Re: Re :checking authorization in the duration of connection

2009-05-09 Thread Ivan Kalik
> I mean if there is a windows vpn server as a NAS for radius server, could
> I
> set the session limit at the start of the session (at authentication)
> and use methods explained in netexpertise article ?
>

No. Microsoft has no traffic limiting VSAs. And it doesn't support
CoA/PoD. In Windows speak CoA stands for Certificate of Authenticity
(that's where their priorities are - in licencing). It supports only time
limited sessions (Session-Timeout).

Mikrotik can do this. I think that they have also implemented CoA in the
latest RouterOS release.

Ivan Kalik
Kalik Informatika ISP

>
>> How about vpn windows as NAS?
>>
>
> Is that a joke? Windows server would be useless. It can't terminate adsl,
> at least not much more than one line. So, someone else is going to
> terminate adsl and send you what via VPN? Accounting? You don't need
> Windows at all then - just a freeradius server. Or traffic via L2TP
> tunnels? Your Windows server is going to die with any significant amount
> of traffic. Using Windows server as a router is insane. It can work like
> that - but very, very badly. Even a cheap dumb $50-$100 router like
> Mikrotik will outperform it by miles.
>
> Ivan Kalik
> Kalik Informatika ISP


-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Re :checking authorization in the duration of connection

2009-05-09 Thread Eric
I mean if there is a windows vpn server as a NAS for radius server, could I
set the session limit at the start of the session (at authentication)
and use methods explained in netexpertise article ?


> How about vpn windows as NAS?
>

Is that a joke? Windows server would be useless. It can't terminate adsl,
at least not much more than one line. So, someone else is going to
terminate adsl and send you what via VPN? Accounting? You don't need
Windows at all then - just a freeradius server. Or traffic via L2TP
tunnels? Your Windows server is going to die with any significant amount
of traffic. Using Windows server as a router is insane. It can work like
that - but very, very badly. Even a cheap dumb $50-$100 router like
Mikrotik will outperform it by miles.

Ivan Kalik
Kalik Informatika ISP

Re: Re :checking authorization in the duration of connection

2009-05-06 Thread Ivan Kalik
> How about vpn windows as NAS?
>

Is that a joke? Windows server would be useless. It can't terminate adsl,
at least not much more than one line. So, someone else is going to
terminate adsl and send you what via VPN? Accounting? You don't need
Windows at all then - just a freeradius server. Or traffic via L2TP
tunnels? Your Windows server is going to die with any significant amount
of traffic. Using Windows server as a router is insane. It can work like
that - but very, very badly. Even a cheap dumb $50-$100 router like
Mikrotik will outperform it by miles.

Ivan Kalik
Kalik Informatika ISP



Re: Re :checking authorization in the duration of connection

2009-05-06 Thread Eric
How about vpn windows as NAS?

802.1x coding is not going to be of much use for adsl. What NAS are you
using? Does it support gigawords in accounting and does it have traffic
limiting VSAs? Best thing to do is to create a traffic sqlcounter that
will set the session limit at the start of the session (at authentication)
and use methods explained in netexpertise article to keep collected
traffic information more realistic (in that scenario losing even one stop
packet for a session that lasted days would be quite bad).

Ivan Kalik
Kalik Informatika ISP

Re: Re :checking authorization in the duration of connection

2009-05-06 Thread Ivan Kalik
> Hi Arran
> I have trouble. Would you please send me codes?
> I don't know how those who support adsl do it, when users are online all
> day long and there is a limit on the traffic amount?
>
>
>
> It's possible even if the NAS doesn't support PoD, so long as the NAS
> supports
> the 802.1X mib, you should be able to fire off an SNMP-SET with the exec
> module and force re-authentication. All the required information is
> available in the Accounting Request the server just received.
>
> If you're really having trouble and ask nicely I'll write some example
> code.
>
> Arran

802.1x coding is not going to be of much use for adsl. What NAS are you
using? Does it support gigawords in accounting and does it have traffic
limiting VSAs? Best thing to do is to create a traffic sqlcounter that
will set the session limit at the start of the session (at authentication)
and use methods explained in netexpertise article to keep collected
traffic information more realistic (in that scenario losing even one stop
packet for a session that lasted days would be quite bad).

Ivan Kalik
Kalik Informatika ISP



Re: Re :checking authorization in the duration of connection

2009-05-05 Thread Eric
Hi Arran
I have trouble. Would you please send me codes?
I don't know how those who support adsl do it, when users are online all
day long and there is a limit on the traffic amount?



It's possible even if the NAS doesn't support PoD, so long as the NAS supports
the 802.1X mib, you should be able to fire off an SNMP-SET with the exec
module and force re-authentication. All the required information is
available in the Accounting Request the server just received.

If you're really having trouble and ask nicely I'll write some example code.

Arran

RE: Re :checking authorization in the duration of connection

2009-05-05 Thread David
Hi Ivan,

This is outdated since Freeradius 2 but the basics remain true, i.e.:
create a new record each time an accounting update is received to get (as
much as possible) an up-to-date database, especially when sessions last for
a long time. This helps to get updated traffic figures every hour, for instance.

I'll write a new version as soon as I get a chance for FR2.

David


> what about this document?
> http://www.netexpertise.eu/en/freeradius/daily-accounting.html

Outdated. Freeradius has gigaword accounting enabled by default now.

Ivan Kalik
Kalik Informatika ISP



Re: Re :checking authorization in the duration of connection

2009-05-05 Thread Arran Cudbard-Bell

On 5/5/09 14:20, Ivan Kalik wrote:

what about this document?
http://www.netexpertise.eu/en/freeradius/daily-accounting.html


Outdated. Freeradius has gigaword accounting enabled by default now.

Ivan Kalik
Kalik Informatika ISP



It's possible even if the NAS doesn't support PoD, so long as the NAS 
supports the 802.1X mib, you should be able to fire off an SNMP-SET with 
the exec module and force re-authentication. All the required 
information is available in the Accounting Request the server just received.


If you're really having trouble and ask nicely I'll write some example code.

Arran
--
Arran Cudbard-Bell (a.cudbard-b...@sussex.ac.uk),
Authentication, Authorisation and Accounting Officer,
Infrastructure Services (IT Services),
E1-1-08, Engineering 1, University Of Sussex, Brighton, BN1 9QT
DDI+FAX: +44 1273 873900 | INT: 3900
GPG: 86FF A285 1AA1 EE40 D228 7C2E 71A9 25BB 1E68 54A2


Re: Re :checking authorization in the duration of connection

2009-05-05 Thread Ivan Kalik
> what about this document?
> http://www.netexpertise.eu/en/freeradius/daily-accounting.html

Outdated. Freeradius has gigaword accounting enabled by default now.

Ivan Kalik
Kalik Informatika ISP



Re: Re :checking authorization in the duration of connection

2009-05-05 Thread Eric
what about this document?
http://www.netexpertise.eu/en/freeradius/daily-accounting.html

Re: Re :checking authorization in the duration of connection

2009-05-04 Thread Ivan Kalik
> I found this reply in freeradius mailing list in 2005:
>
> " It's impossible to enforce *traffic* limiting *during* a users
> session.  So if a user is a tiny bit below their limit and logs in
> again, they can go over their limit.  The server will only catch &
> enforce their limit on the next login.
>   This has been discussed multiple times on the list over the past 5
> years."
>
> Is this possible now in new versions ?

Enforcing traffic limits is impossible - using standard radius attributes.
And this has nothing to do with freeradius version.

But most vendors (not just likes of Cisco, but ChilliSpot, Mikrotik, etc.)
have vendor specific attributes (VSA) that you can use to limit traffic.
Read your vendor documentation (or ask the vendor) to see how it can be
done. Then use that VSA in the (sql)counter.

Ivan Kalik
Kalik Informatika ISP



Re: Re :checking authorization in the duration of connection

2009-05-03 Thread Fajar A. Nugraha
On Mon, May 4, 2009 at 12:26 PM, Eric wrote:
> I found this reply in freeradius mailing list in 2005:
>
> " It's impossible to enforce traffic limiting *during* a users
> session.  So if a user is a tiny bit below their limit and logs in
> again, they can go over their limit.  The server will only catch &
> enforce their limit on the next login.
>   This has been discussed multiple times on the list over the past 5
> years."
>
> Is this possible now in new versions ?

POSSIBLE, yes. See Ivan's response. The prerequisite is that the NAS
supports Packet of Disconnect (POD).
Is it recommended? No.

Regards,

Fajar



Re: Re :checking authorization in the duration of connection

2009-05-03 Thread Ivan Kalik
> NAS sends accounting update packets in periodic times. I want
> freeradius use this updates and
> check my online users periodically and send Disconnect packet if
> user's traffic is above my
> limit.
> How can it do this?

You can write your own module or program that will check your limit and, if
the user is over it, call radclient and send a PoD to your NAS. Are you sure
that your NAS knows what to do with PoD?

> any document about config ?

No, because it's a very bad way of doing things.

There are far better (tried and tested) ways of enforcing limits using
counters/sqlcounters at login time. If you use them, your user will not be
able to go over the limit, as NAS will disconnect him (without any need
for external PoD) when the limit is reached. And you don't need interim
accounting packets.

Ivan Kalik
Kalik Informatika ISP

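The enforcement options this thread keeps returning to, as an added Python example (not code from the thread, from FreeRADIUS or from any of the posters): a traffic sqlcounter that hands the NAS the remaining allowance at authentication, 64-bit usage reassembled from the octet and gigawords accounting attributes, one stored row per interim update as in the netexpertise daily-accounting article, and, as the fallback Ivan calls a bad way of doing things, a watchdog that builds a Disconnect-Request (PoD) for radclient from the accounting request. The record layout, the sample rows, the 5 GiB quota, the attribute name "Vendor-Traffic-Limit", the NAS address and the shared secret are constructed placeholders; radclient's `disconnect` command and port 3799 are the real tool and the RFC 5176 port, but the block only builds the argv and never sends anything.

```python
"""Traffic-quota helpers around RADIUS accounting (added example, not from the thread)."""
from __future__ import annotations

from dataclasses import dataclass
from typing import Iterable

# Acct-Input/Output-Gigawords (RFC 2869) carry the high 32 bits of the octet
# counters; a session lasting days wraps the 32-bit octet field every 4 GiB.
GIGAWORD = 1 << 32
COA_PORT = 3799  # RFC 5176 port a NAS listens on for Disconnect/CoA requests


@dataclass(frozen=True)
class AcctRecord:
    """One stored Accounting-Request (Interim-Update or Stop); a constructed layout."""
    user: str
    session_id: str      # Acct-Session-Id
    status: str          # Acct-Status-Type: "Interim-Update" or "Stop"
    in_octets: int       # Acct-Input-Octets (low 32 bits)
    in_gigawords: int    # Acct-Input-Gigawords (high 32 bits)
    out_octets: int      # Acct-Output-Octets
    out_gigawords: int   # Acct-Output-Gigawords


def total_octets(octets: int, gigawords: int) -> int:
    """Reassemble the 64-bit counter that the NAS split across two attributes."""
    return gigawords * GIGAWORD + octets


def session_total(r: AcctRecord) -> int:
    """Input plus output octets reported by one accounting packet."""
    return total_octets(r.in_octets, r.in_gigawords) + total_octets(r.out_octets, r.out_gigawords)


def usage_by_user(records: Iterable[AcctRecord]) -> dict[str, int]:
    """Octets used per user across all sessions in the reset period.

    Counters are cumulative within a session, so with a row per interim update
    the highest value seen per session counts that session exactly once and
    survives a lost Stop packet (only traffic after the last update is lost).
    """
    per_session: dict[tuple[str, str], int] = {}
    for r in records:
        key = (r.user, r.session_id)
        per_session[key] = max(per_session.get(key, 0), session_total(r))
    usage: dict[str, int] = {}
    for (user, _), octets in per_session.items():
        usage[user] = usage.get(user, 0) + octets
    return usage


def login_reply(limit: int, used: int) -> dict[str, int] | None:
    """What a traffic sqlcounter decides at authentication.

    None means the quota is exhausted (Access-Reject); otherwise the remaining
    allowance goes to the NAS in its traffic-limit VSA and the NAS itself ends
    the session. "Vendor-Traffic-Limit" is a placeholder for the attribute in
    your NAS vendor's dictionary.
    """
    remaining = limit - used
    if remaining <= 0:
        return None
    return {"Vendor-Traffic-Limit": remaining}


def sessions_over_limit(records: Iterable[AcctRecord], limit: int) -> list[AcctRecord]:
    """Fallback when the NAS has no traffic VSA but supports PoD: after each
    interim update, list still-open sessions of users who are at or over quota."""
    records = list(records)
    usage = usage_by_user(records)
    stopped = {(r.user, r.session_id) for r in records if r.status == "Stop"}
    latest: dict[tuple[str, str], AcctRecord] = {}
    for r in records:
        latest[(r.user, r.session_id)] = r
    return [r for key, r in latest.items() if key not in stopped and usage[r.user] >= limit]


def disconnect_request(r: AcctRecord, nas_ip: str, secret: str) -> tuple[list[str], str]:
    """Build the radclient argv and the attribute list it reads on stdin for a
    Disconnect-Request. Identifiers come straight from the accounting request;
    nothing is sent here, the caller would run argv with attrs as its input."""
    argv = ["radclient", "-x", f"{nas_ip}:{COA_PORT}", "disconnect", secret]
    attrs = "\n".join([
        f'User-Name = "{r.user}"',
        f'Acct-Session-Id = "{r.session_id}"',
        f"NAS-IP-Address = {nas_ip}",
    ]) + "\n"
    return argv, attrs


# Constructed sample rows: alice's second update wrapped the 32-bit input
# counter (gigawords went 0 -> 1), so ignoring gigawords would under-count her;
# bob's session has already stopped.
SAMPLE_RECORDS = [
    AcctRecord("alice", "s1", "Interim-Update", 4_000_000_000, 0, 1_000_000, 0),
    AcctRecord("alice", "s1", "Interim-Update", 100_000_000, 1, 2_000_000, 0),
    AcctRecord("bob", "s2", "Stop", 300_000_000, 0, 50_000_000, 0),
]
QUOTA = 5 * 2**30  # constructed 5 GiB allowance per reset period


if __name__ == "__main__":
    for user, used in usage_by_user(SAMPLE_RECORDS).items():
        print(user, used, login_reply(QUOTA, used))
    for r in sessions_over_limit(SAMPLE_RECORDS, 4 * 2**30):
        argv, attrs = disconnect_request(r, "192.0.2.1", "s3cr3t")
        print(" ".join(argv), attrs, sep="\n")
```

The login-time path (`login_reply`) is the one the thread recommends: the limit travels with the Access-Accept and the NAS enforces it without any interim packets. The watchdog path (`sessions_over_limit` plus `disconnect_request`) only works on a NAS that honours PoD and only as often as interim updates arrive, which is why the margin between limit and actual usage can be an entire interim interval.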


Re: Re :checking authorization in the duration of connection

2009-05-03 Thread Marinko Tarlac
You'll need to check this during the connection process, and you can send
info to the NAS about the traffic limit (if your NAS supports this).


Волошин Вячеслав wrote:
Radius and NAS can work only one way. Only the NAS sends accounting packets to
RADIUS. RADIUS CAN'T send a packet to the NAS server (if the user's traffic
quota limit is exceeded)!!!


- Original Message -
*From:* Eric 
*To:* freeradius-users@lists.freeradius.org

*Sent:* Sunday, May 03, 2009 2:09 PM
*Subject:* Re :checking authorization in the duration of connection

NAS sends accounting update packets periodically. I want freeradius to use these
updates, check my online users periodically and send a Disconnect packet if a
user's traffic is above my limit.
How can it do this?
Any document about config?

Eric wrote:

Hi,

My radius server uses an ldap server for authorization and
authentication. I set an attribute in the ldap server that is the
check-name in sqlcounter to limit users' input traffic. I want
the user to be stopped when their traffic reaches this amount,
but radius checks ldap attributes only at the start of the
connection, not in the middle. How can I set the radius server to
check users' traffic against the amount of this attribute in the ldap
server for the duration of the connection?


The radius server steps out of the way once authentication and
authorization are complete, and it does not have the ability to
disconnect a user from a NAS. You need to have the NAS disconnect
the user itself when a threshold is reached. This is accomplished
by returning a vendor specific attribute specifying the limit for
the session which the NAS then maintains. Once the limit on the
NAS is reached the NAS terminates the session. You'll have to
check your NAS documentation for a traffic limiting parameter. In
the other common case of disconnect after a time duration it's
handled by computing the session length during authorization and
returning attribute 194 with the maximum number of seconds for the
connection. This attribute is understood by common NAS devices and
is known variously as Ascend-Maximum-Time, Cisco-Maximum-Time or
Lucent-Maximum-Time. You'll need to apply the same logic for data
volume.







Re: Re :checking authorization in the duration of connection

2009-05-03 Thread Волошин Вячеслав
Radius and NAS can work only one way. Only the NAS sends accounting packets to
RADIUS. RADIUS CAN'T send a packet to the NAS server (if the user's traffic
quota limit is exceeded)!!!
  - Original Message - 
  From: Eric 
  To: freeradius-users@lists.freeradius.org 
  Sent: Sunday, May 03, 2009 2:09 PM
  Subject: Re :checking authorization in the duration of connection


NAS sends accounting update packets periodically. I want freeradius to use
these updates, check my online users periodically and send a Disconnect packet
if a user's traffic is above my limit.
How can it do this?
Any document about config?

Eric wrote:

Hi,

My radius server uses an ldap server for authorization and authentication. I set
an attribute in the ldap server that is the check-name in sqlcounter to limit
users' input traffic. I want the user to be stopped when their traffic reaches
this amount, but radius checks ldap attributes only at the start of the
connection, not in the middle. How can I set the radius server to check users'
traffic against the amount of this attribute in the ldap server for the
duration of the connection?

The radius server steps out of the way once authentication and authorization
are complete, and it does not have the ability to disconnect a user from a NAS.
You need to have the NAS disconnect the user itself when a threshold is reached.
This is accomplished by returning a vendor specific attribute specifying the
limit for the session which the NAS then maintains. Once the limit on the NAS
is reached the NAS terminates the session. You'll have to check your NAS
documentation for a traffic limiting parameter. In the other common case of
disconnect after a time duration it's handled by computing the session length
during authorization and returning attribute 194 with the maximum number of
seconds for the connection. This attribute is understood by common NAS devices
and is known variously as Ascend-Maximum-Time, Cisco-Maximum-Time or
Lucent-Maximum-Time. You'll need to apply the same logic for data volume.

