For what it's worth, CoovaChilli supports an option called 'acctupdate' which will allow for "updated" provisioning attributes to be returned to the NAS in accounting response. Yes, it's not very RFC compliant, but certainly helpful when you don't have the ability to send CoA requests to the NAS.
David On Mon, 2009-05-04 at 07:32 +0200, freeradius-users-requ...@lists.freeradius.org wrote: > Send Freeradius-Users mailing list submissions to > freeradius-users@lists.freeradius.org > > To subscribe or unsubscribe via the World Wide Web, visit > http://lists.freeradius.org/mailman/listinfo/freeradius-users > or, via email, send a message with subject or body 'help' to > freeradius-users-requ...@lists.freeradius.org > > You can reach the person managing the list at > freeradius-users-ow...@lists.freeradius.org > > When replying, please edit your Subject line so it is more specific > than "Re: Contents of Freeradius-Users digest..." > > > Today's Topics: > > 1. Re :checking authorization in the duration of connection (Eric) > 2. Re: Re :checking authorization in the duration of connection > (??????? ????????) > 3. Re: Re :checking authorization in the duration of connection > (Marinko Tarlac) > 4. Re: Re :checking authorization in the duration of connection > (Ivan Kalik) > 5. Re :checking authorization in the duration of connection (Eric) > 6. Re: Re :checking authorization in the duration of connection > (Fajar A. Nugraha) > > > ---------------------------------------------------------------------- > > Message: 1 > Date: Sun, 3 May 2009 14:39:11 +0430 > From: Eric <bbah...@gmail.com> > Subject: Re :checking authorization in the duration of connection > To: freeradius-users@lists.freeradius.org > Message-ID: > <38a27c8c0905030309u44457388u2e55f5f2c9a5b...@mail.gmail.com> > Content-Type: text/plain; charset="iso-8859-1" > > NAS sends accounting update packets in periodic times. I want > freeradius use this updates and > check my online users periodically and send Disconnect packet if > user's traffic is above my > limit. > How can it do this? > any document about config ? > Eric wrote: > > Hi, > > My radius server use ldap server for authorize and authentication.I set an > attribute in ldap server that is the check-name in sqlcounter to limit users > Input traffic. I want when user traffic reaches to this amount the user > become stop but radius checks ldap attributes only at the first of > connection not in the middle. How can I set radius server check users > traffic with the amount of this attribute in ldap server in the duration of > connection? > > The radius server steps out of the way once authentication and authorization > is complete, nor does it have the ability to disconnect a user from a NAS. > You need to have the NAS disconnect the user itself when a threshold is > reached. This is accomplished by returning a vendor specific attribute > specifying the limit for the session which the NAS then maintains. Once the > limit on the NAS is reached the NAS terminates the session. You'll have to > check your NAS documentation for a traffic limiting parameter. In the other > common case of disconnect after a time duration it's handled by computing > the session length during authorization and returning attribute 194 with the > maximum number of seconds for the connection. This attribute is understood > by comon NAS devices and is known variously as Ascend-Maximum-Time, > Cisco-Maximum-Time > or Lucent-Maximum-Time. You'll need to apply the same logic for data volume. > -------------- next part -------------- > An HTML attachment was scrubbed... > URL: > <https://lists.freeradius.org/pipermail/freeradius-users/attachments/20090503/912ea0d4/attachment.html> > > ------------------------------ > > Message: 2 > Date: Sun, 3 May 2009 14:30:45 +0400 > From: ??????? ???????? <volos...@maks.net> > Subject: Re: Re :checking authorization in the duration of connection > To: "FreeRadius users mailing list" > <freeradius-users@lists.freeradius.org> > Message-ID: <0d2a1214d0d5412788725f2e2cd48...