Written by Start a WISP Site Admin
Thursday, 19 May 2005
"What's the best way to go about enforcing bandwidth caps on a per-user
basis? If I have a user on RADIUS, is there a way to enforce a set
amount of data transfer per month (e.g. 20gb)? Once the user has reached
their quota the PPPoE Concentrator/NAS disconnects them or reduces
their speed to say 64k?
I'm guessing this would require some special features on the
access-device/concentrator to allow this, and may require some fancy
stuff on the RADIUS server to calculate the ongoing quotas? Or am I
wishing for too much?"
sporkme: What I'm describing would work with PPPoE and radius, but I have no
idea how wireless gear that does authentication/accounting with radius
would work. Do any of the devices provide account session byte counts?
If so, then the below would apply...
I'm not going to say it's easy, but as long as you timeout your sessions after say, 24 hours or
whatever granularity you need, you should have the info. Each time the
access server sends the accounting "stop" packet, it should include a
"bytes transferred" number that will get stashed in your radius sql
backend (yeah, you really want to use a sql-backed radius server like
gnu-radius, freeradius, radiator). Part of your "can they auth" sql
query can total up the bytes transferred and deny access, or possibly
send a custom reply to your access server device to throttle them.
joeyconcrete (original submitter): Thanks for the reply. I understand what you're saying about the "stop"
accounting messages, but as you pointed out - these are only available
when a session has ended. There's the interim accounting which I
understand. What I'm wondering is whether there is a way whereby you can actively
disconnect a session by sending a "message" of some sort from the
RADIUS server. Almost like a "stop" message sent to the access-device.
The less elegant solution of disconnecting their session every xxx hours
would work - I'm presuming a session-timeout will drop the PPP
connection entirely?
sporkme: While I've seen Radius bent into some strange shapes, usually this is
done when the session is started. That sounds crazy, but think of RAS
gear... A user dials in, and the radius server OK's him. Along with
that information, it may also specify the user has an idle-timeout of
10 minutes, a session-timeout of 8 hours, etc. So in that case, lots of
the "counting" is really done on the radius client. Sometimes the
radius server and the client may both be doing some neat stuff that in
combination leads to something like "this user can have X bytes/month".
Now how radios implement this, I have no idea. My day job is totally wired.
Original thread location
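The auth-time quota check described in the replies above (total the accounting byte counts, then deny or throttle, with a session-timeout forcing periodic re-auth), as an added example that is not code from the thread. The table and column names are assumed to follow the FreeRADIUS `radacct` schema, `Example-Rate-Limit` is a hypothetical placeholder for a vendor-specific throttle attribute, and the accounting rows are constructed.

```python
import sqlite3

QUOTA_BYTES = 20 * 10**9          # the 20 GB monthly cap from the question
MAX_SESSION = 24 * 3600           # force re-auth daily, as the reply suggests
THROTTLE_ATTR = "Example-Rate-Limit"  # hypothetical; real attribute is vendor-specific

def octets(low32, gigawords):
    """Acct-*-Octets wraps at 2**32; Acct-*-Gigawords counts the wraps."""
    return (gigawords << 32) | low32

def month_usage(db, user, month_start):
    """Bytes for sessions started since month_start. Open sessions
    (acctstoptime NULL) are included via their interim-update counters."""
    row = db.execute(
        "SELECT COALESCE(SUM(acctinputoctets + acctoutputoctets), 0) "
        "FROM radacct WHERE username = ? AND acctstarttime >= ?",
        (user, month_start)).fetchone()
    return row[0]

def authorize(db, user, month_start, over_quota="throttle"):
    """Return (packet type, reply attributes) for an Access-Request."""
    reply = {"Session-Timeout": MAX_SESSION}
    if month_usage(db, user, month_start) < QUOTA_BYTES:
        return ("Access-Accept", reply)
    if over_quota == "throttle":
        reply[THROTTLE_ATTR] = "64k"
        return ("Access-Accept", reply)
    return ("Access-Reject", {})

def demo_db():
    """Constructed sample accounting rows, not data from the thread."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE radacct (username TEXT, acctstarttime TEXT, "
               "acctstoptime TEXT, acctinputoctets INTEGER, acctoutputoctets INTEGER)")
    db.executemany("INSERT INTO radacct VALUES (?,?,?,?,?)", [
        ("alice", "2005-04-20 08:00:00", "2005-04-21 08:00:00", 15 * 10**9, 0),
        ("alice", "2005-05-02 08:00:00", "2005-05-03 08:00:00",
         octets(294_967_296, 4), 10**9),                           # wrapped 4 times
        ("alice", "2005-05-18 08:00:00", None, 2 * 10**9, 0),     # still online
        ("bob",   "2005-05-10 09:00:00", "2005-05-10 17:00:00", 10**9, 2 * 10**8),
    ])
    return db

if __name__ == "__main__":
    db = demo_db()
    for user in ("alice", "bob"):
        print(user, month_usage(db, user, "2005-05-01 00:00:00"),
              authorize(db, user, "2005-05-01 00:00:00"))
```

If the 32-bit octet counter is stored without its gigawords value, the wrapped session above would be recorded as about 0.3 GB instead of about 17.5 GB and the user would never reach the cap.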