RE: [Radiusplugin-users] Anyone knows how to use Radiusplugin to limit client's traffic?

[Tony Zhou]

Here's the steps to enable a very-rough traffic limit on Freeradius+OpenVPN:

I'm using Freeradius 2.1.0 + Postgresql 8.4.4, enabled a traffic limit for
group users of 5G/month

1. Add a row in db, set the limit

Insert into radgroupreply (groupname, attribute, op, value) values ('user',
'Max-Monthly-Traffic', ':=', '5368709120');

Units in bytes

2. Detects the user's traffic before login, if exceeds reject the
authentication

Add the following line to /etc/freeradius/sites-enabled/default, in the
authorization section:

if ("%{sql: SELECT SUM(acctinputoctets+acctoutputoctets) FROM radacct WHERE
username='%{User-Name}' AND date_trunc('day', acctstarttime) >= date_trunc
('month', current_date) AND date_trunc('day', acctstoptime) <=
last_day(current_date);}" >= "%{sql: SELECT value FROM radgroupreply WHERE
attribute='Max-Monthly-Traffic';}") {
                reject
        }
3. Define the lastday() function in db

Since I used time period of 1st and the last day in a month, the date need
to be defined.

This function is from http://wiki.postgresql.org/wiki/Date_LastDay

CREATE OR REPLACE FUNCTION last_day(date)
RETURNS date AS
$$
  SELECT (date_trunc('MONTH', $1) + INTERVAL '1 MONTH - 1 day')::date;
$$ LANGUAGE 'sql' IMMUTABLE STRICT;

4. Define Max-Monthly-Traffic in dictionary

Add line:
Attribute Max-Monthly-Traffic 3003 interger

Restart freeradius and openvpn and the traffic limit applies.

I'm a newbie to pgsql and freeradius, so the script is quite rough. Any
suggestions are welcomed.

BTW, this script cannot kick user off on realtime, since acctinputoctet and
acctoutputoctet would not update until user logs off. Ralf suggested to use
reneg-sec to force user to re-authenticate to refresh and detect the traffic
used.


-----Original Message-----
From: Ralf Lübben [mailto:address@hidden 
Sent: Tuesday, June 08, 2010 4:07 PM
To: address@hidden
Cc: Tony Zhou
Subject: Re: [Radiusplugin-users] Anyone knows how to use Radiusplugin to
limit client's traffic?

Hi,

the RADIUS server can support it in combination with OpenVPN:

1) The RADIUS server cannot disconnect a user from OpenVPN, but OpenVPN re-
authenticates a user in a specific interval which can be configured with the
option "--reneg-sec", than the authentication/re-authentication will fail,
if the user exceeds a traffic limit. 
So the traffic limit will not be kept exactly but approximately.

2) The RADIUS server can reject authentication requests, if the some values
are exceeded. This is implemented by "Rlm_sqlcounter", examples can be found
in the freeradius directory "freeradius/sql/postgresql", a installation
guide at http://wiki.freeradius.org/Rlm_sqlcounter .
You should consider the RADIUS accounting attributes "Acct-Input-Octets",
"Acct-Output-Octets", "Acct-Input-Gigawords" and "Acct-Output-Gigawords".


I would be great if you can post a complete solution if you find one.

Regards,
Ralf 




Am Dienstag, 8. Juni 2010 03:56:55 schrieb Tony Zhou:
> Hi all,
> 
> 
> 
> I'm running Freeradius 2.1+Postgresql 8.4.4+OpenVPN on Ubuntu 9.10 
> x86. It runs smoothly now, however, I want to know that if there is 
> any way to  limit per user's traffic, like 10G/month, and 
> disconnect/reject their  connection when the limitation has been reached.
> 
> 
> 
> I have asked this on FreeRADIUS maillist and they said that is NAS 
> client related. Is there any function in Radiusplugin or any 
> additional script could do this?
> 
> 
> 
> Thanks in advance.
>