@office.local> > Content-Type: text/plain; charset="utf-8" > > Radius and NAS can worked in one way. Only NAS send accounts paket to RADIUS. > RADIUS CANT send packet to NAS server (if quota user traffic limit > exceeded)!!!!!!! > ----- Original Message ----- > From: Eric > To: freeradius-users@lists.freeradius.org > Sent: Sunday, May 03, 2009 2:09 PM > Subject: Re :checking authorization in the duration of connection > > > NAS sends accounting update packets in periodic times. I want freeradius use > this updates and check my online users periodically and send Disconnect > packet if user's traffic is above my > limit.How can it do this?any document about config ? Eric wrote:Hi,My radius > server use ldap server for authorize and authentication.I set an attribute in > ldap server that is the check-name in sqlcounter to limit users Input > traffic. I want when user traffic reaches to this amount the user become stop > but radius checks ldap attributes only at the first of connection not in the > middle. How can I set radius server check users traffic with the amount of > this attribute in ldap server in the duration of connection? > The radius server steps out of the way once authentication and > authorization is complete, nor does it have the ability to disconnect a user > from a NAS. You need to have the NAS disconnect the user itself when a > threshold is reached. This is accomplished by returning a vendor specific > attribute specifying the limit for the session which the NAS then maintains. > Once the limit on the NAS is reached the NAS terminates the session. You'll > have to check your NAS documentation for a traffic limiting parameter. In the > other common case of disconnect after a time duration it's handled by > computing the session length during authorization and returning attribute 194 > with the maximum number of seconds for the connection. This attribute is > understood by comon NAS devices and is known variously as > Ascend-Maximum-Time, Cisco-Maximum-Time or Lucent-Maximum-Time. You'll need > to apply the same logic for data volume. > > > ------------------------------------------------------------------------------ > > > - > List info/subscribe/unsubscribe? See > http://www.freeradius.org/list/users.html > -------------- next part -------------- > An HTML attachment was scrubbed... > URL: > <https://lists.freeradius.org/pipermail/freeradius-users/attachments/20090503/53751f43/attachment.html> > > ------------------------------ > > Message: 3 > Date: Sun, 03 May 2009 13:05:20 +0200 > From: Marinko Tarlac <mangi...@gmail.com> > Subject: Re: Re :checking authorization in the duration of connection > To: FreeRadius users mailing list > <freeradius-users@lists.freeradius.org> > Message-ID: <49fd7a70.3080...@gmail.com> > Content-Type: text/plain; charset=UTF-8; format=flowed > > You'll need to check this during connection process and you can send > info to NAS about traffic limit (if your NAS support this) > > ??????? ???????? wrote: > > Radius and NAS can worked in one way. Only NAS send accounts paket to > > RADIUS. RADIUS CANT send packet to NAS server (if quota user traffic > > limit exceeded)!!!!!!! > > > > ----- Original Message ----- > > *From:* Eric <mailto:bbah...@gmail.com> > > *To:* freeradius-users@lists.freeradius.org > > <mailto:freeradius-users@lists.freeradius.org> > > *Sent:* Sunday, May 03, 2009 2:09 PM > > *Subject:* Re :checking authorization in the duration of connection > > > > NAS sends accounting update packets in periodic times. I want > > freeradius use this updates and > > check my online users periodically and send Disconnect packet if user's > > traffic is above my > > > > limit. > > How can it do this? > > any document about config ? > > Eric wrote: > > > > > > Hi, > > > > > > My radius server use ldap server for authorize and > > authentication.I set an attribute in ldap server that is the > > check-name in sqlcounter to limit users Input traffic. I want > > when user traffic reaches to this amount the user become stop > > but radius checks ldap attributes only at the first of > > connection not in the middle. How can I set radius server > > check users traffic with the amount of this attribute in ldap > > server in the duration of connection? > > > > The radius server steps out of the way once authentication and > > authorization is complete, nor does it have the ability to > > disconnect a user from a NAS. You need to have the NAS disconnect > > the user itself when a threshold is reached. This is accomplished > > by returning a vendor specific attribute specifying the limit for > > the session which the NAS then maintains. Once the limit on the > > NAS is reached the NAS terminates the session. You'll have to > > check your NAS documentation for a traffic