[EXTERNAL] Re: issue with reject function while handling interim-update accounting

[Winfield, Alister (Senior Solutions Architect)]

As with all RADIUS things look at the BNG / BRAS / AP / AP-controller / etc (whatever the device is managing the session). Some have ‘quota’ systems that allow a slightly nicer way of handling usage limits. Mostly they do this by sending a new authentication request when a quota expires along with enough information to indicate which quota ran out (But not actually stopping the session until you reject the ‘quota expired’ - auth).

If not, you must play the short session game or hope that CoA’s work. Both achieve the desired outcome but not necessarily in the nicest way For example: CoA is particularly bad with DHCP based clients given there is nothing that a standard client does that will detect the session stopped until the lease expires; Short duration sessions are bad with dynamic IP’s regardless of the type of session being managed because it might change every time a new auth is accepted breaking established user connections.

From: Freeradius-Users <freeradius-users-bounces+alister.winfield=sky.uk at lists.freeradius.org> on behalf of Matthew Newton via Freeradius-Users <freeradius-users at lists.freeradius.org>
Date: Wednesday, 6 December 2023 at 12:00
To: freeradius-users at lists.freeradius.org <freeradius-users at lists.freeradius.org>
Cc: Matthew Newton <mcn at freeradius.org>
Subject: [EXTERNAL] Re: issue with reject function while handling interim-update accounting


On 06/12/2023 11:36, Vinayak Makwana via Freeradius-Users wrote:>
        I am facing an issue in the accounting section. I do work on
> freeradius accounting to handle START, STOP and INTERIM-UPDATE requests. So
> in an interim-update request I am getting every 1 minute.

That is very frequent. Every 15-30 minutes is more usual. You run the
risk of overloading your database.

> In that request i
> am checking user balance if user balance is not sufficient then i am using
> reject function to send reject request to client. but when I do use the
> reject function then this function directly rejects the interim-update
> request without sending access-reject  to the client.

You can only reject an authentication request, you can't reject in
accounting.

The way to do this is to send a CoA disconnect request to your NAS to
kick the session, if it's supported. If not you will need to either use
some other method to terminate the session, or use shorter session
lengths and then refuse on next authentication.

See raddb/sites-available/originate-coa

--
Matthew
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
--------------------------------------------------------------------
This email is from an external source. Please do not open attachments or click links from an unknown or suspicious origin. Phishing attempts can be reported by using the report message button in Outlook or sending them as an attachment to phishing at sky.uk. Thank you
--------------------------------------------------------------------
Information in this email including any attachments may be privileged, confidential and is intended exclusively for the addressee. The views expressed may not be official policy, but the personal views of the originator. If you have received it in error, please notify the sender by return e-mail and delete it from your system. You should not reproduce, distribute, store, retransmit, use or disclose its contents to anyone. Please note we reserve the right to monitor all e-mail communication through our internal and external networks. SKY and the SKY marks are trademarks of Sky Limited and Sky International AG and are used under licence.

Sky UK Limited (Registration No. 2906991), Sky-In-Home Service Limited (Registration No. 2067075), Sky Subscribers Services Limited (Registration No. 2340150) and Sky CP Limited (Registration No. 9513259) are direct or indirect subsidiaries of Sky Limited (Registration No. 2247735). All of the companies mentioned in this paragraph are incorporated in England and Wales and share the same registered office at Grant Way, Isleworth, Middlesex TW7 5QD