User authentication for remote NAS'?

Brian Candler b.candler at pobox.com
Mon Apr 3 12:52:01 CEST 2017


On 03/04/2017 09:52, wefwe fewfew wrote:
> Long story short is that I want FR/mysql to check how long a user is still allowed online or how much bandwidth he has left and reject access/disconnect a user based on that.

If you can *pre-calculate* this at the time the user connects, then you 
may be able to set an attribute at the start of the session and let the 
NAS kick them off when it's exceeded.

Session-Timeout is a standard attribute and gives the time limit (in 
seconds). But that's not what you want.

For limiting the bytes uploaded/downloaded, then it's entirely vendor 
specific. I notice in dictionary.mikrotik you'll find:

ATTRIBUTE    Mikrotik-Recv-Limit            1    integer
ATTRIBUTE    Mikrotik-Xmit-Limit            2    integer
ATTRIBUTE    Mikrotik-Recv-Limit-Gigawords        14    integer
ATTRIBUTE    Mikrotik-Xmit-Limit-Gigawords        15    integer
ATTRIBUTE    Mikrotik-Total-Limit            17    integer
ATTRIBUTE    Mikrotik-Total-Limit-Gigawords        18    integer

(An integer is a 32-bit value, so if you want to give a value greater 
than 4GB you'll have to split a 64-bit value into high and low 32-bit 
words, and use Gigawords for the high value. See RFC2869)

So maybe that will do what you want.  You could check at authentication 
time what their monthly limit is (say 40GB) and how much they've used so 
far this month (say 10GB), and then set the limit to 30GB.

Otherwise, you'll have to run a process which periodically checks how 
much data a user has consumed, and tell the NAS interactively to kick 
them off.  That again is very NAS-specific.  Some NASes support a CoA 
packet for this; some NASes support an SNMP SET to do this; others you 
may need to script a login to the CLI and issue a command to kick them off.

Sorry, I can't give you an off-the-shelf recipe to do this for Mikrotik, 
as I've never used their gear.

FreeRADIUS can happily accumulate the accounting information into a 
database, to give you the source of info you need. (If you have a huge 
number of users then it might be an idea to use something like a Redis 
database instead of SQL)

You will however want to ensure that you get accounting updates during a 
long-lived session, rather than waiting until the user disconnects which 
is the default.

The way to do this is by including the Acct-Interim-Interval attribute 
in the authentication response: e.g.

     Acct-Interim-Interval = 600

This means "send me an update of usage for this session every 10 
minutes".  Most NASes won't let you set it lower than 5 or 10 minutes. 
For an ISP network I'd probably set it to 2 hours.

HTH,

Brian.
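The pre-calculation Brian describes (remaining monthly quota split into a 32-bit limit plus Gigawords, with Acct-Interim-Interval added to the reply), as an added example that is not part of the original post. The attribute names are from FreeRADIUS's dictionary.mikrotik; the functions, the byte units and the sample quota values are constructed assumptions standing in for a SQL/Redis lookup.

```python
from typing import Dict, Optional, Tuple

# RFC 2869 style split: a counter is low 32 bits + "Gigawords" (multiples of 2^32)
GIGAWORD = 2 ** 32


def split_gigawords(nbytes: int) -> Tuple[int, int]:
    """Split a byte count into (low 32-bit word, high 32-bit word)."""
    if nbytes < 0:
        raise ValueError("byte count must be non-negative")
    return nbytes % GIGAWORD, nbytes // GIGAWORD


def combine_gigawords(low: int, high: int) -> int:
    """Rebuild a 64-bit byte count from accounting counters such as
    Acct-Input-Octets + Acct-Input-Gigawords (both 32-bit integers)."""
    if not (0 <= low < GIGAWORD and 0 <= high < GIGAWORD):
        raise ValueError("each word must fit in 32 bits")
    return high * GIGAWORD + low


def quota_reply(monthly_limit: int, used_this_month: int,
                interim: int = 600) -> Optional[Dict[str, int]]:
    """Return reply attributes for an Access-Accept, or None to reject.

    monthly_limit / used_this_month are byte counts (assumption: the
    Mikrotik-Total-Limit attributes count bytes). interim is the
    Acct-Interim-Interval in seconds (600 = an update every 10 minutes).
    """
    remaining = monthly_limit - used_this_month
    if remaining <= 0:
        return None  # quota already exhausted: reject at authentication
    low, high = split_gigawords(remaining)
    return {
        "Mikrotik-Total-Limit": low,
        "Mikrotik-Total-Limit-Gigawords": high,
        "Acct-Interim-Interval": interim,
    }


if __name__ == "__main__":
    GB = 1024 ** 3  # constructed sample: 40GB monthly limit, 10GB used
    print(quota_reply(40 * GB, 10 * GB))
```

Feeding the result back into FreeRADIUS (for example from rlm_python or by writing the pairs into radreply) is NAS- and deployment-specific and is not shown here.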

