User authentication for remote NAS'?
b.candler at pobox.com
Mon Apr 3 12:52:01 CEST 2017
On 03/04/2017 09:52, wefwe fewfew wrote:
> Long story short is that I want FR/mysql to check how long a user is still allowed online or how much bandwidth he has left and reject access/disconnect a user based on that.
If you can *pre-calculate* this at the time the user connects, then you
may be able to set an attribute at the start of the session and let the
NAS kick them off when it's exceeded.
Session-Timeout is a standard attribute and gives the time limit (in
seconds). But that's not what you want.
For limiting the bytes uploaded/downloaded, then it's entirely vendor
specific. I notice in dictionary.mikrotik you'll find:
ATTRIBUTE Mikrotik-Recv-Limit 1 integer
ATTRIBUTE Mikrotik-Xmit-Limit 2 integer
ATTRIBUTE Mikrotik-Recv-Limit-Gigawords 14 integer
ATTRIBUTE Mikrotik-Xmit-Limit-Gigawords 15 integer
ATTRIBUTE Mikrotik-Total-Limit 17 integer
ATTRIBUTE Mikrotik-Total-Limit-Gigawords 18 integer
(An integer is a 32-bit value, so if you want to give a value greater
than 4GB you'll have to split it a 64-bit value into high and low 32-bit
words, and use Gigawords for the high value. See RFC2869)
So maybe that will do what you want. You could check at authentication
time what their monthly limit is (say 40GB) and how much they've used so
far this month (say 10GB), and then set the limit to 30GB.
Otherwise, you'll have to run a process which periodically checks how
much data a user has consumed, and tell the NAS interactively to kick
them off. That again is very NAS-specific. Some NASes support a CoA
packet for this; some NASes support an SNMP SET to do this; others you
may need to script a login to the CLI and issue a command to kick them off.
Sorry, I can't give you an off-the-shelf recipe to do this for Mikrotik,
as I've never used their gear.
FreeRADIUS can happily accumulate the accounting information into a
database, to give you the source of info you need. (If you have a huge
number of users then it might be an idea to use something like a Redis
database instead of SQL)
You will however want to ensure that you get accounting updates during a
long-lived session, rather than waiting until the user disconnects which
is the default.
The way to do this is by including the Acct-Interim-Interval attribute
in the authentication response: e.g.
Acct-Interim-Interval = 600
This means "send me an update of usage for this session every 10
minutes". Most NASes won't let you set it lower than 5 or 10 minutes.
For an ISP network I'd probably set it to 2 hours.
More information about the Freeradius-Users