Request for assistance: FreeRadius configuration for split accounting of users into groups

Ahmad Gharib ahmadrg49 at
Tue Mar 28 08:25:58 UTC 2023

Dear FreeRadius Mailing List,

I hope this email finds you well. I am reaching out to request assistance
with a technical issue that my team and I have been facing while
configuring FreeRadius for our OpenVPN setup.

We have configured OpenVPN with the OpenVPN Radius Plugin for
authentication and accounting, and we have connected it to a FreeRadius server.
Our aim is to split users into two groups, Premium and Limited, and
configure bandwidth throttling for them depending on their group.

For Premium users, we would like to provide unlimited bandwidth without any
throttling. However, for Limited users, we want to provide free 1GB/day and
then throttle their connection if they exceed the limit.

To achieve this, we have configured the PERL module as an External
Scripting functionality to check daily consumption and other metrics of the
user in "Acct-Interim-Updates." We use this functionality to control the
user's group by switching them from Premium to Limited and vice versa.
Additionally, we apply throttling to the OpenVPN server using tc.

We also allow users to purchase tokens to top up their allowed bandwidth.
If a user exceeds their daily limit, their purchased credits allow them to
continue their internet usage without any additional throttling.

However, we are facing issues with the accounting per user group.
Specifically, we have noticed that if a user is now in the Limited group
and consuming traffic on a throttled connection, the daily_consumption
metric continues to add up, even if they have already exceeded their
allowed daily bandwidth. For example, let's say a user has consumed 0.5 GB
in addition to their allowed 1 GB per day, which makes their total
consumption 1.5 GB/day. If the user then purchases extra credits worth 0.2
GB, their total allowed consumption would be 1.2.  GB/Day, however, their
actual. total daily consumption would still be 1.5 GB/day, which renders
the user in the same `limited` group and breaks the accounting purposes.

To address this issue, we would like to have split accounting for each
group. In other words, once a user is throttled, we want to ignore the
bandwidth recorded and only calculate the bandwidth consumed during their
Premium group connection.

It is important to note that the `acctinputoctets` and `acctoutputoctets`
values are pushed by OpenVPN-Radius Plugin as total incremented values of
the connection , and not interval values during each `Acct-Interim-Updates`.

We would greatly appreciate any assistance or guidance on how to achieve
this goal. Thank you in advance for your time and expertise.

Best regards,
Ahmad R. Gharib

~ ~
*Ahmad R. Gharib*

*Linux Systems Administrator at Securealm SARL*
*Mobile: +961 71953385*

More information about the Freeradius-Users mailing list