Request for assistance: FreeRadius configuration for split accounting of users into groups

Thu Mar 30 02:17:26 UTC 2023

On Mar 28, 2023, at 5:25 PM, Ahmad Gharib <ahmadrg49 at gmail.com> wrote:
> We have configured OpenVPN with the OpenVPN Radius Plugin for
> authentication and accounting, and we have connected it to a FreeRadius server.
> Our aim is to split users into two groups, Premium and Limited, and
> configure bandwidth throttling for them depending on their group.
> 
> For Premium users, we would like to provide unlimited bandwidth without any
> throttling. However, for Limited users, we want to provide free 1GB/day and
> then throttle their connection if they exceed the limit.

  All of these issues end up being local policy rules.   i.e. write down what you want the server to do, and then make the server do it.

  If the server doesn't do what you want, it's because there's a disconnect between what you want, and what you told the server to do.

> To achieve this, we have configured the PERL module as an External
> Scripting functionality to check daily consumption and other metrics of the
> user in "Acct-Interim-Updates." We use this functionality to control the
> user's group by switching them from Premium to Limited and vice versa.
> Additionally, we apply throttling to the OpenVPN server using tc.

  Dynamic switching like this may work, but it can be a source of confusion.  What group is the user in?  Does their current profile match their group?

> We also allow users to purchase tokens to top up their allowed bandwidth.
> If a user exceeds their daily limit, their purchased credits allow them to
> continue their internet usage without any additional throttling.

  These are all complex local rules.  It takes a careful approach to write "unlang" policies which match the goals you have.

> However, we are facing issues with the accounting per user group.
> Specifically, we have noticed that if a user is now in the Limited group
> and consuming traffic on a throttled connection, the daily_consumption
> metric continues to add up, even if they have already exceeded their
> allowed daily bandwidth.

  The default configuration has none of these rules.  So if the rules don't do what you want, it's because of rules created on your local system.

> For example, let's say a user has consumed 0.5 GB
> in addition to their allowed 1 GB per day, which makes their total
> consumption 1.5 GB/day. If the user then purchases extra credits worth 0.2
> GB, their total allowed consumption would be 1.2.  GB/Day, however, their
> actual. total daily consumption would still be 1.5 GB/day, which renders
> the user in the same `limited` group and breaks the accounting purposes.

  So write rules to check for this situation?

> To address this issue, we would like to have split accounting for each
> group. In other words, once a user is throttled, we want to ignore the
> bandwidth recorded and only calculate the bandwidth consumed during their
> Premium group connection.

  You have to update the schema && the accounting queries to do this.  It's not trivial.

> It is important to note that the `acctinputoctets` and `acctoutputoctets`
> values are pushed by OpenVPN-Radius Plugin as total incremented values of
> the connection , and not interval values during each `Acct-Interim-Updates`.

  Yes, that's how RADIUS accounting works.  The NAS has no idea what the rules are on the server side.

> We would greatly appreciate any assistance or guidance on how to achieve
> this goal. Thank you in advance for your time and expertise.

  To be honest, this is all very complicated, and I'm still not quite clear on what you want it to do.