User authentication for remote NAS'?

wefwe fewfew totallimpbizkit at hotmail.com
Wed Apr 5 02:24:00 CEST 2017


Brian,

Apologies for mailing you directly; that wasn't my intention.

Hi all,

I played around with the mikrotik-total-limit right after installing. When sending that as a radreply attribute it works for that session alone but that makes sense.

I tried modifying the counter to reflect mikrotik-total-time instead of session-time as explained on the wiki.
https://wiki.freeradius.org/modules/Rlm_sqlcounter#scenarios_lifetime-limit_sql

Unfortunately it doesn't seem to be as easy as simply changing the attribute and query ;)

Would a similar counter for data usage have to go into the sqlcounter_expire_on_login file?

Am I correct in thinking that in such a case the maximum data usage would become part of the radcheck just as for the session time?

Is there any way to check what is sent as part of radcheck? Sending something as an attribute under radreply makes it show up under freeradius -X and on the Mikrotik radius log, but radcheck doesn't show anything.

It must be sending something because trying the wiki example I got it working (though it's half broken after I tried to change some things, even though I changed all my settings back. I'll have to look into that...) but I would like to be able to see what it's sending.

Different question, but is it possible to "stack" the time limit as per the wiki? E.g. check total, monthly, weekly and daily max session time limits? I want to be able to give for example 1GB of usage per day, but a total of 5GB max per week.

I guess that would involve doing unlang (something like check weeklycounter, if smaller than allowed, goto dailycounter else reject) in the sites-enabled/default file? Can you put unlang in there?


________________________________
From: wefwe fewfew <totallimpbizkit at hotmail.com>
Sent: Tuesday, April 4, 2017 9:39:28 AM
To: Brian Candler
Subject: Re: Re: User authentication for remote NAS'?


________________________________
From: Brian Candler <b.candler at pobox.com>
Sent: Monday, April 3, 2017 10:52:01 AM
To: wefwe fewfew; FreeRadius users mailing list
Subject: Re: Re: User authentication for remote NAS'?

On 03/04/2017 09:52, wefwe fewfew wrote:
> Long story short is that I want FR/mysql to check how long a user is still allowed online or how much bandwidth he has left and reject access/disconnect a user based on that.

If you can *pre-calculate* this at the time the user connects, then you
may be able to set an attribute at the start of the session and let the
NAS kick them off when it's exceeded.

Session-Timeout is a standard attribute and gives the time limit (in
seconds). But that's not what you want.

For limiting the bytes uploaded/downloaded, then it's entirely vendor
specific. I notice in dictionary.mikrotik you'll find:

ATTRIBUTE    Mikrotik-Recv-Limit            1    integer
ATTRIBUTE    Mikrotik-Xmit-Limit            2    integer
ATTRIBUTE    Mikrotik-Recv-Limit-Gigawords        14    integer
ATTRIBUTE    Mikrotik-Xmit-Limit-Gigawords        15    integer
ATTRIBUTE    Mikrotik-Total-Limit            17    integer
ATTRIBUTE    Mikrotik-Total-Limit-Gigawords        18    integer

(An integer is a 32-bit value, so if you want to give a value greater
than 4GB you'll have to split the 64-bit value into high and low 32-bit
words, and use Gigawords for the high value. See RFC 2869.)

So maybe that will do what you want.  You could check at authentication
time what their monthly limit is (say 40GB) and how much they've used so
far this month (say 10GB), and then set the limit to 30GB.

Otherwise, you'll have to run a process which periodically checks how
much data a user has consumed, and tell the NAS interactively to kick
them off.  That again is very NAS-specific.  Some NASes support a CoA
packet for this; some NASes support an SNMP SET to do this; others you
may need to script a login to the CLI and issue a command to kick them off.

Sorry, I can't give you an off-the-shelf recipe to do this for Mikrotik,
as I've never used their gear.

FreeRADIUS can happily accumulate the accounting information into a
database, to give you the source of info you need. (If you have a huge
number of users then it might be an idea to use something like a Redis
database instead of SQL)

You will however want to ensure that you get accounting updates during a
long-lived session, rather than waiting until the user disconnects which
is the default.

The way to do this is by including the Acct-Interim-Interval attribute
in the authentication response: e.g.

     Acct-Interim-Interval = 600

This means "send me an update of usage for this session every 10
minutes".  Most NASes won't let you set it lower than 5 or 10 minutes.
For an ISP network I'd probably set it to 2 hours.

HTH,

Brian.
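Brian's pre-calculation step, as an added worked example in Python (not code from this thread, from FreeRADIUS or from MikroTik): sum the month's usage from accounting rows, reassembling each counter from its 32-bit octets column and its Gigawords overflow, subtract it from the allowance, and split the 64-bit remainder into Mikrotik-Total-Limit plus Mikrotik-Total-Limit-Gigawords. The radacct column order and the sample rows are constructed for the example.

```python
# Added worked example; not code from the thread, FreeRADIUS or MikroTik.
# RADIUS integer attributes are 32 bits, so byte counts above 4GB travel
# as a low word plus a "Gigawords" high word (RFC 2869 style), both in the
# accounting the NAS sends us and in the limit we send back.
GIGAWORD = 2 ** 32          # one Gigaword = 4,294,967,296 bytes
WORD_MASK = GIGAWORD - 1

# Constructed rows for one user this month, column order assumed to be:
# (acctinputoctets, acctinputgigawords, acctoutputoctets, acctoutputgigawords)
SAMPLE_RADACCT = [
    (3_000_000_000, 0, 1_500_000_000, 0),   # 4.5 GB in this session
    (500_000_000,   0, 705_032_704,   1),   # 0.5 GB in + (1 Gigaword + low) out
]


def octets(low, gigawords):
    """Reassemble a 64-bit byte count from its 32-bit counter and overflow word."""
    return gigawords * GIGAWORD + low


def bytes_used(rows):
    """Total bytes (both directions) across the month's accounting rows."""
    return sum(octets(i, ig) + octets(o, og) for i, ig, o, og in rows)


def split_gigawords(value):
    """Split a 64-bit value into (low 32-bit word, Gigawords high word)."""
    if not 0 <= value < 2 ** 64:
        raise ValueError("byte limit must fit in 64 bits")
    return value & WORD_MASK, value >> 32


def reply_attributes(monthly_limit, used, interim_interval=600):
    """Reply attributes for Access-Accept, or None when the allowance is gone.

    Acct-Interim-Interval is included so usage keeps arriving during a
    long session instead of only at disconnect (600 s = every 10 minutes).
    """
    remaining = monthly_limit - used
    if remaining <= 0:
        return None                       # nothing left: reject instead
    low, high = split_gigawords(remaining)
    return {
        "Mikrotik-Total-Limit": low,
        "Mikrotik-Total-Limit-Gigawords": high,
        "Acct-Interim-Interval": interim_interval,
    }


if __name__ == "__main__":
    used = bytes_used(SAMPLE_RADACCT)     # 10,000,000,000 bytes
    print(reply_attributes(40_000_000_000, used))
```

With Brian's figures (40GB allowance, 10GB used) the 30GB remainder becomes Mikrotik-Total-Limit 4230196224 and Mikrotik-Total-Limit-Gigawords 6, which recombine to 30,000,000,000.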

