Hello Rohan -

What I described was one typical way it is done automatically, but obviously other methods are possible.

regards

Hugh

On 18 Oct 2012, at 02:49, <[email protected]> wrote:

> Thanks Hugh.
>
>
> Oh Yes! I recall there was discussion around tracking usage via interim
> accounting. But it's an external system (linked to our billing system) that
> will monitor user sessions for usage thresholds and initiate the COA as well
> as modify the user profile in LDAP temporarily should a user reconnect.
>
> I will need to get more feedback on how the external system will be
> initiating the COA (such as by bulk or single). Based on your description
> below it appears that COA is normally done in bulk.
>
> Rohan.
>
>
> On Wed, 17 Oct 2012 08:42:00 +1100
> Hugh Irvine <[email protected]> wrote:
>>
>> Hello Rohan -
>>
>> See below.
>>
>> On 17 Oct 2012, at 04:11, <[email protected]> wrote:
>>
>>> Thanks Hugh,
>>>
>>> I will pass on your hello to Elon :). Seems like a bit of configuration.
>>>
>>> Are you confirming that Interim-Update is required for COA?
>>
>> Typically you want to use COA on a session that has exceeded some limit,
>> therefore you need to know when the session has exceeded whatever limit and
>> take action when it happens.
>>
>> The only way to know what is happening with an existing session using RADIUS
>> is via interim accounting.
>>
>>> And how is COA triggered from the Billing/Provisional system?
>>
>> You would have a periodic cron job or similar scan the database.
>>
>>> Is COA described anywhere in the RADIATOR documentation?
>>
>> COA is supported (or not) by the NAS equipment in question, and varies from
>> one device to another.
>>
>> Here is the help for the "radpwtst" utility:
>>
>>
>> Radiator-4.10 hugh$ perl radpwtst -h
>>
>> usage: radpwtst [-h] [-time] [-iterations n]
>>         [-trace [level]] [-s server] [-secret secret] [-retries n]
>>         [-noauth] [-noacct][-nostart] [-nostop] [-alive] [-status]
>>         [-chap] [-chap_nc] [-mschap] [-mschapv2] [-eapmd5] [-eapotp]
>>         [-eapgtc] [-sip] [-leap]
>>         [-motp_secret xxxxxxxxxxxxxxxx] [-eaphex xxxxxxxxxxxxx]
>>         [-accton] [-acctoff] [-framed_ip_address address]
>>         [-auth_port port] [-acct_port port] [-identifier n]
>>         [-user username] [-password password]
>>         [-nas_ip_address address] [-nas_identifier string]
>>         [-nas_port port] [-nas_port_type type] [-service_type service]
>>         [-calling_station_id string] [-called_station_id string]
>>         [-session_id string] [-interactive]
>>         [-delay_time n] [-session_time n] [-input_octets n]
>>         [-output_octets n] [-timeout n] [-dictionary file,file]
>>         [-gui] [-class string] [-useoldascendpasswords]
>>         [-code requestcode] [-raw data] [-rawfile filename]
>>         [-rawfileseq filename]
>>         [-outport port] [-bind_address dotted-ip-address]
>>         [-options optionfile]
>>         [attribute=value]...
>>
>>
>> You would use it something like this (depending on what specific
>> attribute-value pairs the NAS requires):
>>
>>
>> perl radpwtst -noauth -noacct -code Change-Filter-Request -s n.n.n.n
>> -auth_port nnn -secret _the_shared_secret_ User-Name=someuser
>> Acct-Session-Id=whatever …..
>>
>>
>> You will need to check your NAS documentation to verify exactly what is
>> required, and you will need to do some experiments to discover exactly what
>> works.
>>
>> regards
>>
>> Hugh
>>
>>
>>>
>>> On Tue, 16 Oct 2012 13:22:48 +1100
>>> Hugh Irvine wrote:
>>>>
>>>> Hello Rohan -
>>>>
>>>> Depending on your exact requirements, here are the various elements you'll
>>>> need.
>>>>
>>>> 1. an SQL database for your customer records and accounting records
>>>>
>>>> 2. each customer record must have accounting totals updated in real time
>>>> by RADIUS interim accounting requests as well as session accounting
>>>>
>>>> 3. when authenticating a customer (user) you need to check the current
>>>> totals in the customer record and return the appropriate RADIUS reply
>>>> items (ie. time remaining and/or quota limits and/or bandwidth limits)
>>>>
>>>> 4. a cron job to scan the customer records periodically and if a change is
>>>> required to a current customer session, run a script that calls the
>>>> "radpwtst" utility with whatever COA attribute-value pairs are necessary
>>>>
>>>> 5. an end-of-billing period cron job to reset the totals in the customer
>>>> records when the new period begins
>>>>
>>>> Note that Radiator itself in this scenario is only required to process the
>>>> RADIUS authentication requests and accounting requests, everything else is
>>>> done directly on the database with scripts.
>>>>
>>>> hope that helps
>>>>
>>>> regards
>>>>
>>>> Hugh
>>>>
>>>> ps - please give my best regards to Elon Richards and his colleagues at CW
>>>> Barbados
>>>>
>>>>
>>>> On 16 Oct 2012, at 06:03, [email protected] wrote:
>>>>
>>>>> Michael.
>>>>>
>>>>> Thanks much for the start. I am going to do some further reading to see
>>>>> what I can come up with. I must also confirm COA support on our Juniper
>>>>> E320 NAS devices.
>>>>>
>>>>> Rohan
>>>>>
>>>>>
>>>>> On Mon, 15 Oct 2012 13:34:38 -0400
>>>>> Michael wrote:
>>>>>>
>>>>>> This was the hardest thing to get working and automated for me
>>>>>> personally. I don't know if there is an easy way of doing it. I didn't
>>>>>> find one. I accomplished it with a complicated process. It could be as
>>>>>> simple as a script to execute "./radpwtst -s IP -code
>>>>>> Change-Filter-Request etc....."
>>>>>>
>>>>>>
>>>>>> My complicated process goes something like the following, but I would
>>>>>> suggest making sure the above simple method works for you as I do have a
>>>>>> couple nas's where CoA just doesn't work with the IOS that it has.
>>>>>>
>>>>>> - a script process that injects Change-Filter-Request packets into the
>>>>>> radiator service, using radpwtst:
>>>>>>     push( @change_args, (
>>>>>>         '-s', 'local radiator ip',
>>>>>>         '-code', 'Change-Filter-Request',
>>>>>>         "Timestamp=$timestamp",
>>>>>>         "NAS-IP-Address=$nas_ip",
>>>>>>         "NAS-Port=$nas_port",
>>>>>>         "Acct-Session-Id=$sess_id",
>>>>>>         "Framed-IP-Address=$ip",
>>>>>>         "Class=$class",
>>>>>>         "cisco-Policy-Up=$rate_up",
>>>>>>         "cisco-Policy-Down=$rate_down"
>>>>>>     ) );
>>>>>>
>>>>>> - a Handler with custom Hook configured to read the cisco-Policy rate
>>>>>> values from the injected packet, and look up the proper policy command
>>>>>> from a radiator global variable depending on the nas-ip-address since I
>>>>>> have multiple nas's that require different commands.
>>>>>> eg. global variable:
>>>>>>     DefineFormattedGlobalVar 1.2.3.4-RATE100M-up ip:sub-qos-policy-in=RATE100M
>>>>>>     DefineFormattedGlobalVar 1.2.3.4-RATE100M-down ip:sub-qos-policy-out=RATE100M
>>>>>>
>>>>>> - add 2 "cisco-avpair" attributes to the packet with the up rate and
>>>>>> down rate commands. These are the actual commands the NAS needs to
>>>>>> change the rate limit. The policy must already be set up on your nas.
>>>>>> ie:
>>>>>>     cisco-avpair="ip:sub-qos-policy-in=RATE100M"
>>>>>>     cisco-avpair="ip:sub-qos-policy-out=RATE100M"
>>>>>>
>>>>>> - then a custom authby that required patching to determine what nas to
>>>>>> forward the packet to, since I have multiple nas's. Also another authby
>>>>>> that logs this request which is not required but I wanted to log it.
>>>>>>
>>>>>>
>>>>>> There's much more to it, but I don't want to get too deep here. It all
>>>>>> pretty much revolves around building the Change-Filter-Request packet
>>>>>> with "./radpwtst -code Change-Filter-Request" and either send that to the
>>>>>> nas, or inject it into radiator so you can do other things with it.
>>>>>>
>>>>>>
>>>>>> Michael
>>>>>>
>>>>>>
>>>>>> On 15/10/12 12:47 PM, [email protected] wrote:
>>>>>>> Hello all,
>>>>>>>
>>>>>>> I do not see any info on the captioned in the Radiator documentation.
>>>>>>> Where do I go to see details on implementing COA?
>>>>>>>
>>>>>>> Thanks.
>>>>>>>
>>>>>>> Rohan
>>>>>>> _______________________________________________
>>>>>>> radiator mailing list
>>>>>>> [email protected]
>>>>>>> http://www.open.com.au/mailman/listinfo/radiator
>>>>>>>
>>>>>>>
>>>>>
>>>>> Rohan Henry
>>>>> Server Administrator
>>>>> LIME
>>>>> Phone (876) 936-4819
>>>>> Mobile (876) 997-0729
>>>>
>>>>
>>>> --
>>>>
>>>> Hugh Irvine
>>>> [email protected]
>>>>
>>>> Radiator: the most portable, flexible and configurable RADIUS server
>>>> anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
>>>> Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
>>>> TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
>>>> DIAMETER etc.
>>>> Full source on Unix, Windows, MacOSX, Solaris, VMS, NetWare etc.
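
The cron-driven scan in step 4 of the quoted list, sketched as an added example (not code from the thread or from Radiator): it selects over-quota sessions and builds the radpwtst call as an argument list, validating every database-supplied value first. The table layout, sample rows, secret, port 3799 and the single cisco-avpair attribute are assumptions; use whatever your NAS documentation requires.

```python
import ipaddress
import re
import sqlite3

# Constructed sample data; table and column names are assumptions of this example.
SCHEMA = """
CREATE TABLE sessions (username TEXT, nas_ip TEXT, acct_session_id TEXT,
                       used_octets INTEGER, quota_octets INTEGER, throttled INTEGER);
INSERT INTO sessions VALUES
  ('alice', '192.0.2.10', '0000A1',            900, 1000, 0),
  ('bob',   '192.0.2.10', '0000B2',           1500, 1000, 0),
  ('carol', '192.0.2.11', '0000C3',           2000, 1000, 1),
  ('dave',  '192.0.2.11', '0000D4 -secret x', 5000, 1000, 0);
"""
SAFE_VALUE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9_.:@=-]*$")  # no spaces or quotes

def sessions_over_quota(db):
    """Sessions past quota that have not already been sent a CoA."""
    return db.execute(
        "SELECT username, nas_ip, acct_session_id FROM sessions "
        "WHERE used_octets > quota_octets AND throttled = 0 ORDER BY username").fetchall()

def build_coa_argv(username, nas_ip, session_id, secret, extra_attrs=()):
    """Build the radpwtst argument vector as a list, never as a shell string."""
    ipaddress.ip_address(nas_ip)  # raises ValueError unless it is a literal IP
    for value in (username, session_id, *extra_attrs):
        if not SAFE_VALUE.match(value):
            raise ValueError(f"unsafe attribute value: {value!r}")
    return ["perl", "radpwtst", "-noauth", "-noacct",
            "-code", "Change-Filter-Request",
            "-s", nas_ip, "-auth_port", "3799",  # RFC 5176 default CoA port
            "-secret", secret,
            f"User-Name={username}", f"Acct-Session-Id={session_id}", *extra_attrs]

def plan_coa(db, secret, extra_attrs=()):
    """One cron pass: return (argv lists to run, usernames rejected by validation)."""
    commands, rejected = [], []
    for username, nas_ip, session_id in sessions_over_quota(db):
        try:
            commands.append(build_coa_argv(username, nas_ip, session_id, secret, extra_attrs))
        except ValueError:
            rejected.append(username)
    return commands, rejected

def demo():
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    return plan_coa(db, "constructed-secret", ("cisco-avpair=ip:sub-qos-policy-in=RATE100M",))
```

Each returned list can be passed to `subprocess.run(argv)` without `shell=True`, then the row marked as throttled so the next pass does not resend. The shared secret still appears on radpwtst's command line, as in the thread, so it is visible in the process list of the host that runs the job.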
