radiusplugin-users

Re: [Radiusplugin-users] Anyone knows how to use Radiusplugin to limit c


From: Ralf Lübben
Subject: Re: [Radiusplugin-users] Anyone knows how to use Radiusplugin to limit client's traffic?
Date: Wed, 9 Jun 2010 18:54:54 +0200
User-agent: KMail/1.12.2 (Linux/2.6.31-21-generic; KDE/4.3.2; i686; ; )

Thanks for the example.

To get intermediate updates for the accounting values you can specify the 
RADIUS attribute "Acct-Interim-Interval" for your users.  The attribute 
specifies an interval [in seconds], in which the plugin will send the current 
accounting values to the RADIUS server. 

So the users get disconnected at the next key re-negotiation.

You can also specify the re-negotiation based on bytes with "--reneg-bytes", 
so the maximum gap will be the configured bytes (under the assumption that 
the "Acct-Interim-Interval" is shorter than the interval for key 
renegotiation).  
Also note that the re-negotiation should not occur too frequently, because it 
puts load on the OpenVPN/plugin and the RADIUS server. 
For a lot of users you should configure "useauthcontrolfile=true" in the plugin 
configuration file. If set to "false", OpenVPN will block during the 
authentication; if set to "true", the authentication is done in the background.

The accounting update does not put much load on the plugin; it's completely 
done in the background.

Ralf 

Am Mittwoch, 9. Juni 2010 05:31:33 schrieb Tony Zhou:
> Here are the steps to enable a very rough traffic limit on
>  Freeradius+OpenVPN:
> 
> I'm using Freeradius 2.1.0 + Postgresql 8.4.4, enabled a traffic limit for
> group users of 5G/month
> 
> 1. Add a row in db, set the limit
> 
> Insert into radgroupreply (groupname, attribute, op, value) values ('user',
> 'Max-Monthly-Traffic', ':=', '5368709120');
> 
> Units in bytes
> 
> 2. Detect the user's traffic before login; if it exceeds the limit, reject
> the authentication
> 
> Add the following line to /etc/freeradius/sites-enabled/default, in the
> authorization section:
> 
> if ("%{sql: SELECT SUM(acctinputoctets+acctoutputoctets) FROM radacct WHERE
> username='%{User-Name}' AND date_trunc('day', acctstarttime) >= date_trunc
> ('month', current_date) AND date_trunc('day', acctstoptime) <=
> last_day(current_date);}" >= "%{sql: SELECT value FROM radgroupreply WHERE
> attribute='Max-Monthly-Traffic';}") {
>       reject
> }
> 
> 3. Define the last_day() function in db
> 
> Since I used the time period of the 1st and the last day in a month, the
> date needs to be defined.
> 
> This function is from http://wiki.postgresql.org/wiki/Date_LastDay
> 
> CREATE OR REPLACE FUNCTION last_day(date)
> RETURNS date AS
> $$
>   SELECT (date_trunc('MONTH', $1) + INTERVAL '1 MONTH - 1 day')::date;
> $$ LANGUAGE 'sql' IMMUTABLE STRICT;
> 
> 4. Define Max-Monthly-Traffic in dictionary
> 
> Add line:
> Attribute Max-Monthly-Traffic 3003 integer
> 
> Restart freeradius and openvpn and the traffic limit applies.
> 
> I'm a newbie to pgsql and freeradius, so the script is quite rough. Any
> suggestions are welcome.
> 
> BTW, this script cannot kick a user off in real time, since acctinputoctet
> and acctoutputoctet would not update until the user logs off. Ralf suggested
> using reneg-sec to force the user to re-authenticate to refresh and detect
> the traffic used.
> 
> 
> -----Original Message-----
> From: Ralf Lübben [mailto:address@hidden
> Sent: Tuesday, June 08, 2010 4:07 PM
> To: address@hidden
> Cc: Tony Zhou
> Subject: Re: [Radiusplugin-users] Anyone knows how to use Radiusplugin to
> limit client's traffic?
> 
> Hi,
> 
> the RADIUS server can support it in combination with OpenVPN:
> 
> 1) The RADIUS server cannot disconnect a user from OpenVPN, but OpenVPN re-
> authenticates a user in a specific interval which can be configured with
>  the option "--reneg-sec", then the authentication/re-authentication will
>  fail, if the user exceeds a traffic limit.
> So the traffic limit will not be kept exactly but approximately.
> 
> 2) The RADIUS server can reject authentication requests, if some values
> are exceeded. This is implemented by "Rlm_sqlcounter", examples can be
>  found in the freeradius directory "freeradius/sql/postgresql", an
>  installation guide at http://wiki.freeradius.org/Rlm_sqlcounter .
> You should consider the RADIUS accounting attributes "Acct-Input-Octets",
> "Acct-Output-Octets", "Acct-Input-Gigawords" and "Acct-Output-Gigawords".
> 
> 
> It would be great if you can post a complete solution if you find one.
> 
> Regards,
> Ralf
> 
> Am Dienstag, 8. Juni 2010 03:56:55 schrieb Tony Zhou:
> > Hi all,
> >
> >
> >
> > I'm running Freeradius 2.1+Postgresql 8.4.4+OpenVPN on Ubuntu 9.10
> > x86. It runs smoothly now, however, I want to know that if there is
> > any way to  limit per user's traffic, like 10G/month, and
> > disconnect/reject their  connection when the limitation has been reached.
> >
> >
> >
> > I have asked this on FreeRADIUS maillist and they said that is NAS
> > client related. Is there any function in Radiusplugin or any
> > additional script could do this?
> >
> >
> >
> > Thanks in advance.
> 
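
Added example, not part of the original messages and not radiusplugin or FreeRADIUS code: a small Python model of the enforcement gap discussed in this thread, showing how far a user can run past the quota depending on Acct-Interim-Interval and --reneg-sec, and why the Gigawords attributes are needed for a 5 GiB limit. The constant transfer rate, the function names and the sample accounting record are assumptions; --reneg-bytes is not modelled.

```python
# Added example: a constructed model, not radiusplugin or FreeRADIUS code.
GIGAWORD = 2 ** 32  # Acct-*-Octets is a 32-bit counter; Acct-*-Gigawords counts its wraps


def record_octets(rec):
    """Total bytes reported by one accounting record (input + output)."""
    words = rec.get("Acct-Input-Gigawords", 0) + rec.get("Acct-Output-Gigawords", 0)
    return words * GIGAWORD + rec.get("Acct-Input-Octets", 0) + rec.get("Acct-Output-Octets", 0)


def monthly_usage(records):
    """Sum the final accounting record of each finished session in the month."""
    return sum(record_octets(r) for r in records)


def simulate(quota, rate, interim, reneg_sec, used_before=0, horizon=86400):
    """Return (second of disconnect, bytes used by then) for one new session.

    Assumptions: constant rate in bytes/second, interim updates every
    `interim` seconds (Acct-Interim-Interval), re-authentication every
    `reneg_sec` seconds (--reneg-sec). The RADIUS server only knows what the
    last interim update reported and can only act when OpenVPN re-authenticates.
    """
    reported = used_before
    for t in range(1, horizon + 1):
        if t % interim == 0:
            reported = used_before + rate * t      # interim update arrives
        if t % reneg_sec == 0 and reported >= quota:
            return t, used_before + rate * t       # re-authentication rejected here
    return None, used_before + rate * horizon


# Constructed sample: one earlier session that moved 4 GiB + 512 MiB.
PAST = [{"Acct-Input-Octets": 536870912, "Acct-Input-Gigawords": 1,
         "Acct-Output-Octets": 0, "Acct-Output-Gigawords": 0}]
QUOTA = 5368709120  # the 5 GiB value used in the thread

if __name__ == "__main__":
    used = monthly_usage(PAST)
    for interim, reneg in ((60, 3600), (60, 300), (900, 300)):
        t, total = simulate(QUOTA, 1_000_000, interim, reneg, used)
        print(f"interim={interim}s reneg={reneg}s -> cut at {t}s, "
              f"{total - QUOTA} bytes over quota")
```

In the third case the interim interval is longer than the renegotiation interval, so two re-authentications pass before the server has seen any usage from the running session.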


