Freeradius-Users Digest, Vol 49, Issue 4

wlanmac wlan at mac.com
Mon May 4 07:46:53 CEST 2009


For what it's worth, CoovaChilli supports an option called 'acctupdate'
which will allow for "updated" provisioning attributes to be returned to
the NAS in accounting response. Yes, it's not very RFC compliant, but
certainly helpful when you don't have the ability to send CoA requests
to the NAS. 

David


On Mon, 2009-05-04 at 07:32 +0200,
freeradius-users-request at lists.freeradius.org wrote:
> Today's Topics:
> 
>    1. Re :checking authorization in the duration of connection (Eric)
>    2. Re: Re :checking authorization in the duration of connection
>       (??????? ????????)
>    3. Re: Re :checking authorization in the duration of connection
>       (Marinko Tarlac)
>    4. Re: Re :checking authorization in the duration of connection
>       (Ivan Kalik)
>    5. Re :checking authorization in the duration of connection (Eric)
>    6. Re: Re :checking authorization in the duration of connection
>       (Fajar A. Nugraha)
> 
> 
> ----------------------------------------------------------------------
> 
> Message: 1
> Date: Sun, 3 May 2009 14:39:11 +0430
> From: Eric <bbahar3 at gmail.com>
> Subject: Re :checking authorization in the duration of connection
> To: freeradius-users at lists.freeradius.org
> Message-ID:
> 	<38a27c8c0905030309u44457388u2e55f5f2c9a5b1b8 at mail.gmail.com>
> Content-Type: text/plain; charset="iso-8859-1"
> 
> NAS sends accounting update packets periodically. I want
> freeradius to use these updates,
> check my online users periodically and send a Disconnect packet if a
> user's traffic is above my
> limit.
> How can it do this?
> Any document about config?
> Eric wrote:
> 
> Hi,
> 
> My radius server uses an ldap server for authorization and authentication. I set an
> attribute in the ldap server that is the check-name in sqlcounter to limit users'
> Input traffic. I want the user to be stopped when the user's traffic reaches this
> amount, but radius checks ldap attributes only at the start of the
> connection, not in the middle. How can I set the radius server to check users'
> traffic against the amount of this attribute in the ldap server for the duration of
> the connection?
> 
> The radius server steps out of the way once authentication and authorization
> is complete, nor does it have the ability to disconnect a user from a NAS.
> You need to have the NAS disconnect the user itself when a threshold is
> reached. This is accomplished by returning a vendor specific attribute
> specifying the limit for the session which the NAS then maintains. Once the
> limit on the NAS is reached the NAS terminates the session. You'll have to
> check your NAS documentation for a traffic limiting parameter. In the other
> common case of disconnect after a time duration it's handled by computing
> the session length during authorization and returning attribute 194 with the
> maximum number of seconds for the connection. This attribute is understood
> by common NAS devices and is known variously as Ascend-Maximum-Time,
> Cisco-Maximum-Time
> or Lucent-Maximum-Time. You'll need to apply the same logic for data volume.
> 
> ------------------------------
> 
> Message: 2
> Date: Sun, 3 May 2009 14:30:45 +0400
> From: ??????? ???????? 	<voloshin at maks.net>
> Subject: Re: Re :checking authorization in the duration of connection
> To: "FreeRadius users mailing list"
> 	<freeradius-users at lists.freeradius.org>
> Message-ID: <0D2A1214D0D5412788725F2E2CD486E1 at Office.local>
> Content-Type: text/plain; charset="utf-8"
> 
> Radius and NAS can work in one way. Only NAS sends accounts packet to RADIUS. RADIUS CAN'T send packet to NAS server (if quota user traffic limit exceeded)!!!!!!!
>   List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
> 
> ------------------------------
> 
> Message: 3
> Date: Sun, 03 May 2009 13:05:20 +0200
> From: Marinko Tarlac <mangia81 at gmail.com>
> Subject: Re: Re :checking authorization in the duration of connection
> To: FreeRadius users mailing list
> 	<freeradius-users at lists.freeradius.org>
> Message-ID: <49FD7A70.3080700 at gmail.com>
> Content-Type: text/plain; charset=UTF-8; format=flowed
> 
> You'll need to check this during the connection process and you can send
> info to the NAS about the traffic limit (if your NAS supports this)
> 
> ??????? ???????? wrote:
> > Radius and NAS can work in one way. Only NAS sends accounts packet to
> > RADIUS. RADIUS CAN'T send packet to NAS server (if quota user traffic
> > limit exceeded)!!!!!!!
> 
> 
> 
> ------------------------------
> 
> Message: 4
> Date: Sun, 3 May 2009 21:03:26 +0100 (BST)
> From: "Ivan Kalik" <tnt at kalik.net>
> Subject: Re: Re :checking authorization in the duration of connection
> To: "FreeRadius users mailing list"
> 	<freeradius-users at lists.freeradius.org>
> Message-ID: <65393.87.194.16.13.1241381006.squirrel at webmail.kalik.net>
> Content-Type: text/plain;charset=utf-8
> 
> > NAS sends accounting update packets periodically. I want
> > freeradius to use these updates,
> > check my online users periodically and send a Disconnect packet if a
> > user's traffic is above my
> > limit.
> > How can it do this?
> 
> You can write your own module or program that will check your limit and, if
> the user is over, call radclient and send PoD to your NAS. You are sure that
> your NAS knows what to do with PoD?
> 
> > any document about config ?
> 
> No, because it's a very bad way of doing things.
> 
> There are far better (tried and tested) ways of enforcing limits using
> counters/sqlcounters at login time. If you use them, your user will not be
> able to go over the limit, as NAS will disconnect him (without any need
> for external PoD) when the limit is reached. And you don't need interim
> accounting packets.
> 
> Ivan Kalik
> Kalik Informatika ISP
> 
> 
> 
> ------------------------------
> 
> Message: 5
> Date: Mon, 4 May 2009 09:56:59 +0430
> From: Eric <bbahar3 at gmail.com>
> Subject: Re :checking authorization in the duration of connection
> To: freeradius-users at lists.freeradius.org
> Message-ID:
> 	<38a27c8c0905032226s18bdf7bpb67820910cb5a012 at mail.gmail.com>
> Content-Type: text/plain; charset="iso-8859-1"
> 
> I found this reply in freeradius mailing list in 2005:
> 
> " It's impossible to enforce *traffic* limiting *during* a users
> session.  So if a user is a tiny bit below their limit and logs in
> again, they can go over their limit.  The server will only catch &
> enforce their limit on the next login.
>   This has been discussed multiple times on the list over the past 5
> years."
> 
> Is this possible now in new versions ?
> 
> ------------------------------
> 
> Message: 6
> Date: Mon, 4 May 2009 12:31:52 +0700
> From: "Fajar A. Nugraha" <fajar at fajar.net>
> Subject: Re: Re :checking authorization in the duration of connection
> To: FreeRadius users mailing list
> 	<freeradius-users at lists.freeradius.org>
> Message-ID:
> 	<7207d96f0905032231j3953f38er480e828182a46663 at mail.gmail.com>
> Content-Type: text/plain; charset=ISO-8859-1
> 
> On Mon, May 4, 2009 at 12:26 PM, Eric <bbahar3 at gmail.com> wrote:
> > I found this reply in freeradius mailing list in 2005:
> >
> > " It's impossible to enforce traffic limiting *during* a users
> > session.  So if a user is a tiny bit below their limit and logs in
> > again, they can go over their limit.  The server will only catch &
> > enforce their limit on the next login.
> >   This has been discussed multiple times on the list over the past 5
> > years."
> >
> > Is this possible now in new versions ?
> 
> POSSIBLE, yes. See Ivan's response. The prerequisite is that the NAS
> supports Packet of Disconnect (POD).
> Is it recommended? No.
> 
> Regards,
> 
> Fajar
> 
> 
> 
> ------------------------------
> 
> End of Freeradius-Users Digest, Vol 49, Issue 4
> ***********************************************
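
The approach described in Message 4 (check the limit against interim accounting updates, then have radclient send a PoD), sketched as an added example that is not from any poster in this thread. The record layout, the `used_before` store and all sample values are assumptions; the only thing taken from RADIUS itself is that Acct-Input-Octets is a 32-bit counter and Acct-Input-Gigawords counts its wraps, which a quota check has to combine.

```python
from dataclasses import dataclass

GIGAWORD = 2 ** 32  # Acct-Input-Octets wraps here; Acct-Input-Gigawords counts wraps

@dataclass
class Interim:
    """One Interim-Update accounting record (hypothetical layout)."""
    user: str
    session_id: str
    nas_ip: str
    input_octets: int
    input_gigawords: int = 0

def session_octets(rec):
    """Full input byte count for the session, including counter wraps."""
    return rec.input_gigawords * GIGAWORD + rec.input_octets

def over_quota(records, quota, used_before):
    """Return the open sessions whose user is over quota[user] (bytes).

    used_before[user] is usage from already closed sessions (hypothetical
    store; an accounting table would fill this role).
    """
    latest = {}
    for rec in records:              # a later update supersedes an earlier one
        latest[rec.session_id] = rec
    totals = dict(used_before)
    for rec in latest.values():
        totals[rec.user] = totals.get(rec.user, 0) + session_octets(rec)
    return [r for r in latest.values() if totals[r.user] > quota[r.user]]

def disconnect_attrs(rec):
    """Attribute list for radclient's stdin when sending a Disconnect-Request."""
    return (f'User-Name = "{rec.user}", '
            f'Acct-Session-Id = "{rec.session_id}", '
            f'NAS-IP-Address = {rec.nas_ip}')

# Constructed sample data, not taken from the thread.
SAMPLE = [
    Interim("alice", "s1", "192.0.2.10", 900_000_000),
    Interim("alice", "s1", "192.0.2.10", 200_000_000, input_gigawords=1),
    Interim("bob", "s2", "192.0.2.10", 50_000_000),
]
QUOTA = {"alice": 4_000_000_000, "bob": 1_000_000_000}
USED = {"alice": 0, "bob": 900_000_000}

if __name__ == "__main__":
    for hit in over_quota(SAMPLE, QUOTA, USED):
        print(disconnect_attrs(hit))
```

The printed line is what would be piped to `radclient <nas>:<port> disconnect <secret>`. The check only runs when an interim update arrives, so a session can still overshoot by up to one update interval, which is why the replies above prefer having the NAS enforce a limit handed out at login.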



