Freeradius and WiMAX Access Point
I shall not name the vendor name here. I just got some info from the vendor that the WiMAX Access Point does not do 'interim accounting', 'acctupdate' and so on. Only thing possible right now is authenticate and start/stop accounting. That being the case, I wonder how one implement stuff like fair-use policy on a WiMAX user ? If the radius server does not get interim accounting, the way the users is going to "cheat" is just to power off the device at the end of his usage !!! Am I missing something here ? The way I see it is that if one have to implement a more intelligent authentication and accounting, for WiMAX, one has to put a box, either as a bridge or as a router in front of the APs, where all the data path goes through the box. And that box will create session information and accounting on behalf of the APs. If one has to introduce this box, using Linux solutions, what would be the right way to do this, so that the traffic accounting can be done on each APs ? ( iptables or Coova chilli comes to my mind ). How does the commercial solutions work ? Anyone care to share his knowledge on this ? Once again thanks for reading and best regards. Ming-Ching
Ming-Ching Tiew wrote:
I shall not name the vendor name here. I just got some info from the vendor that the WiMAX Access Point does not do 'interim accounting', 'acctupdate' and so on. Only thing possible right now is authenticate and start/stop accounting.
That's not nice. Why would they do that?
That being the case, I wonder how one implement stuff like fair-use policy on a WiMAX user ? If the radius server does not get interim accounting, the way the users is going to "cheat" is just to power off the device at the end of his usage !!!
The ASN GW will still generate an accounting stop packet in that case. Or it *should*. If it doesn't, return it to the vendor as "horribly broken".
Am I missing something here ?
I think there's a need for a RADIUS validation test suite. The vendor should be able to state that they comply with the test suite. When that happens, you can buy equipment that *works*. In fact, I'm working on a test suite right now. It doesn't include a test for this case, but it's on the "to do" list.
The way I see it is that if one have to implement a more intelligent authentication and accounting, for WiMAX, one has to put a box, either as a bridge or as a router in front of the APs, where all the data path goes through the box. And that box will create session information and accounting on behalf of the APs.
Yes.
If one has to introduce this box, using Linux solutions, what would be the right way to do this, so that the traffic accounting can be done on each APs ?
I'm not sure. I haven't spent much time looking into such a solution. IPtables, and a "cron" job might work. However, it would *also* need to snoop the RADIUS traffic, in order to get Accounting-Session-Id attributes correct.
How does the commercial solutions work ? Anyone care to share his knowledge on this ?
Most WiMAX vendors support RADIUS. So the market for this "snooping" box is pretty small. Alan DeKok.
I shall not name the vendor name here. I just got some info from the vendor that the WiMAX Access Point does not do 'interim accounting', 'acctupdate' and so on. Only thing possible right now is authenticate and start/stop accounting.
That's pathetic. You should name them and shame them.
That being the case, I wonder how one implement stuff like fair-use policy on a WiMAX user ? If the radius server does not get interim accounting, the way the users is going to "cheat" is just to power off the device at the end of his usage !!!
Am I missing something here ?
Yes, you are. AP should still send an accounting Stop packet when it discoveres that user has gone (they should be able to detect that even without user logging off). Problem are going to be open sessions (when no Stop packet is sent to radius) - APs tend to leave quite a few of those. You will have to delete those sessions, so they will be free to the user. Ivan Kalik Kalik Informatika ISP
participants (3)
-
Alan DeKok -
Ivan Kalik -
Ming-Ching Tiew