Using rlm_rest for authorization and sqlcounters for session and bandwidth limits

Rohith Asrk rohith.asrk at gmail.com
Fri Jun 22 19:09:32 CEST 2018


Thanks for the quick reply Alan. I've experimented a bit and here are some
observations I make,

1. The authorize section looks like the way I've defined in the previous
mail. But the rest module before sql and dailybandwidthcounter

2. I'm able to put limits on users using the radcheck table but not able to
do that using the radgroupcheck and radgroupusers table.

I basically wish to put limits on groups, and users shall be a part of it.
So I created a group named test_group with a test_user in it and put limits
on the test_group with Max-Daily-Session-Traffic attribute.

It works if I use the radcheck table with the same attribute and values but
doesn't with the groups.

I'm using the command *radtest test_user test_password localhost 10
secret_key *to test all this. Is there a different implementation with
groups or something else I need know?

Regards,
Rohith ASRK


On Fri, Jun 22, 2018 at 9:23 PM, Alan DeKok <aland at deployingradius.com>
wrote:

> On Jun 22, 2018, at 11:11 AM, Rohith Asrk <rohith.asrk at gmail.com> wrote:
> > I'm working on a feature for being able to enforce session and bandwidth
> > limits on users using a web interface of django-freeradius.
> >
> > I wish to authenticate the users using the rlm_rest module and use custom
> > defined sqlcounters for putting limits on users. For ex.,
>
>   That should work...
>
> > sqlcounter dailybandwidthcounter {
> >        counter_name = Max-Daily-Session-Traffic
> >        check_name = Max-Daily-Session-Traffic
> >        sql_module_instance = sql
> >        key = 'User-Name'
> >        reset = daily
> >        Reply-Message = "Your daily bandwidth limit has reached"
> >        query = "SELECT sum(AcctOutputOctets) + sum(AcctInputOctets) FROM
> > radacct WHERE \
> >                 UserName = '%{${key}}' AND \
> >                 acctstarttime BETWEEN FROM_UNIXTIME('%%b') AND
> > FROM_UNIXTIME('%%e')"
> > }
>
>   That just queries the normal "radacct" table tho.
>
>   What else do you want to do?
>
> > I'm not sure about configuring the FreeRADIUS configuration for
> > accomplishing this. My authorize section looks like
> >
> > authorize {
> >    # ...
> >    dailybandwidthcounter
> >    rest
> >    # ...
> > }
>
>   That calls "dailybandwidthcounter" before the "rest" module.  Is that
> what you want?
>
>   How do the two modules interact?  Or should they *not* interact?
>
> > I wish to use the concept of radius groups to implement this feature,
> i.e.,
> > add instances of radgroupcheck with attributes like
> > Max-Daily-Session-Traffic so that the dailybandwidth counter checks it
> and
> > puts the limits.
>
>   That should be possible, if you list "sql" before
> "dailybandwidthcounter".  And, if you put the Max-Daily-Session-Traffic
> attributes into SQL.
>
> > I tried testing it with radclient and radtest but haven't been able to
> see
> > any results.
>
>   As always, run the server in debug mode to see what it's doing:
>
> http://wiki.freeradius.org/radius-X
>
> > Am I going the right way? Can anyone help me with the concept
> > of enforcing limits and also configuration?
>
>   It should work pretty much as you've described above.
>
>   Alan DeKok.
>
>
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/
> list/users.html


More information about the Freeradius-Users mailing list