Help with executing accounting!
Tim Sylvester
tim.sylvester at networkradius.com
Sat Mar 27 21:03:35 CET 2010
Mohamed,
Your description of the IPOQUE device and how it works is very strange. I
was not able to find any usefully documentation on the IPOQUE device but
here is what I think it is trying to do in a service provider network.
Assume the service provider network uses DSL, 3G wireless, 802.11, etc.
Users connect to the network via the NAS which could be a BRAS, GGSN,
wireless AP, etc. The NAS sends an access request to the RADIUS server to
authenticate the user. All user traffic going to the Internet goes through
the IPOQUE device. The service provider wants to the IPOQUE device to manage
traffic based on user or groups of users. Devices on the network are
dynamically assigned an IP address. So, the IPOQUE device needs to map the
IP address to the user, group of user and their bandwidth management
"policy". The NAS is configured to send RADIUS accounting packets to the
RADIUS server. The RADIUS server is configured to add the IPOQUE attributes
to the accounting request and proxy the request to the IPOQUE device. When
the IPOQUE device receives the Accounting Start packet, it uses the
information in the packet to map the IP address (Framed-IP-Address
attribute) to the IPOQUE bandwidth management policy (ipoque-class
attribute). The bandwidth management policy would then be applied to all
traffic from that particular user/IP address.
What type of network is your customer running (DSL, 3G, 802.11, etc.)? Do
they authenticate user access to the network using a NAS which then contacts
the RADIUS server? Is the IPOQUE device transparent to the user or does the
IPOQUE device require users to authenticate themselves via a web page or
some other mechanism?
Tim
From:
freeradius-users-bounces+tim.sylvester=networkradius.com at lists.freeradius.or
g
[mailto:freeradius-users-bounces+tim.sylvester=networkradius.com at lists.freer
adius.org] On Behalf Of Mohamed Abdulla
Sent: Saturday, March 27, 2010 3:26 AM
To: freeradius-users at lists.freeradius.org
Subject: Help with executing accounting!
Hi All,
I am new to using freeradius. I am in the process of integrating freeradius
with "ipoque", which is a bandwidth control device. IPOQUE expects to see an
accounting request from the radius server with specific attributes embedded,
in order to control the bandwidth of the logged-in user. The scenario I am
trying to realize is as follows:
1. For each user wishing to authenticate with freeradius, I have added
two attributes in "users.conf" file. The first attribute is
"Framed-IP-Address", while the second is a VSA "ipoque-class".
2. When the user successfully authenticate with the freeradius, and
after the freeradius sends Access-Accept, I want the radclient.exe to
automatically send Accounting request to ipoque, including the following:
User-Name, Framed-IP-Address, Accounting-Status-Type= Start and ipoque-class
as configured in users.conf file. This should inform ipoque device about the
user IP and the class of that user in order to apply th proper bandwidth
rules for that user category.
I have started by creating a test user in users.conf as follows:
shafzeen Auth-Type := Local, User-Password == "1234"
Framed-IP-Address = "192.168.1.12",
ipoque-class = "raduser"
then I created a text file named "ipoquestart.txt" with the following
content:
User-Name = "%{User-Name}",
Framed-IP-Address = "%{reply:Framed-IP-Address}",
Acct-Status-Type = Start,
ipoque-class = "%{reply:ipoque-class}"
Then in the radiusd.conf, in the modules section I have defined the
following (The ipoque device IP is 192.168.0.1, secret "prx"):
exec Start {
wait = yes
program = "${bindir}/radclient.exe -d ${raddbdir} -f
${bindir}/ipoquestart.txt -x -s 192.168.1 acct prx"
input_pairs = reply
output_pairs = reply
packet_type = Access-Accept
}
and in the instantiate section I have added Start. Also, in the post-auth I
have put Start trying to send the radclient acct request towards ipoque.
I have started freeradius in debug mode, and I noticed that the radclient is
sending Framed-IP-Address as "0.0.0.0", and "ipoque-class"= "",
and after that it is sending the reply with the needed values of
Framed-IP-Address and "ipoque-class". I know there is some where something
wrong I am doing, but I need someone to analyse what is happening and tell
me how to correct it! Thanks
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.freeradius.org/pipermail/freeradius-users/attachments/20100327/7b8ba277/attachment.html>
More information about the Freeradius-Users
mailing list