Re: Freeradius-Users Digest, Vol 49, Issue 4
For what it's worth, CoovaChilli supports an option called 'acctupdate' which will allow for "updated" provisioning attributes to be returned to the NAS in accounting response. Yes, it's not very RFC compliant, but certainly helpful when you don't have the ability to send CoA requests to the NAS. David On Mon, 2009-05-04 at 07:32 +0200, freeradius-users-request@lists.freeradius.org wrote:
Send Freeradius-Users mailing list submissions to freeradius-users@lists.freeradius.org
To subscribe or unsubscribe via the World Wide Web, visit http://lists.freeradius.org/mailman/listinfo/freeradius-users or, via email, send a message with subject or body 'help' to freeradius-users-request@lists.freeradius.org
You can reach the person managing the list at freeradius-users-owner@lists.freeradius.org
When replying, please edit your Subject line so it is more specific than "Re: Contents of Freeradius-Users digest..."
Today's Topics:
1. Re :checking authorization in the duration of connection (Eric) 2. Re: Re :checking authorization in the duration of connection (??????? ????????) 3. Re: Re :checking authorization in the duration of connection (Marinko Tarlac) 4. Re: Re :checking authorization in the duration of connection (Ivan Kalik) 5. Re :checking authorization in the duration of connection (Eric) 6. Re: Re :checking authorization in the duration of connection (Fajar A. Nugraha)
----------------------------------------------------------------------
Message: 1 Date: Sun, 3 May 2009 14:39:11 +0430 From: Eric <bbahar3@gmail.com> Subject: Re :checking authorization in the duration of connection To: freeradius-users@lists.freeradius.org Message-ID: <38a27c8c0905030309u44457388u2e55f5f2c9a5b1b8@mail.gmail.com> Content-Type: text/plain; charset="iso-8859-1"
NAS sends accounting update packets in periodic times. I want freeradius use this updates and check my online users periodically and send Disconnect packet if user's traffic is above my limit. How can it do this? any document about config ? Eric wrote:
Hi,
My radius server use ldap server for authorize and authentication.I set an attribute in ldap server that is the check-name in sqlcounter to limit users Input traffic. I want when user traffic reaches to this amount the user become stop but radius checks ldap attributes only at the first of connection not in the middle. How can I set radius server check users traffic with the amount of this attribute in ldap server in the duration of connection?
The radius server steps out of the way once authentication and authorization is complete, nor does it have the ability to disconnect a user from a NAS. You need to have the NAS disconnect the user itself when a threshold is reached. This is accomplished by returning a vendor specific attribute specifying the limit for the session which the NAS then maintains. Once the limit on the NAS is reached the NAS terminates the session. You'll have to check your NAS documentation for a traffic limiting parameter. In the other common case of disconnect after a time duration it's handled by computing the session length during authorization and returning attribute 194 with the maximum number of seconds for the connection. This attribute is understood by comon NAS devices and is known variously as Ascend-Maximum-Time, Cisco-Maximum-Time or Lucent-Maximum-Time. You'll need to apply the same logic for data volume.
wlanmac wrote:
For what it's worth, CoovaChilli supports an option called 'acctupdate' which will allow for "updated" provisioning attributes to be returned to the NAS in accounting response. Yes, it's not very RFC compliant, but certainly helpful when you don't have the ability to send CoA requests to the NAS.
It's not actually forbidden by the RFC's, or by the (new) RADIUS design guidelines document. It's not a bad idea, quite frankly. Alan DeKok.
Alan DeKok wrote:
wlanmac wrote:
For what it's worth, CoovaChilli supports an option called 'acctupdate' which will allow for "updated" provisioning attributes to be returned to the NAS in accounting response. Yes, it's not very RFC compliant, but certainly helpful when you don't have the ability to send CoA requests to the NAS.
It's not actually forbidden by the RFC's, or by the (new) RADIUS design guidelines document. It's not a bad idea, quite frankly.
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
I for one use it quite extensively, and it works very well! Without it you cannot safely allow dual logins. (e.g. if a user with 100MB left, logs in twice at the same time, he will get 200MB) -- Johan Meiring Cape PC Services CC Tel: (021) 883-8271 Fax: (021) 886-7782
participants (3)
-
Alan DeKok -
Johan Meiring -
wlanmac