Deny internet access to delinquent accounts

Alexander Clouter alex at digriz.org.uk
Mon Dec 28 20:07:03 CET 2009


19bab79 <bryanb at awsllc.net> wrote:
> 
> I have never used the freeradius software before, but it looked like a
> possible fit for my needs. I work for an ISP and we are looking for a way to
> block internet access for people with delinquent accounts, and redirect them
> to a page to allow them to pay their bill. I plan on using this software
> with pfsense.
>
This is *not* a FreeRADIUS problem, this is a problem where the solution 
could use FreeRADIUS that *could* make up part of it however the 
*tricky* part is going to be:
 * what medium does your xDSL/dialup/cups-n-string come over 
	(L2TP, Ethernet, etc?)
 * what do you terminate the connections on
 * what routing facilities do you have available to you
 * what firewalling facilities do you have
 * what DNS facilities do you have (you do *not* want to use 
	destination NAT if you can avoid it)
 
From what you have told me, I am pretty sure there is no need for 
FreeRADIUS to be part of the solution....but then of course you have 
given no details.

> Can anyone give me any info on how to set this up. I have checked out google
> looking for tutorials but have had no luck. I am really just looking for
> some good documentation. I can hopefully work everything out from there. Any
> help or advice is greatly appreciated.
> 
This is not something where a 'tutorial' will exist.  Either you know 
it, or you do not I am afraid.  In the world of IT there is no shame in 
admitting "nope, I have no idea, we are going to have to find a good 
*and* respectable consultant".  A worthwhile investment.

At $ORK[-1], about six years ago, I worked at an ISP and when we 
deployed this type of system it was worth more than its weight in gold 
as:
 * customers know they have to pay before they can continue
 * customers can 'self help' themselves with the payment
 * they do not need to speak to you or the helldesk

Although a consultant will cost you money, you will *very* quickly make 
it back in the support/billing/*stress* savings that you make.

The solution to make this work is to make the transition *instant* to a 
working connection without delay/reconnection once payment is made 
(hint: source based routing).

Once this is in place, it is trivial to add very similar functionality 
that lets you disable users, let them clean patch/update their box.

So...go get a consultant and do not be ashamed of doing so, but make 
sure you learn from them *how* and *why* it works so you know how to do 
it next time, and fix it. :)

Your problem is in working out a solution that works with your 
*networking* infrastructure, not how to get FreeRADIUS (if it is even 
needed) to do 'something' that could help out.

Cheers

-- 
Alexander Clouter
.sigmonster says: Memories of you remind me of you.
                  		-- Karl Lehenbauer



