 4. the server running pptp, or pppoe gets the limit and sets the value for the users current session. 5. if user reaches the limit, his connection is terminated ( I've seen logs and this works ;) ). If he tries to log again, he won't be allowed because sqlcounter will provide 0 or negative value. 6. if user terminates his connection before reaching the limit, the accounting data will be passed to sql. By the time he wants to connect again, we will have the same game over. The catch is - PPP always lets user have "a little bit" more than the limit actually is ( 10kB sometimes ), so the sqlcounter won't have to return values like 2 or 5 bytes as a limit because the user will be "way over" quota. I will have to dig into PPP implementation to see how this works actually. The next catch is - simultaneous logins - NO WAY ! here comes the impossible part. You cannot limit traffic for 2 simultaneous connections - reason : the session limit is only passed once to the service which uses freeradius AAA features and it is not sent every few seconds or so. THERE IS MORE ....
This has been discussed multiple times on the list over the past 5 years.
It worked for me, so do I have to write a patch that would allow users to switch between time and traffic accounting/limiting in sqlcounter module, or could the professionals do that ?
If you know what you want, write a patch, and we'll review it.
Alan DeKok.
Alan, I think you are far more better programmer then I am. It shouldn't be a big trouble to allow another config parameter for sqlcounter. This one could be named "Reply-Attribute" and people could use to enter "Session-Timeout" or "Session-Octets-Limit" depending on their need and usage of freeradius. I know that this is not a perfect or even a good solution, because it is not a limitation in real-time, but considering many systems ( like smaller ISP use ) this solution is even more then enough for their needs. Regards, Edvin Seferovic
Seferovic Edvin wrote:
If you know what you want, write a patch, and we'll review it.
Alan DeKok.
Alan, I think you are far more better programmer then I am. It shouldn't be a big trouble to allow another config parameter for sqlcounter. This one could be named "Reply-Attribute" and people could use to enter "Session-Timeout" or "Session-Octets-Limit" depending on their need and usage of freeradius.
If I need a feature in a free software package that isn't there, I sponsor it if I can't wait till it *might* get done one day. Suggest you take the same approach. -- Lewis Bergman Texas Communications 4309 Maple St. Abilene, TX 79602-8044 Off. 325-691-1301 Cell 325-439-0533 fax 325-695-6841
I really don't know why everybody is telling that such config would be impossible.
It's impossible to enforce traffic limiting *during* a users session. So if a user is a tiny bit below their limit and logs in again, they can go over their limit. The server will only catch & enforce their limit on the next login.
It is possible, but that depends on your NAS equipment. Chillispot will use the radius reply attribute ChilliSpot-Max-Total-Octets to specify how much octets the user is allowed to transfer. Once the user passes the limit he is deauthenticated and his session ends. -- damjan | дамјан This is my jabber ID --> damjan@bagra.net.mk <-- not my mail address!!!
It's impossible to enforce traffic limiting *during* a users session. So if a user is a tiny bit below their limit and logs in again, they can go over their limit. The server will only catch & enforce their limit on the next login.
It is possible, but that depends on your NAS equipment.
Chillispot will use the radius reply attribute ChilliSpot-Max-Total-Octets to specify how much octets the user is allowed to transfer. Once the user passes the limit he is deauthenticated and his session ends.
BTW. Chillispot (free software) also supports ChilliSpot-Max-Input-Octets and ChilliSpot-Max-Output-Octets atributes, if you want to separatelly limit the traffic. All the radius attributes Chillispot supports are documented here: http://www.chillispot.org/features.html#mozTocId36714 -- damjan | дамјан This is my jabber ID --> damjan@bagra.net.mk <-- not my mail address!!!
participants (6)
-
Alan DeKok -
Damjan -
Joe Maimon -
Lewis Bergman -
Nicolas Baradakis -
Seferovic Edvin