rlm_sqlcounter and something else than Session-Timeout

Seferovic Edvin edvin.seferovic at kolp.at
Tue Dec 20 19:30:24 CET 2005



-----Original Message-----
From: aland at nitros9.org [mailto:aland at nitros9.org] On Behalf Of Alan DeKok
Sent: Tuesday, 20 December 2005 17:30
To: edvin.seferovic at kolp.at; FreeRadius users mailing list
Subject: Re: rlm_sqlcounter and something else than Session-Timeout 

>>"Seferovic Edvin" <edvin.seferovic at kolp.at> wrote:
>> I really don't know why everybody is saying that such a config would be
>> impossible.
>
>  It's impossible to enforce traffic limiting *during* a user's
> session.  So if a user is a tiny bit below their limit and logs in
> again, they can go over their limit.  The server will only catch &
> enforce their limit on the next login.
>

I do NOT want to limit or change the limit during a session. I just want to
limit it for a session ( confusing - huh )! Consider the following:

1. User starts to log in by using PPTP or PPPOE ( my cases )

2. sqlcounter sums up the used traffic, and subtracts it from a defined
limit

3. freeradius returns Session-Octets-Limit with the value from sqlcounter
which is the actual limitation. Freeradius should also return
Session-Octet-Direction because the traffic limitation is AFAIK a feature of
PPP and PPP needs to know if it should monitor upload, download, or use the
limit for max(upload+download).
 
4. the server running pptp, or pppoe gets the limit and sets the value for
the users current session. 

5. if user reaches the limit, his connection is terminated ( I've seen logs
and this works ;) ). If he tries to log in again, he won't be allowed because
sqlcounter will provide 0 or negative value.

6. if user terminates his connection before reaching the limit, the
accounting data will be passed to sql. By the time he wants to connect
again, we will have the same game over. 

The catch is - PPP always lets user have "a little bit" more than the limit
actually is ( 10kB sometimes ), so the sqlcounter won't have to return
values like 2 or 5 bytes as a limit because the user will be "way over"
quota. I will have to dig into PPP implementation to see how this works
actually.

The next catch is - simultaneous logins - NO WAY ! here comes the impossible
part. You cannot limit traffic for 2 simultaneous connections - reason : the
session limit is only passed once to the service which uses freeradius AAA
features and it is not sent every few seconds or so.

THERE IS MORE .... 
  
>  This has been discussed multiple times on the list over the past 5
> years.
>
>> It worked for me, so do I have to write a patch that would allow
>> users to switch between time and traffic accounting/limiting in
>> sqlcounter module, or could the professionals do that ?
>
>  If you know what you want, write a patch, and we'll review it.
>
>  Alan DeKok.

Alan, I think you are a far better programmer than I am. It shouldn't be
a big trouble to allow another config parameter for sqlcounter. This one
could be named "Reply-Attribute" and people could use it to enter
"Session-Timeout" or "Session-Octets-Limit" depending on their need and
usage of freeradius.

I know that this is not a perfect or even a good solution, because it is not
a limitation in real-time, but considering many systems ( like smaller ISPs
use ) this solution is even more than enough for their needs.

Regards,

Edvin Seferovic
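
The login-time check described in steps 1 to 6 above, as an added example that is not part of the original message or of FreeRADIUS: a Python simulation against a constructed in-memory accounting table, including the simultaneous-login case where both sessions receive the same grant. The table layout, the 1,000,000-byte quota, the user name and the function names are assumptions; Session-Octet-Direction is left out because the message gives no values for it.

```python
import sqlite3

LIMIT = 1_000_000  # constructed per-user quota in bytes (assumption)

def make_db():
    """Constructed accounting table; only the columns this check needs."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE radacct (username TEXT, "
               "acctinputoctets INTEGER, acctoutputoctets INTEGER)")
    return db

def remaining(db, user, limit=LIMIT):
    """Step 2: sum the traffic already accounted and subtract it from the limit."""
    (used,) = db.execute(
        "SELECT COALESCE(SUM(acctinputoctets + acctoutputoctets), 0) "
        "FROM radacct WHERE username = ?", (user,)).fetchone()
    return limit - used

def authorize(db, user, limit=LIMIT):
    """Steps 3 and 5: hand out what is left, or refuse at zero or below."""
    left = remaining(db, user, limit)
    if left <= 0:
        return ("Access-Reject", {})
    return ("Access-Accept", {"Session-Octets-Limit": left})

def account_stop(db, user, in_octets, out_octets):
    """Step 6: usage reaches SQL only when the session ends."""
    db.execute("INSERT INTO radacct VALUES (?, ?, ?)",
               (user, in_octets, out_octets))

def demo():
    db = make_db()
    first = authorize(db, "alice")              # nothing used yet: full quota
    account_stop(db, "alice", 100_000, 500_000)
    second = authorize(db, "alice")             # 400,000 bytes left
    # Simultaneous login: the second session is still open, so nothing new
    # has been accounted and the same 400,000 bytes are granted again.
    third = authorize(db, "alice")
    # Both sessions run to their grant; one overshoots by 10 kB, as PPP may.
    account_stop(db, "alice", 0, 410_000)
    account_stop(db, "alice", 0, 400_000)
    fourth = authorize(db, "alice")             # now over quota: rejected
    return first, second, third, fourth, remaining(db, "alice")

if __name__ == "__main__":
    for result in demo():
        print(result)
```
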



