I can make a bash script that can pull active radius users and check their quota limit against their usage. If it finds an over-quota user, it will simply disconnect them. It is a test script and contains some junk data, but it's working fine. Now my question is: what is the suitable method to inject this script into the freeradius server?
a) CRON JOB
b) in freeradius/mysql counter or someplace where it initiates automatically?
SCRIPT CODE:
-------------------
#!/bin/bash
#set -x
# HEADER -----------
# SCRIPT to fetch data of active radius users into a file, then check their quota limit against their usage.
# If quota is over, disconnect them.
# Syed Jahanzaib / [email protected] / http://aacable.wordpress.com
# 17-MAR-2016
TMPFILE="/tmp/activeusers"
# Take the second column of the radwho output and drop the header row
radwho | awk '{print $2}' | sed '1d' > "$TMPFILE"
NAS="101.11.11.1"
NASPORT="1700"
SECRET="12345"
CURDATE=$(date)
# Apply formula to get username from TMPFILE and check their quota
num=0
while read -r users
do
    num=$((num+1))
    username=$(echo "$users" | awk '{print $1}')
    # User names are supplied by the client: skip any that could break out of the quoted SQL string
    if ! [[ $username =~ ^[A-Za-z0-9._@-]+$ ]]; then
        echo "Skipping unexpected user name: $username"
        continue
    fi
    QLIMIT=$(mysql -uroot -pxxxx --skip-column-names -e "use radius; SELECT value FROM radcheck WHERE attribute='Mikrotik-Total-Limit' AND username='$username';")
    QUSED=$(mysql -uroot -pxxxx --skip-column-names -e "use radius; SELECT ((SUM(AcctInputOctets)+SUM(AcctOutputOctets))) FROM radacct WHERE UserName='$username'")
    echo "------ $CURDATE"
    echo "$username QUOTA LIMIT= $QLIMIT"
    echo "$username QUOTA USED= $QUSED"
    # An empty or NULL result (no limit set, no accounting rows) would break the numeric test below
    if ! [[ $QLIMIT =~ ^[0-9]+$ && $QUSED =~ ^[0-9]+$ ]]; then
        echo "$username has no numeric limit or usage, skipping"
        continue
    fi
    if [ "$QUSED" -gt "$QLIMIT" ]
    then
        echo "QUOTA REACHED! Disconnecting $username from NAS $NAS"
        echo "user-name=$username" | radclient -x "$NAS:$NASPORT" disconnect "$SECRET"
    else
        echo "$username quota is under Limit"
        echo "------"
    fi
done < "$TMPFILE"
# BASH SCRIPT END

> From: [email protected]
> Date: Thu, 17 Mar 2016 18:49:56 +1300
> To: [email protected]
> Subject: Re: [Mikrotik] mikrotik with freeradius Quota exceed auto disconnection not working
>
> I understand the approach is to scan the radius accounting database
> periodically (ensuring you are getting the accounting updated fast enough)
> and then run the radclient to trigger the disconnect.
>
> http://lists.freeradius.org/pipermail/freeradius-users/2007-September/022210.html
>
> When I ran this (on a small network) we got notifications of usage and then
> killed sessions to cause lockouts if needed (sometimes we would be rate
> limiting or directing to a capture page to promote payment).
>
> Regards
> Alexander
>
> Alexander Neilson
> Neilson Productions Limited
>
> [email protected]
> 021 329 681
>
> On 17 March 2016 at 17:25, JAHANZAIB SYED <[email protected]> wrote:
>
> > I really appreciate that you spare time to reply to my annoying query. I read
> > that a few times before. I have the script to disconnect a user using
> > radclient, but still I am unable to understand in which part I can execute
> > this script? How can I collect data for active users who have reached their
> > limit? How to tell the script to disconnect the over-quota active users?
> >
> > > From: [email protected]
> > > Date: Thu, 17 Mar 2016 17:15:50 +1300
> > > To: [email protected]
> > > Subject: Re: [Mikrotik] mikrotik with freeradius Quota exceed auto disconnection not working
> > >
> > > These links may help you, the first one has a specific line for Mikrotik's
> > >
> > > http://wiki.freeradius.org/protocol/Disconnect-Messages
> > >
> > > "For Mikrotik try:
> > >
> > > # cat packet.txt | radclient -r 1 10.0.0.1:1700 disconnect ''secret''
> > >
> > > where -r 1 means retry only once and give up."
> > >
> > > http://lists.freeradius.org/pipermail/freeradius-users/2012-April/059993.html
> > >
> > > Regards
> > > Alexander
> > >
> > > Alexander Neilson
> > > Neilson Productions Limited
> > >
> > > [email protected]
> > > 021 329 681
> > >
> > > On 17 March 2016 at 16:58, JAHANZAIB SYED <[email protected]> wrote:
> > >
> > > > Accept my apology that I am really new to the freeradius thing. I am doing LAB
> > > > testing and it's a pretty straightforward setup. One Mikrotik and one
> > > > Freeradius server on Ubuntu 12.x with standard installation. Nothing
> > > > customized.
> > > >
> > > > Can you please tell me how I can trigger the disconnection script (I
> > > > can make my own script like using RADCLIENT) once the user hits the limit?
> > > >
> > > > > From: [email protected]
> > > > > Date: Thu, 17 Mar 2016 16:41:55 +1300
> > > > > To: [email protected]
> > > > > Subject: Re: [Mikrotik] mikrotik with freeradius Quota exceed auto disconnection not working
> > > > >
> > > > > Please see the below.
> > > > >
> > > > > -------------------------------------------------------------------------
> > > > >
> > > > > http://wiki.mikrotik.com/wiki/Manual:RADIUS_Client
> > > > >
> > > > > Change of Authorization
> > > > >
> > > > > RADIUS disconnect and Change of Authorization (according to RFC3576) are
> > > > > supported as well. These attributes may be changed by a CoA request from
> > > > > the RADIUS server:
> > > > >
> > > > > - Mikrotik-Group
> > > > > - Mikrotik-Recv-Limit
> > > > > - Mikrotik-Xmit-Limit
> > > > > - Mikrotik-Rate-Limit
> > > > > - Ascend-Data-Rate (only if Mikrotik-Rate-Limit is not present)
> > > > > - Ascend-XMit-Rate (only if Mikrotik-Rate-Limit is not present)
> > > > > - Mikrotik-Mark-Id
> > > > > - Filter-Id
> > > > > - Mikrotik-Advertise-Url
> > > > > - Mikrotik-Advertise-Interval
> > > > > - Session-Timeout
> > > > > - Idle-Timeout
> > > > > - Port-Limit
> > > > >
> > > > > Note that it is not possible to change IP address, pool or routes that way
> > > > > - for such changes a user must be disconnected first.
> > > > > ------------------------------------------------------------------
> > > > >
> > > > > So you could send a disconnect when they hit limit or change authorisation
> > > > > to set rate limit to something really small.
> > > > >
> > > > > If this isn't working a capture of someone crossing the rate limit and the
> > > > > COA / POD may allow others or myself to help diagnose (please also include
> > > > > a sanitised config showing the relevant areas and a network diagram to help
> > > > > understand anything specific in your setup)
> > > > >
> > > > > Regards
> > > > > Alexander
> > > > >
> > > > > Alexander Neilson
> > > > > Neilson Productions Limited
> > > > >
> > > > > [email protected]
> > > > > 021 329 681
> > > > >
> > > > > On 17 March 2016 at 16:24, JAHANZAIB SYED <[email protected]> wrote:
> > > > >
> > > > > > Thanks for the reply. I am testing now on 6.x with the same issue.
> > > > > > Any example?
> > > > > >
> > > > > > > From: [email protected]
> > > > > > > Date: Thu, 17 Mar 2016 16:21:27 +1300
> > > > > > > To: [email protected]
> > > > > > > Subject: Re: [Mikrotik] mikrotik with freeradius Quota exceed auto disconnection not working
> > > > > > >
> > > > > > > Are you configured to send COA or POD from the radius server once the
> > > > > > > limit is reached?
> > > > > > >
> > > > > > > I understand Mikrotik may have published a new dictionary for radius to
> > > > > > > reflect changes they have made
> > > > > > >
> > > > > > > IIRC they used to allow only POD and no COA but now support COA as well.
> > > > > > > This may allow you to make it work on 6.34 but not in V5.
> > > > > > >
> > > > > > > Also maybe check if you have these signals configured with a capture to
> > > > > > > ensure they are sent across.
> > > > > > >
> > > > > > > Regards
> > > > > > > Alexander
> > > > > > >
> > > > > > > > On 17/03/2016, at 16:04, JAHANZAIB SYED <[email protected]> wrote:
> > > > > > > >
> > > > > > > > Testing it on Mikrotik 5.20 and 6.34.x
> > > > > > > > Same issue that users don't get auto disconnected when quota reaches
> > > > > > > > limit. [however they get access denied on their next login]
> > > > > > > >
> > > > > > > >> Date: Wed, 16 Mar 2016 08:34:38 -0400
> > > > > > > >> From: [email protected]
> > > > > > > >> To: [email protected]
> > > > > > > >> Subject: Re: [Mikrotik] mikrotik with freeradius Quota exceed auto disconnection not working
> > > > > > > >>
> > > > > > > >> What version of Mikrotik?
> > > > > > > >>
> > > > > > > >>> On Wed, March 16, 2016 6:16 am, JAHANZAIB SYED wrote:
> > > > > > > >>> I am using Mikrotik with FREERADIUS 2.x. Radius Incoming is enabled with
> > > > > > > >>> port 1700.
> > > > > > > >>>
> > > > > > > >>> My problem is that after a user reaches his quota limit, he does not get
> > > > > > > >>> disconnected automatically. If I disconnect him myself and he tries to
> > > > > > > >>> reconnect then he gets access denied. How can this disconnection be made
> > > > > > > >>> automatic?
> > > > > > > >>>
> > > > > > > >>> Using following sql counter.
> > > > > > > >>>
> > > > > > > >>> sqlcounter totalbytecounter {
> > > > > > > >>>     counter-name = Mikrotik-Total-Limit
> > > > > > > >>>     check-name = Mikrotik-Total-Limit
> > > > > > > >>>     reply-name = Mikrotik-Total-Limit
> > > > > > > >>>     reply-message = "You have reached your bandwidth limit"
> > > > > > > >>>     sqlmod-inst = sql
> > > > > > > >>>     key = User-Name
> > > > > > > >>>     reset = never
> > > > > > > >>>     query = "SELECT ((SUM(AcctInputOctets)+SUM(AcctOutputOctets))) FROM radacct WHERE UserName='%{%k}'"
> > > > > > > >>> }
> > > > > > > >>>
> > > > > > > >>> Also I have defined this under authorize section in
> > > > > > > >>> /etc/freeradius/sites-enabled/default
> > > > > > > >>>
> > > > > > > >>> totalbytecounter
> > > > > > > >>>
> > > > > > > >>> Help Please.
> > > > > > > >>>
> > > > > > > >>> -------------- next part --------------
> > > > > > > >>> An HTML attachment was scrubbed...
> > > > > > > >>> URL: <http://mail.butchevans.com/pipermail/mikrotik/attachments/20160316/4ce0242d/attachment.html>
> > > > > > > >>> _______________________________________________
> > > > > > > >>> Mikrotik mailing list
> > > > > > > >>> [email protected]
> > > > > > > >>> http://mail.butchevans.com/mailman/listinfo/mikrotik
> > > > > > > >>>
> > > > > > > >>> Visit http://blog.butchevans.com/ for tutorials related to Mikrotik RouterOS
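
Added example (not part of the original thread and not the poster's script): one way to make the over-quota decision without pasting a client-supplied User-Name into SQL, and without a NULL or empty result breaking the numeric test. DB_CNF, the allow-list policy and the sample rows are assumptions made for the illustration; table and column names are the ones used in the thread.

```bash
#!/bin/sh
# Added example: quota decision kept separate from database and NAS side effects.
# DB_CNF is a hypothetical root-only option file holding the MySQL credentials,
# so no password appears on the command line.
DB_CNF="/etc/freeradius/quota-db.cnf"
TAB=$(printf '\t')

# Allow-list check: 1-64 characters from a conservative set (assumed policy).
valid_username() {
    case $1 in ''|*[!A-Za-z0-9._@-]*) return 1 ;; esac
    [ "${#1}" -le 64 ]
}

# Unsigned decimal of at most 18 digits, so "NULL", "" or "-1" never reach -gt.
is_uint() {
    case $1 in ''|*[!0-9]*) return 1 ;; esac
    [ "${#1}" -le 18 ]
}

# One aggregate query for every user that has a limit; no user name is
# interpolated into the statement.
quota_rows() {
    mysql --defaults-extra-file="$DB_CNF" --batch --skip-column-names \
          --database=radius -e "
        SELECT c.username, c.value,
               SUM(a.AcctInputOctets) + SUM(a.AcctOutputOctets)
        FROM radcheck c JOIN radacct a ON a.UserName = c.username
        WHERE c.attribute = 'Mikrotik-Total-Limit'
        GROUP BY c.username, c.value"
}

# Read "user<TAB>limit<TAB>used" rows on stdin, print the users over their limit.
over_quota_users() {
    while IFS="$TAB" read -r user limit used; do
        valid_username "$user" || continue
        is_uint "$limit" && is_uint "$used" || continue
        if [ "$used" -gt "$limit" ]; then
            printf '%s\n' "$user"
        fi
    done
    return 0
}

# Constructed sample rows standing in for quota_rows output (not real data).
sample_rows() {
    printf '%s\t%s\t%s\n' alice 1000 1500  bob 1000 200  carol NULL 900 \
        dave 500 NULL  "bad'name" 1 999  frank 2000 2001  gina 300 300
}
```

On a live server, `quota_rows | over_quota_users` replaces `sample_rows | over_quota_users`; intersect the result with the active-session list from radwho before sending the radclient disconnect shown in the thread.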

