Re: rlm_sqlcounter and something else than Session-Timeout
I really don't know why everybody is telling that such config would be impossible.

It's impossible to enforce traffic limiting *during* a user's session. So if a user is a tiny bit below their limit and logs in again, they can go over their limit. The server will only catch enforce their limit on the next login.

It is possible, but that depends on your NAS equipment. Chillispot will use the radius reply attribute ChilliSpot-Max-Total-Octets to specify how many octets the user is allowed to transfer. Once the user passes the limit he is deauthenticated and his session ends.

-- damjan | дамјан This is my jabber ID -- [EMAIL PROTECTED] -- not my mail address!!!

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: rlm_sqlcounter and something else than Session-Timeout
It's impossible to enforce traffic limiting *during* a user's session. So if a user is a tiny bit below their limit and logs in again, they can go over their limit. The server will only catch enforce their limit on the next login.

It is possible, but that depends on your NAS equipment. Chillispot will use the radius reply attribute ChilliSpot-Max-Total-Octets to specify how many octets the user is allowed to transfer. Once the user passes the limit he is deauthenticated and his session ends.

BTW. Chillispot (free software) also supports ChilliSpot-Max-Input-Octets and ChilliSpot-Max-Output-Octets attributes, if you want to separately limit the traffic. All the radius attributes Chillispot supports are documented here: http://www.chillispot.org/features.html#mozTocId36714

-- damjan | дамјан This is my jabber ID -- [EMAIL PROTECTED] -- not my mail address!!!
Re: rlm_sqlcounter and something else than Session-Timeout
Jonathan De Graeve [EMAIL PROTECTED] wrote:

... That's the reason (IMHO) most people want the possibility to set the reply attribute.

So submit a patch, or find a patch that exists, and say publicly that it works for you.

Alan DeKok.
Re: rlm_sqlcounter and something else than Session-Timeout
Damjan wrote:

I limit users by bytes transferred, so I need to sum AcctInputOctets and AcctOutputOctets, compare that sum to a check attribute (let's call it Max-All-Transfer) and return a corresponding ChilliSpot-Max-Total-Octets. I believe this is not configurable in rlm_sqlcounter?

Indeed.

I could try to make a patch if someone is willing to help me and guide me a bit.

I'd suggest to make the reply attribute user-defined (like the check attribute). You might add an option reply-name with Session-Timeout as the default value, so it doesn't break someone else's setup.

-- Nicolas Baradakis
RE: rlm_sqlcounter and something else than Session-Timeout
I think he wants Session-Octets-Limit to be sent back for limiting traffic passed thru for each user. I've changed the plain counter module so it sends back my attribute ;), and I think this could be done for sqlcounter as well. I really don't know why everybody is telling that such config would be impossible. It worked for me, so do I have to write a patch that would allow users to switch between time and traffic accounting/limiting in sqlcounter module, or could the professionals do that?

Nicolas - the reply-name option is used for what? For sending back the value in a specific attribute? Couldn't this be used for Damjan's purpose then?

Regards, Edvin

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Nicolas Baradakis
Sent: Tuesday, 20 December 2005 11:48
To: FreeRadius users mailing list
Subject: Re: rlm_sqlcounter and something else than Session-Timeout

Damjan wrote:

I limit users by bytes transferred, so I need to sum AcctInputOctets and AcctOutputOctets, compare that sum to a check attribute (let's call it Max-All-Transfer) and return a corresponding ChilliSpot-Max-Total-Octets. I believe this is not configurable in rlm_sqlcounter?

Indeed.

I could try to make a patch if someone is willing to help me and guide me a bit.

I'd suggest to make the reply attribute user-defined (like the check attribute). You might add an option reply-name with Session-Timeout as the default value, so it doesn't break someone else's setup.

-- Nicolas Baradakis
Re: rlm_sqlcounter and something else than Session-Timeout
Seferovic Edvin wrote:

I think he wants Session-Octets-Limit to be sent back for limiting traffic passed thru for each user. I've changed the plain counter module so it sends back my attribute ;), and I think this could be done for sqlcounter as well.

Are you using version 1.0.5 or a CVS snapshot? I just looked at rlm_counter for the first time: there is an option return-attribute in CVS head for that purpose, but it doesn't exist in rlm_sqlcounter. If you're using 1.0.5, I don't know how you manage to return the value in Session-Octets-Limit. As to my understanding of rlm_counter.c, the reply attribute is hard-coded to Session-Timeout.

Nicolas - the reply-name option is used for what? For sending back the value in a specific attribute? Couldn't this be used for Damjan's purpose then?

I think we need such an option to configure either time or traffic counters. And perhaps reply-attribute would be a better name than reply-name.

Nicolas Baradakis

-- A: Yes. Q: Are you sure? A: Because it reverses the logical flow of conversation. Q: Why is top posting annoying in email?
Re: rlm_sqlcounter and something else than Session-Timeout
Seferovic Edvin [EMAIL PROTECTED] wrote:

I really don't know why everybody is telling that such config would be impossible.

It's impossible to enforce traffic limiting *during* a user's session. So if a user is a tiny bit below their limit and logs in again, they can go over their limit. The server will only catch enforce their limit on the next login.

This has been discussed multiple times on the list over the past 5 years.

It worked for me, so do I have to write a patch that would allow users to switch between time and traffic accounting/limiting in sqlcounter module, or could the professionals do that?

If you know what you want, write a patch, and we'll review it.

Alan DeKok.
Re: rlm_sqlcounter and something else than Session-Timeout
Alan DeKok wrote:

Seferovic Edvin [EMAIL PROTECTED] wrote:

I really don't know why everybody is telling that such config would be impossible.

It's impossible to enforce traffic limiting *during* a user's session. So if a user is a tiny bit below their limit and logs in again, they can go over their limit. The server will only catch enforce their limit on the next login.

This has been discussed multiple times on the list over the past 5 years.

Well, in theory, one can write an exec-program or such, call it during accounting, and if appropriate disconnect the user utilizing something like telnet scripts, snmp, radius packet of disconnect and so on and so forth.
RE: rlm_sqlcounter and something else than Session-Timeout
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Alan DeKok
Sent: Tuesday, 20 December 2005 17:30
To: [EMAIL PROTECTED]; FreeRadius users mailing list
Subject: Re: rlm_sqlcounter and something else than Session-Timeout

Seferovic Edvin [EMAIL PROTECTED] wrote:

I really don't know why everybody is telling that such config would be impossible.

It's impossible to enforce traffic limiting *during* a user's session. So if a user is a tiny bit below their limit and logs in again, they can go over their limit. The server will only catch enforce their limit on the next login.

I do NOT want to limit or change the limit during a session. I just want to limit it for a session ( confusing - huh )! Consider the following:

1. User starts to log in by using PPTP or PPPOE ( my cases )
2. sqlcounter sums up the used traffic, and subtracts it from a limit defined
3. freeradius returns Session-Octets-Limit with the value from sqlcounter which is the actual limitation. Freeradius should also return Session-Octet-Direction because the traffic limitation is AFAIK a feature of PPP and PPP needs to know if it should monitor upload, download, or use the limit for max(upload+download).
4. the server running pptp, or pppoe gets the limit and sets the value for the user's current session.
5. if user reaches the limit, his connection is terminated ( I've seen logs and this works ;) ). If he tries to log again, he won't be allowed because sqlcounter will provide 0 or negative value.
6. if user terminates his connection before reaching the limit, the accounting data will be passed to sql. By the time he wants to connect again, we will have the same game over.

The catch is - PPP always lets user have a little bit more than the limit actually is ( 10kB sometimes ), so the sqlcounter won't have to return values like 2 or 5 bytes as a limit because the user will be way over quota. I will have to dig into PPP implementation to see how this works actually.

The next catch is - simultaneous logins - NO WAY! Here comes the impossible part. You cannot limit traffic for 2 simultaneous connections - reason: the session limit is only passed once to the service which uses freeradius AAA features and it is not sent every few seconds or so. THERE IS MORE

This has been discussed multiple times on the list over the past 5 years.

It worked for me, so do I have to write a patch that would allow users to switch between time and traffic accounting/limiting in sqlcounter module, or could the professionals do that?

If you know what you want, write a patch, and we'll review it.

Alan DeKok.

Alan, I think you are a far better programmer than I am. It shouldn't be a big trouble to allow another config parameter for sqlcounter. This one could be named Reply-Attribute and people could use it to enter Session-Timeout or Session-Octets-Limit depending on their need and usage of freeradius. I know that this is not a perfect or even a good solution, because it is not a limitation in real-time, but considering many systems ( like smaller ISP use ) this solution is even more than enough for their needs.

Regards, Edvin Seferovic
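Added example, not part of Edvin's post and not FreeRADIUS code: a Python model of the login-time check in steps 1 to 6 above and of the simultaneous-login catch, where each concurrent session is handed the same remainder. The simplified radacct table, the function names and the sample rows are assumptions; Max-All-Transfer and Session-Octets-Limit are the names used in the thread.

```python
import sqlite3

# Constructed accounting rows, not data from the thread:
# (UserName, AcctInputOctets, AcctOutputOctets), one row per finished session.
SAMPLE_RADACCT = [
    ("alice", 300_000_000, 500_000_000),
    ("alice", 50_000_000, 100_000_000),
    ("bob", 600_000_000, 400_000_000),
]
USED_SQL = ("SELECT COALESCE(SUM(AcctInputOctets + AcctOutputOctets), 0) "
            "FROM radacct WHERE UserName = ?")

def open_db(rows=SAMPLE_RADACCT):
    """In-memory stand-in for the accounting table (simplified schema)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE radacct (UserName TEXT, "
               "AcctInputOctets INTEGER, AcctOutputOctets INTEGER)")
    db.executemany("INSERT INTO radacct VALUES (?, ?, ?)", rows)
    return db

def used_octets(db, user):
    """Total octets already accounted for this user (0 if no rows)."""
    return db.execute(USED_SQL, (user,)).fetchone()[0]

def authorize(db, user, max_all_transfer, reply_attribute="Session-Octets-Limit"):
    """Login-time check only: reject when the quota is spent, otherwise
    return the remainder in a configurable reply attribute."""
    remaining = max_all_transfer - used_octets(db, user)
    if remaining <= 0:
        return "Access-Reject", {}
    return "Access-Accept", {reply_attribute: remaining}

def overrun_with_simultaneous_logins(db, user, max_all_transfer, sessions=2):
    """Worst case: every concurrent session is granted the same remainder,
    the NAS lets each use all of it, and accounting arrives only at stop."""
    grants = [authorize(db, user, max_all_transfer)[1].get("Session-Octets-Limit", 0)
              for _ in range(sessions)]
    for octets in grants:  # accounting stop records, written after the fact
        db.execute("INSERT INTO radacct VALUES (?, ?, ?)", (user, 0, octets))
    return used_octets(db, user) - max_all_transfer

if __name__ == "__main__":
    db = open_db()
    limit = 1_000_000_000  # hypothetical Max-All-Transfer value
    print(authorize(db, "alice", limit))
    print(authorize(db, "bob", limit))
    print(overrun_with_simultaneous_logins(db, "alice", limit))
```

With the constructed rows, two simultaneous sessions leave alice 50,000,000 octets over the limit, and her next login is rejected.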
Re: rlm_sqlcounter and something else than Session-Timeout
Seferovic Edvin [EMAIL PROTECTED] wrote:

I do NOT want to limit or change the limit during a session. I just want to limit it for a session

As I was trying to say that in general, you CANNOT do this. You can check if they're over the limit at the START of a session. The NAS will *not* check the limit during a session, and the server can't check the limit during a session. So if they're under the limit at the start of the session, they can go over during the session, and no one will notice. This has NOTHING to do with changing the limits during a session.

3. freeradius returns Session-Octets-Limit with the value from sqlcounter which is the actual limitation.

If the NAS supports this, it may work. But 99.% of the NASes do NOT support this. It's not a standard, and it's not a common vendor extension to RADIUS.

Alan, I think you are a far better programmer than I am. It shouldn't be a big trouble to allow another config parameter for sqlcounter. This one could be named Reply-Attribute and people could use it to enter Session-Timeout or Session-Octets-Limit depending on their need and usage of freeradius.

I can't test that, sorry. I'd rather see a patch that works.

Alan DeKok.
Re: rlm_sqlcounter and something else than Session-Timeout
Seferovic Edvin wrote:

If you know what you want, write a patch, and we'll review it.

Alan DeKok.

Alan, I think you are a far better programmer than I am. It shouldn't be a big trouble to allow another config parameter for sqlcounter. This one could be named Reply-Attribute and people could use it to enter Session-Timeout or Session-Octets-Limit depending on their need and usage of freeradius.

If I need a feature in a free software package that isn't there, I sponsor it if I can't wait till it *might* get done one day. Suggest you take the same approach.

-- Lewis Bergman Texas Communications 4309 Maple St. Abilene, TX 79602-8044 Off. 325-691-1301 Cell 325-439-0533 fax 325-695-6841
RE: rlm_sqlcounter and something else than Session-Timeout
So if they're under the limit at the start of the session, they can go over during the session, and no one will notice. This has NOTHING to do with changing the limits during a session.

The problem I think most people (and also me) now have appears when you have max-octet limits. If a user exceeded his monthly usage, he can't login anymore until the next month starts. But if he didn't, the remainder is returned as Session-Timeout. The problem with this is that all NASes take this value as 'seconds' instead of as octets, which will log out a user. Let's say if he got 4GB as remainder, the system will log out the user in 4s (which isn't the behaviour we want, of course).

That's the reason (IMHO) most people want the possibility to set the reply attribute.

J.
RE: rlm_sqlcounter and something else than Session-Timeout
OK, now I've understood that it's a NAS problem. ( Maybe my bad knowledge of English language is guilty for that - sorry ). Lewis suggested that I sponsor your project... well I would if I really needed this feature so badly ;) and since I am just only a student, I might try hacking the freeradius code. In my scenario, I use Poptop and RP-PPPoE server as NAS ( by the way ).

Alan, should I write a patch for 1.0.5 or should I wait for 1.1.0, or just take the daily from CVS?

Regards, Edvin Seferovic

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Alan DeKok
Sent: Tuesday, 20 December 2005 19:53
To: freeradius-users@lists.freeradius.org
Subject: Re: rlm_sqlcounter and something else than Session-Timeout

Seferovic Edvin [EMAIL PROTECTED] wrote:

I do NOT want to limit or change the limit during a session. I just want to limit it for a session

As I was trying to say that in general, you CANNOT do this. You can check if they're over the limit at the START of a session. The NAS will *not* check the limit during a session, and the server can't check the limit during a session. So if they're under the limit at the start of the session, they can go over during the session, and no one will notice. This has NOTHING to do with changing the limits during a session.

3. freeradius returns Session-Octets-Limit with the value from sqlcounter which is the actual limitation.

If the NAS supports this, it may work. But 99.% of the NASes do NOT support this. It's not a standard, and it's not a common vendor extension to RADIUS.

Alan, I think you are a far better programmer than I am. It shouldn't be a big trouble to allow another config parameter for sqlcounter. This one could be named Reply-Attribute and people could use it to enter Session-Timeout or Session-Octets-Limit depending on their need and usage of freeradius.

I can't test that, sorry. I'd rather see a patch that works.

Alan DeKok.
Re: rlm_sqlcounter and something else than Session-Timeout
Seferovic Edvin [EMAIL PROTECTED] wrote:

Alan should I write a patch for 1.0.5 or should I wait for 1.1.0, or just take the daily from CVS?

Make the patch against 1.1.0-pre0, which should be good enough.

Alan DeKok.
rlm_sqlcounter and something else than Session-Timeout
Currently rlm_sqlcounter sums all the session time used by a user, via a MySQL query (summing all the AcctSessionTime) and returns a corresponding Session-Timeout reply to the NAS.

Now, in my application, I limit users by bytes transferred, so I need to sum AcctInputOctets and AcctOutputOctets, compare that sum to a check attribute (let's call it Max-All-Transfer) and return a corresponding ChilliSpot-Max-Total-Octets. I believe this is not configurable in rlm_sqlcounter?

I could try to make a patch if someone is willing to help me and guide me a bit.

-- damjan | дамјан This is my jabber ID -- [EMAIL PROTECTED] -- not my mail address!!!