Freeradius and WiMAX Access Point

[Alan DeKok]

Ming-Ching Tiew wrote:
> I shall not name the vendor name here. I just got some info from the 
> vendor that the WiMAX Access Point does not do 'interim accounting',
> 'acctupdate' and so on. Only thing possible right now is authenticate
> and start/stop accounting.

  That's not nice.  Why would they do that?

> That being the case, I wonder how one implement stuff like fair-use 
> policy on a WiMAX user ? If the radius server does not get interim
> accounting, the way the users is going to "cheat" is just to power
> off the device at the end of his usage !!!

  The ASN GW will still generate an accounting stop packet in that case.
  Or it *should*.  If it doesn't, return it to the vendor as "horribly
broken".

> Am I missing something here ?

  I think there's a need for a RADIUS validation test suite.  The vendor
should be able to state that they comply with the test suite.  When that
happens, you can buy equipment that *works*.

  In fact, I'm working on a test suite right now.  It doesn't include a
test for this case, but it's on the "to do" list.

> The way I see it is that if one have to implement a more intelligent
> authentication and accounting, for WiMAX, one has to put a box, 
> either as a bridge or as a router in front of the APs, where all the 
> data path goes through the box. And that box will create 
> session information and accounting on behalf of the APs. 

  Yes.

> If one has to introduce this box, using Linux solutions,
> what would be the right way to do this, so that the
> traffic accounting can be done on each APs ? 

  I'm not sure.  I haven't spent much time looking into such a solution.
 IPtables, and a "cron" job might work.  However, it would *also* need
to snoop the RADIUS traffic, in order to get Accounting-Session-Id
attributes correct.

> How does the commercial solutions work ? Anyone care to 
> share his knowledge on this ?

  Most WiMAX vendors support RADIUS.  So the market for this "snooping"
box is pretty small.

  Alan DeKok.