Re: Help with executing accounting!

2010-03-27 Thread Mohamed Abdulla
Thanks Alan, I will look into the source!

Tim, your analysis of ipoque operation is correct. IPOQUE receives the 
accounting request as a way to dynamically map a user/IP to a class (where 
combination of rules/policy are applied based on protocol and application user 
is using). What I am trying to achieve actually is not proxying accounting from 
NAS towards IPOQUE, but rather triggering it from radius towards ipoque upon 
completion of user authentication and authorization. Ipoque is a Layer-2 bridge 
where it transparently sits at the gateway of network to control the use of 
Internet bandwidth and usage (p2p control, streaming control, and many 
categories of traffic). Users do not have to authenticate to ipoque, and users 
are actually within the LAN on wired network, where they authenticate to NAS 
which then contacts server. This setup I am trying for a university for 
controlling users access to Internet, taking advantage of the powerful 
capability of ipoque to discover traffic and categorise it with high precision.

  ----- Original Message -----
  From: Tim Sylvester 
  To: 'FreeRadius users mailing list' 
  Sent: Saturday, March 27, 2010 11:03 PM
  Subject: RE: Help with executing accounting!


  Mohamed,

   

  Your description of the IPOQUE device and how it works is very strange. I was 
not able to find any useful documentation on the IPOQUE device but here is 
what I think it is trying to do in a service provider network.

   

  Assume the service provider network uses DSL, 3G wireless, 802.11, etc. Users 
connect to the network via the NAS which could be a BRAS, GGSN, wireless AP, 
etc. The NAS sends an access request to the RADIUS server to authenticate the 
user. All user traffic going to the Internet goes through the IPOQUE device. 
The service provider wants the IPOQUE device to manage traffic based on user 
or groups of users. Devices on the network are dynamically assigned an IP 
address. So, the IPOQUE device needs to map the IP address to the user, group 
of users and their bandwidth management “policy”. The NAS is configured to send 
RADIUS accounting packets to the RADIUS server. The RADIUS server is configured 
to add the IPOQUE attributes to the accounting request and proxy the request to 
the IPOQUE device. When the IPOQUE device receives the Accounting Start packet, 
it uses the information in the packet to map the IP address (Framed-IP-Address 
attribute) to the IPOQUE bandwidth management policy (ipoque-class attribute). 
The bandwidth management policy would then be applied to all traffic from that 
particular user/IP address.

   

  What type of network is your customer running (DSL, 3G, 802.11, etc.)? Do 
they authenticate user access to the network using a NAS which then contacts 
the RADIUS server? Is the IPOQUE device transparent to the user or does the 
IPOQUE device require users to authenticate themselves via a web page or some 
other mechanism?

   

  Tim


  From: 
freeradius-users-bounces+tim.sylvester=networkradius@lists.freeradius.org 
[mailto:freeradius-users-bounces+tim.sylvester=networkradius@lists.freeradius.org]
 On Behalf Of Mohamed Abdulla
  Sent: Saturday, March 27, 2010 3:26 AM
  To: freeradius-users@lists.freeradius.org
  Subject: Help with executing accounting!

   

  Hi All,

  I am new to using freeradius. I am in the process of integrating freeradius 
with "ipoque", which is a bandwidth control device. IPOQUE expects to see an 
accounting request from the radius server with specific attributes embedded, in 
order to control the bandwidth of the logged-in user. The scenario I am trying 
to realize is as follows:

  1. For each user wishing to authenticate with freeradius, I have added two 
attributes in "users.conf" file. The first attribute is "Framed-IP-Address", 
while the second is a VSA "ipoque-class". 
  2. When the user successfully authenticates with the freeradius, and after 
the freeradius sends Access-Accept, I want the radclient.exe to automatically 
send Accounting request to ipoque, including the following: User-Name, 
Framed-IP-Address, Accounting-Status-Type= Start and ipoque-class as configured 
in users.conf file. This should inform ipoque device about the user IP and the 
class of that user in order to apply the proper bandwidth rules for that user 
category. 

  I have started by creating a test user in users.conf as follows:

   

  shafzeen  Auth-Type := Local, User-Password == "1234"
   Framed-IP-Address = "192.168.1.12",
   ipoque-class = "raduser"

   

  then I created a text file named "ipoquestart.txt" with the following content:

   

  User-Name = "%{User-Name}",
  Framed-IP-Address = "%{reply:Framed-IP-Address}",
  Acct-Status-Type = Start,
  ipoque-class = "%{reply:ipoque-class}"

   

  Then in the radiusd.conf, in the modules section I have def

Re: Help with executing accounting!

2010-03-27 Thread Mohamed Abdulla
Sorry, I forgot to mention that I am using the FreeRadius from 
freeradius.net, and I am using it on windows. I did not know it makes so 
much a big difference! What Ipoque has implemented is indeed not a full 
RADIUS implementation, but it can understand that Accounting Request sent to 
it to extract the user data and traffic class before it applies the 
configured rules of user traffic treatment. When I manually use radclient to 
send the accounting request to ipoque (I fill a text file with sample data 
of one user and use that with radclient), everything successfully works. 
Then I wanted to do the same on the fly, where depending on the User-Name 
and the fact that the user successfully authenticates, the radclient will 
populate the Accounting Request data using that User-Name and the configured 
attribute in the "users" file. I was hoping I could find similar script 
which does the same or close to it. But I guess as Alan DeKok has 
highlighted, I have to go through the scripts and Exec-Program-Wait pages 
and try to find a way to do it as radclient does not expand variables like 
%{}. Is the 1.1.7 version, windows port supported here? Where can I find the 
suggested scripts/exec-program-wait example?
----- Original Message -----
From: "Alan Buxey" 

To: "FreeRadius users mailing list" 
Sent: Saturday, March 27, 2010 8:31 PM
Subject: Re: Help with executing accounting!



Hi,

 1.  For each user wishing to authenticate with freeradius, I have added 
two attributes in "users.conf" file. The first attribute is 
"Framed-IP-Address", while the second is a VSA "ipoque-class".


'users' file

 2.  When the user successfully authenticates with the freeradius, and 
after the freeradius sends Access-Accept, I want the radclient.exe to 
automatically send Accounting request to ipoque, including the following: 
User-Name, Framed-IP-Address, Accounting-Status-Type= Start and 
ipoque-class as configured in users.conf file. This should inform ipoque 
device about the user IP and the class of that user in order to apply the 
proper bandwidth rules for that user category.


why can't the NAS send the thing to this ipoque box?  oh well, if you
want to use FreeRADIUS to do the work...

simply call perl or python...or even exec...in the post-auth section of
the FreeRADIUS server and get it to call radclient as you want it to


I have started by creating a test user in users.conf as follows:

shafzeen  Auth-Type := Local, User-Password == "1234"


Cleartext-Password := "1234"



or are you about to tell me you are using the ancient FreeRADIUS 1.1.7
windows port?

alan
-
List info/subscribe/unsubscribe? See 
http://www.freeradius.org/list/users.html 
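
Alan's suggestion above (run a script from post-auth and let it call radclient), as an added example that is not code from the thread or from FreeRADIUS: it builds the Accounting Start from already-expanded values instead of relying on radclient to expand %{...}, and refuses empty, 0.0.0.0 or attribute-injecting values. Assumed here: the server exports the attributes to the script's environment as USER_NAME, FRAMED_IP_ADDRESS and IPOQUE_CLASS, radclient is on PATH, and the secret sits in a hypothetical file read with radclient's -S option rather than on the command line.

```python
import ipaddress
import os
import re
import subprocess

# Assumptions (not from the thread): radclient is on PATH, the secret is kept
# in a file read with radclient's -S option, and the server exports the
# attributes as environment variables (upper-cased, '-' turned into '_').
IPOQUE_SERVER = "192.168.0.1"          # ipoque address given in the thread
SECRET_FILE = "ipoque.secret"          # hypothetical path
SAFE_VALUE = re.compile(r"[A-Za-z0-9._@-]{1,64}")


def unquote(value):
    """Strip the double quotes the server may put around string values."""
    if len(value) >= 2 and value[0] == value[-1] == '"':
        return value[1:-1]
    return value


def build_acct_start(env):
    """Return radclient input for an Accounting Start, or raise ValueError."""
    user = unquote(env.get("USER_NAME", ""))
    klass = unquote(env.get("IPOQUE_CLASS", ""))
    raw_ip = unquote(env.get("FRAMED_IP_ADDRESS", ""))
    for name, value in (("User-Name", user), ("ipoque-class", klass)):
        # Reject quotes, commas and newlines that would add extra attributes.
        if not SAFE_VALUE.fullmatch(value):
            raise ValueError("unsafe or empty %s: %r" % (name, value))
    ip = ipaddress.IPv4Address(raw_ip)   # raises ValueError on bad input
    if ip.is_unspecified:
        raise ValueError("Framed-IP-Address is 0.0.0.0, not sending")
    return ('User-Name = "%s"\n'
            'Framed-IP-Address = %s\n'
            'Acct-Status-Type = Start\n'
            'ipoque-class = "%s"\n' % (user, ip, klass))


def send(env):
    packet = build_acct_start(env)
    # An argument list, no shell: attribute values never reach a command line.
    return subprocess.run(
        ["radclient", "-x", "-S", SECRET_FILE, IPOQUE_SERVER, "acct"],
        input=packet, text=True, timeout=10).returncode


if __name__ == "__main__":
    raise SystemExit(send(os.environ))
```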




Help with executing accounting!

2010-03-27 Thread Mohamed Abdulla
Hi All,
I am new to using freeradius. I am in the process of integrating freeradius 
with "ipoque", which is a bandwidth control device. IPOQUE expects to see an 
accounting request from the radius server with specific attributes embedded, in 
order to control the bandwidth of the logged-in user. The scenario I am trying 
to realize is as follows:
  1. For each user wishing to authenticate with freeradius, I have added two 
attributes in "users.conf" file. The first attribute is "Framed-IP-Address", 
while the second is a VSA "ipoque-class".
  2. When the user successfully authenticates with the freeradius, and after 
the freeradius sends Access-Accept, I want the radclient.exe to automatically 
send Accounting request to ipoque, including the following: User-Name, 
Framed-IP-Address, Accounting-Status-Type= Start and ipoque-class as configured 
in users.conf file. This should inform ipoque device about the user IP and the 
class of that user in order to apply the proper bandwidth rules for that user 
category.
I have started by creating a test user in users.conf as follows:

shafzeen  Auth-Type := Local, User-Password == "1234"
 Framed-IP-Address = "192.168.1.12",
 ipoque-class = "raduser"

then I created a text file named "ipoquestart.txt" with the following content:

User-Name = "%{User-Name}",
Framed-IP-Address = "%{reply:Framed-IP-Address}",
Acct-Status-Type = Start,
ipoque-class = "%{reply:ipoque-class}"

Then in the radiusd.conf, in the modules section I have defined the following 
(The ipoque device IP is 192.168.0.1, secret "prx"):

exec Start {
  wait = yes
  program = "${bindir}/radclient.exe -d ${raddbdir} -f ${bindir}/ipoquestart.txt -x -s 192.168.1 acct prx"
  input_pairs = reply
  output_pairs = reply
  packet_type = Access-Accept
}
and in the instantiate section I have added Start. Also, in the post-auth I 
have put Start trying to send the radclient acct request towards ipoque.
I have started freeradius in debug mode, and I noticed that the radclient is 
sending Framed-IP-Address as "0.0.0.0", and "ipoque-class"= "",
and after that it is sending the reply with the needed values of 
Framed-IP-Address and "ipoque-class". I know there is somewhere something 
wrong I am doing, but I need someone to analyse what is happening and tell me 
how to correct it! Thanks