limiting parameter. In > > the other common case of disconnect after a time duration it's > > handled by computing the session length during authorization and > > returning attribute 194 with the maximum number of seconds for the > > connection. This attribute is understood by comon NAS devices and > > is known variously as Ascend-Maximum-Time, Cisco-Maximum-Time or > > Lucent-Maximum-Time. You'll need to apply the same logic for data > > volume. > > > > > > > > > > ------------------------------------------------------------------------ > > - > > List info/subscribe/unsubscribe? See > > http://www.freeradius.org/list/users.html > > > > ------------------------------------------------------------------------ > > > > - > > List info/subscribe/unsubscribe? See > > http://www.freeradius.org/list/users.html > > > > ------------------------------ > > Message: 4 > Date: Sun, 3 May 2009 21:03:26 +0100 (BST) > From: "Ivan Kalik" <t...@kalik.net> > Subject: Re: Re :checking authorization in the duration of connection > To: "FreeRadius users mailing list" > <freeradius-users@lists.freeradius.org> > Message-ID: <65393.87.194.16.13.1241381006.squir...@webmail.kalik.net> > Content-Type: text/plain;charset=utf-8 > > > NAS sends accounting update packets in periodic times. I want > > freeradius use this updates and > > check my online users periodically and send Disconnect packet if > > user's traffic is above my > > limit. > > How can it do this? > > You can write your own module or program that will check you limit and if > user is over call radclient and send PoD to your NAS. You are sure that > your NAS knows what to do with PoD? > > > any document about config ? > > No, because it's a very bad way of doing things. > > There are far better (tried and tested) ways of enforcing limits using > counters/sqlcounters at login time. If you use them, your user will not be > able to go over the limit, as NAS will disconnect him (without any need > for external PoD) when the limit is reached. And you don't need interim > accounting packets. > > Ivan Kalik > Kalik Informatika ISP > > > > ------------------------------ > > Message: 5 > Date: Mon, 4 May 2009 09:56:59 +0430 > From: Eric <bbah...@gmail.com> > Subject: Re :checking authorization in the duration of connection > To: freeradius-users@lists.freeradius.org > Message-ID: > <38a27c8c0905032226s18bdf7bpb67820910cb5a...@mail.gmail.com> > Content-Type: text/plain; charset="iso-8859-1" > > I found this reply in freeradius mailing list in 2005: > > " It's impossible to enforce *traffic* limiting *during* a users > session. So if a user is a tiny bit below their limit and logs in > again, they can go over their limit. The server will only catch & > enforce their limit on the next login. > This has been discussed multiple times on the list over the past 5 > years." > > Is this possible now in new versions ? > -------------- next part -------------- > An HTML attachment was scrubbed... > URL: > <https://lists.freeradius.org/pipermail/freeradius-users/attachments/20090504/f7cbdf3f/attachment.html> > > ------------------------------ > > Message: 6 > Date: Mon, 4 May 2009 12:31:52 +0700 > From: "Fajar A. Nugraha" <fa...@fajar.net> > Subject: Re: Re :checking authorization in the duration of connection > To: FreeRadius users mailing list > <freeradius-users@lists.freeradius.org> > Message-ID: > <7207d96f0905032231j3953f38er480e828182a46...@mail.gmail.com> > Content-Type: text/plain; charset=ISO-8859-1 > > On Mon, May 4, 2009 at 12:26 PM, Eric <bbah...@gmail.com> wrote: > > I found this reply in freeradius mailing list in 2005: > > > > " It's impossible to enforce traffic limiting *during* a users > > session. ?So if a user is a tiny bit below their limit and logs in > > again, they can go over their limit. ?The server will only catch & > > enforce their limit on the next login. > > ? This has been discussed multiple times on the list over the past 5 > > years." > > > > Is this possible now in new versions ? > > POSSIBLE, yes. See Ivan's response. The prequisite is that the NAS > supports Packet of Disconnect (POD). > Is it recommended? No. > > Regards, > > Fajar > > > > ------------------------------ > > - > List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html > > > End of Freeradius-Users Digest, Vol 49, Issue 4 > *********************************************** - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
