Thanks much Hugh.

On Thu, 18 Oct 2012 09:26:22 +1100 Hugh Irvine <[email protected]> wrote:
>
>Hello Rohan -
>
>What I described was one typical way it is done automatically, but obviously
>other methods are possible.
>
>regards
>
>Hugh
>
>
>On 18 Oct 2012, at 02:49, <[email protected]> wrote:
>
>> Thanks Hugh.
>>
>>
>> Oh Yes! I recall there was discussion around tracking usage via interim
>> accounting. But it's an external system (linked to our billing system) that
>> will monitor user sessions for usage thresholds and initiate the COA as well
>> as modify the user profile in LDAP temporarily should a user reconnect.
>>
>> I will need to get more feedback on how the external system will be
>> initiating the COA (such as by bulk or single). Based on your description
>> below it appears that COA is normally done in bulk.
>>
>> Rohan.
>>
>>
>> On Wed, 17 Oct 2012 08:42:00 +1100
>> Hugh Irvine <[email protected]> wrote:
>>>
>>> Hello Rohan -
>>>
>>> See below.
>>>
>>> On 17 Oct 2012, at 04:11, <[email protected]> wrote:
>>>
>>>> Thanks Hugh,
>>>>
>>>> I will pass on your hello to Elon :). Seems like a bit of configuration.
>>>>
>>>> Are you confirming that Interim-Update is required for COA?
>>>
>>> Typically you want to use COA on a session that has exceeded some limit,
>>> therefore you need to know when the session has exceeded whatever limit and
>>> take action when it happens.
>>>
>>> The only way to know what is happening with an existing session using
>>> RADIUS is via interim accounting.
>>>
>>>> And how is COA triggered from the Billing/Provisional system?
>>>
>>> You would have a periodic cron job or similar scan the database.
>>>
>>>> Is COA described anywhere in the RADIATOR documentation?
>>>
>>> COA is supported (or not) by the NAS equipment in question, and varies from
>>> one device to another.
>>>
>>> Here is the help for the "radpwtst" utility:
>>>
>>>
>>> Radiator-4.10 hugh$ perl radpwtst -h
>>>
>>> usage: radpwtst [-h] [-time] [-iterations n]
>>>     [-trace [level]] [-s server] [-secret secret] [-retries n]
>>>     [-noauth] [-noacct][-nostart] [-nostop] [-alive] [-status]
>>>     [-chap] [-chap_nc] [-mschap] [-mschapv2] [-eapmd5] [-eapotp]
>>>     [-eapgtc] [-sip] [-leap]
>>>     [-motp_secret xxxxxxxxxxxxxxxx] [-eaphex xxxxxxxxxxxxx]
>>>     [-accton] [-acctoff] [-framed_ip_address address]
>>>     [-auth_port port] [-acct_port port] [-identifier n]
>>>     [-user username] [-password password]
>>>     [-nas_ip_address address] [-nas_identifier string]
>>>     [-nas_port port] [-nas_port_type type] [-service_type service]
>>>     [-calling_station_id string] [-called_station_id string]
>>>     [-session_id string] [-interactive]
>>>     [-delay_time n] [-session_time n] [-input_octets n]
>>>     [-output_octets n] [-timeout n] [-dictionary file,file]
>>>     [-gui] [-class string] [-useoldascendpasswords]
>>>     [-code requestcode] [-raw data] [-rawfile filename]
>>>     [-rawfileseq filename]
>>>     [-outport port] [-bind_address dotted-ip-address]
>>>     [-options optionfile]
>>>     [attribute=value]...
>>>
>>>
>>> You would use it something like this (depending on what specific
>>> attribute-value pairs the NAS requires):
>>>
>>>
>>> perl radpwtst -noauth -noacct -code Change-Filter-Request -s n.n.n.n
>>>     -auth_port nnn -secret _the_shared_secret_ User-Name=someuser
>>>     Acct-Session-Id=whatever …..
>>>
>>>
>>> You will need to check your NAS documentation to verify exactly what is
>>> required, and you will need to do some experiments to discover exactly what
>>> works.
>>>
>>> regards
>>>
>>> Hugh
>>>
>>>
>>>>
>>>> On Tue, 16 Oct 2012 13:22:48 +1100
>>>> Hugh Irvine wrote:
>>>>>
>>>>> Hello Rohan -
>>>>>
>>>>> Depending on your exact requirements, here are the various elements
>>>>> you'll need.
>>>>>
>>>>> 1. an SQL database for your customer records and accounting records
>>>>>
>>>>> 2. each customer record must have accounting totals updated in real time
>>>>> by RADIUS interim accounting requests as well as session accounting
>>>>>
>>>>> 3. when authenticating a customer (user) you need to check the current
>>>>> totals in the customer record and return the appropriate RADIUS reply
>>>>> items (i.e. time remaining and/or quota limits and/or bandwidth limits)
>>>>>
>>>>> 4. a cron job to scan the customer records periodically and if a change
>>>>> is required to a current customer session, run a script that calls the
>>>>> "radpwtst" utility with whatever COA attribute-value pairs are necessary
>>>>>
>>>>> 5. an end-of-billing period cron job to reset the totals in the customer
>>>>> records when the new period begins
>>>>>
>>>>> Note that Radiator itself in this scenario is only required to process
>>>>> the RADIUS authentication requests and accounting requests, everything
>>>>> else is done directly on the database with scripts.
>>>>>
>>>>> hope that helps
>>>>>
>>>>> regards
>>>>>
>>>>> Hugh
>>>>>
>>>>> ps - please give my best regards to Elon Richards and his colleagues at
>>>>> CW Barbados
>>>>>
>>>>>
>>>>> On 16 Oct 2012, at 06:03, [email protected] wrote:
>>>>>
>>>>>> Michael.
>>>>>>
>>>>>> Thanks much for the start. I am going to do some further reading to see
>>>>>> what I can come up with. I must also confirm COA support on our Juniper
>>>>>> E320 NAS devices.
>>>>>>
>>>>>> Rohan
>>>>>>
>>>>>>
>>>>>> On Mon, 15 Oct 2012 13:34:38 -0400
>>>>>> Michael wrote:
>>>>>>>
>>>>>>> This was the hardest thing to get working and automated for me
>>>>>>> personally. I don't know if there is an easy way of doing it. I didn't
>>>>>>> find one. I accomplished it with a complicated process. It could be as
>>>>>>> simple as a script to execute "./radpwtst -s IP -code
>>>>>>> Change-Filter-Request etc....."
>>>>>>>
>>>>>>>
>>>>>>> My complicated process goes something like the following, but I would
>>>>>>> suggest making sure the above simple method works for you as I do have
>>>>>>> a couple nas's where CoA just doesn't work with the IOS that it has.
>>>>>>>
>>>>>>> - a script process that injects Change-Filter-Request packets into the
>>>>>>> radiator service, using radpwtst:
>>>>>>>   push( @change_args, (
>>>>>>>       '-s', 'local radiator ip',
>>>>>>>       '-code', 'Change-Filter-Request',
>>>>>>>       "Timestamp=$timestamp",
>>>>>>>       "NAS-IP-Address=$nas_ip",
>>>>>>>       "NAS-Port=$nas_port",
>>>>>>>       "Acct-Session-Id=$sess_id",
>>>>>>>       "Framed-IP-Address=$ip",
>>>>>>>       "Class=$class",
>>>>>>>       "cisco-Policy-Up=$rate_up",
>>>>>>>       "cisco-Policy-Down=$rate_down"
>>>>>>>   ) );
>>>>>>>
>>>>>>> - a Handler with custom Hook configured to read the cisco-Policy rate
>>>>>>> values from the injected packet, and look up the proper policy command
>>>>>>> from a radiator global variable depending on the nas-ip-address since I
>>>>>>> have multiple nas's that require different commands.
>>>>>>> eg. global variable:
>>>>>>>   DefineFormattedGlobalVar 1.2.3.4-RATE100M-up ip:sub-qos-policy-in=RATE100M
>>>>>>>   DefineFormattedGlobalVar 1.2.3.4-RATE100M-down ip:sub-qos-policy-out=RATE100M
>>>>>>>
>>>>>>> - add 2 "cisco-avpair" attributes to the packet with the up rate and
>>>>>>> down rate commands. These are the actual commands the NAS needs to
>>>>>>> change the rate limit. The policy must already be setup on your nas.
>>>>>>> ie:
>>>>>>>   cisco-avpair="ip:sub-qos-policy-in=RATE100M"
>>>>>>>   cisco-avpair="ip:sub-qos-policy-out=RATE100M"
>>>>>>>
>>>>>>> - then a custom authby that required patching to determine what nas to
>>>>>>> forward the packet to, since I have multiple nas's. Also another authby
>>>>>>> that logs this request which is not required but I wanted to log it.
>>>>>>>
>>>>>>>
>>>>>>> There's much more to it, but I don't want to get too deep here. It all
>>>>>>> pretty much revolves around building the Change-Filter-Request packet
>>>>>>> with "./radpwtst -code Change-Filter-Request" and either send that to
>>>>>>> the nas, or inject it into radiator so you can do other things with it.
>>>>>>>
>>>>>>>
>>>>>>> Michael
>>>>>>>
>>>>>>>
>>>>>>> On 15/10/12 12:47 PM, [email protected] wrote:
>>>>>>>> Hello all,
>>>>>>>>
>>>>>>>> I do not see any info on the captioned in the Radiator documentation.
>>>>>>>> Where do I go to see details on implementing COA?
>>>>>>>>
>>>>>>>> Thanks.
>>>>>>>>
>>>>>>>> Rohan
>>>>>>>> _______________________________________________
>>>>>>>> radiator mailing list
>>>>>>>> [email protected]
>>>>>>>> http://www.open.com.au/mailman/listinfo/radiator
>>>>>>>>
>>>>>>>>
>>>>>>
>>>>>> Rohan Henry
>>>>>> Server Administrator
>>>>>> LIME
>>>>>> Phone (876) 936-4819
>>>>>> Mobile (876) 997-0729
>>>>>
>>>>>
>>>>> --
>>>>>
>>>>> Hugh Irvine
>>>>> [email protected]
>>>>>
>>>>> Radiator: the most portable, flexible and configurable RADIUS server
>>>>> anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
>>>>> Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
>>>>> TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
>>>>> DIAMETER etc.
>>>>> Full source on Unix, Windows, MacOSX, Solaris, VMS, NetWare etc.
>>>>>
>>>>
>>>
>>
>
Rohan Henry
Server Administrator
LIME
Phone (876) 936-4819
Mobile (876) 997-0729
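The thread leaves step 4 of Hugh's list (a cron job that scans the customer records and calls radpwtst with CoA attribute-value pairs) and Michael's per-NAS policy lookup as prose. The script below is an added example, not code from the thread or from Radiator, showing one way to put the two together: a quota scan over an embedded SQLite database, a per-NAS policy map in the spirit of Michael's DefineFormattedGlobalVar entries, and the resulting radpwtst command lines built from the invocation Hugh showed. The table layout, the POLICY_MAP values, the NAS addresses, the shared secret and the use of port 3799 (the RFC 5176 default for CoA) are all assumptions; the policy names must already exist on the NAS, and what a given NAS actually accepts has to be checked against its documentation, as both Hugh and Michael say.

```python
"""Quota scan -> radpwtst Change-Filter-Request plan (added example, not Radiator code)."""
import shlex
import sqlite3

# Per-NAS policy map, the same idea as Michael's
# "DefineFormattedGlobalVar 1.2.3.4-RATE100M-up ip:sub-qos-policy-in=RATE100M":
# (nas_ip, policy name) -> (inbound cisco-avpair, outbound cisco-avpair).
# Assumed values; each NAS may need a different command for the same policy.
POLICY_MAP = {
    ("192.0.2.10", "RATE1M"): ("ip:sub-qos-policy-in=RATE1M",
                               "ip:sub-qos-policy-out=RATE1M"),
    ("192.0.2.11", "RATE1M"): ("ip:sub-qos-policy-in=THROTTLE-1M",
                               "ip:sub-qos-policy-out=THROTTLE-1M"),
}

# Assumed schema: totals in customers are kept current by interim accounting
# (Hugh's step 2); sessions holds what is needed to address a CoA to the NAS.
SCHEMA = """
CREATE TABLE customers (username TEXT PRIMARY KEY, quota_octets INTEGER,
    used_octets INTEGER, throttle_policy TEXT);
CREATE TABLE sessions (acct_session_id TEXT PRIMARY KEY, username TEXT,
    nas_ip TEXT, nas_port INTEGER, framed_ip TEXT, coa_sent INTEGER DEFAULT 0);
"""


def build_demo_db():
    """Constructed sample data: alice is over quota, bob is under, carol is
    over quota but was already throttled by an earlier run."""
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    db.executemany("INSERT INTO customers VALUES (?,?,?,?)", [
        ("alice", 10_000_000_000, 10_500_000_000, "RATE1M"),
        ("bob",   10_000_000_000,  2_000_000_000, "RATE1M"),
        ("carol", 10_000_000_000, 12_000_000_000, "RATE1M"),
    ])
    db.executemany("INSERT INTO sessions VALUES (?,?,?,?,?,?)", [
        ("8A01", "alice", "192.0.2.10", 1001, "198.51.100.5", 0),
        ("8A02", "bob",   "192.0.2.10", 1002, "198.51.100.6", 0),
        ("8A03", "carol", "192.0.2.11", 2001, "198.51.100.7", 1),
    ])
    return db


def over_quota_sessions(db):
    """Active sessions whose customer has exceeded quota and has not yet had a
    CoA sent. The coa_sent flag keeps the cron job idempotent, so the NAS is
    not sent the same Change-Filter-Request on every run."""
    return db.execute("""
        SELECT s.acct_session_id, s.username, s.nas_ip, s.nas_port,
               s.framed_ip, c.throttle_policy
        FROM sessions s JOIN customers c ON c.username = s.username
        WHERE c.used_octets >= c.quota_octets AND s.coa_sent = 0
        ORDER BY s.acct_session_id""").fetchall()


def radpwtst_args(session, secret, coa_port=3799):
    """argv for radpwtst, following the invocation Hugh showed: -s addresses the
    NAS, -code selects Change-Filter-Request, and the attribute=value pairs
    identify the session. Port 3799 is the RFC 5176 default and an assumption."""
    sess_id, user, nas_ip, nas_port, framed_ip, policy = session
    try:
        avp_in, avp_out = POLICY_MAP[(nas_ip, policy)]
    except KeyError:
        # Refuse rather than guess: an unknown NAS/policy pair would send a
        # command the NAS may reject or, worse, interpret differently.
        raise LookupError(f"no policy {policy!r} defined for NAS {nas_ip}")
    return [
        "perl", "radpwtst", "-noauth", "-noacct",
        "-code", "Change-Filter-Request",
        "-s", nas_ip, "-auth_port", str(coa_port), "-secret", secret,
        f"User-Name={user}",
        f"Acct-Session-Id={sess_id}",
        f"NAS-IP-Address={nas_ip}",
        f"NAS-Port={nas_port}",
        f"Framed-IP-Address={framed_ip}",
        f"cisco-avpair={avp_in}",
        f"cisco-avpair={avp_out}",
    ]


def plan_coa(db, secret):
    """One cron run: return the radpwtst commands to execute and mark those
    sessions so the next run skips them. Execution is left to the caller
    (for example subprocess.run(argv, check=True)) so the plan can be reviewed."""
    plan = []
    for session in over_quota_sessions(db):
        argv = radpwtst_args(session, secret)
        plan.append(argv)
        db.execute("UPDATE sessions SET coa_sent = 1 WHERE acct_session_id = ?",
                   (session[0],))
    db.commit()
    return plan


if __name__ == "__main__":
    demo = build_demo_db()
    for argv in plan_coa(demo, "example-shared-secret"):
        print(shlex.join(argv))  # review the command line before wiring in subprocess
```

Run stand-alone it prints a single command line for alice's session; a second call to plan_coa on the same database returns nothing because coa_sent is now set. A real deployment would also clear coa_sent when the Accounting-Stop for that session arrives, and reset it alongside the totals in Hugh's end-of-period job (step 5), so a customer who reconnects after the reset is not silently left throttled.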
