Freeradius Data Limits

Posted on 2014-03-09
Medium Priority
Last Modified: 2014-05-14
Dear Experts,

We are currently testing Freeradius + MySQL on CentOS 6 x64 using Mikrotik as a client. Basic testing with the RadCheck and RadReply is working fine, i.e. simultaneous logins, rate limits. We are now looking to implement data limits and additional data bundles.

Having searched Google for days for some guides on how to do this, I have come up blank. If someone could point me in the right direction on how to configure rlm_sqlcounter etc. it would be very useful.

Question by:bluewaveit

Expert Comment

ID: 39915875
What you are looking for deals with the accounting portion.
When the user logs in, the router will send back a notification (start record). At the conclusion it reports an end to the session (stop record) that includes duration and amount of data transferred.
The other interpretation is that you want to designate the bandwidth each user has. You need to look at what settings/parameters Mikrotik needs to receive to set the bandwidth/rate limit on the specific connection.

Freeradius is extremely flexible; the settings you configure for reply items will be sent.
The variances are configurable/adjustable within the dictionary files. I.e. there might be a vendor-specific attribute that Mikrotik has that is not included in the prepackaged dictionary files. This minimizes the fixed configuration on the Mikrotik. I.e. to achieve what you are looking for there might have to be 5 reply-items directing the Mikrotik to set the connection-specific settings.

I am unfamiliar with Mikrotik, but it might be simpler, if such an option exists, to predefine "groups" within the Mikrotik that set the data rate, etc., so that all the freeradius reply-items need to send is the "set group" as a reply item. Everything else is then set.

The main difference between the two approaches deals with flexibility. The preconfigured option means that should additional options/ranges be needed or eliminated, you would need to go back into the device to reconfigure. The other allows you to modify what reply items are sent, and that is done.

This might not be applicable to the version you have:

Here is a discussion on Mikrotik's forum.
The indication suggests that rate limiting is achieved through queuing, which depending on the number of users could mean a higher hit on the router's load/performance.


Author Comment

ID: 39916116
Thank you for the reply, I should have detailed this earlier. We are a small WISP and currently run on a layer 2 network, this has grown much faster than we anticipated and now we are migrating to a layer 3 based setup, utilising OSPF as the routing protocol. We currently provide a range of services, most of which have data usage limits. When a customer hits the limit our system limits the rate of connection.

We want to replicate this with Freeradius but also provide an option to buy more data through bundles. I know freeradius can do this and people are currently doing it with Mikrotik routers in the setup.

I suppose what I am really after is some sort of walkthrough just to get the basics. I know it will involve perl scripts to reset the time and data counters at the end of the month.

Expert Comment

ID: 39916165
OK, so you are looking at the accounting data accumulation.
You presumably will have a perl script that will monitor the Mikrotik for active users and their current usage for the purposes of altering the configuration of the active users.
Freeradius, as part of the reply items, will also have to use logic to query the mysql table to adjust the user's allowable bandwidth.
You could use triggers/views for a user, allowable_bandwidth/rate table.

What setup do you already have?
Accounting data going into mysql?
Do you get accounting events with the current usage count, i.e. every five minutes (interim update/alive session)?
I.e. you get a start when the session starts and you get a stop with the total usage at the end of the session.
Some also get periodic notification that reflects the current data usage while the session remains on. You need this information if you want to have the option to rate limit an active user rather than rate limit the user on their next login.

There are different examples of freeradius+mysql and rate limiting; a quick scan showed many Cisco-related examples.

Any example can be adapted to meet your needs/hardware through the understanding of what the Mikrotik expects as a reply item to set the parameters.
The change in an active session is coded within the perl/monitoring script that checks for sessions on the Mikrotik router.

Any changes to a user's entry in the mysql could be built into the session checker perl script to reset/adjust the restrictions.
The reply items will function automatically through the logic that deals with allowed/permitted data versus current usage.

Author Comment

ID: 39916259
Our current setup is Freeradius-MySQL, as I mentioned at the start we have successfully authenticated a user with an IP and route out. Also using the mikrotik attribute for rate limiting (Mikrotik-Rate-Limit). The NAS table has our two test Mikrotiks listed and they are both handling the requests limiting the speed accordingly.

The radacct table is being populated with stats, it will be updating at the default intervals for the session.

I have two example perl scripts that I have copied from a book on freeradius, one to reset the time counters and one to reset the data counters. I am just unsure how everything pieces together.

Expert Comment

ID: 39916371
What issue are you looking at at this point?
I believe in your current configuration, a user, as long as they remain connected, can exceed your data limits in one session without the rate limiting kicking in. And I think this is what you would like to curb.

When your active session checker on the Mikrotik is running, does one of the data sets include the current amount of data transferred?
I.e. username, start time, NAS/port information, active time, amount of data transferred, etc.?

Author Comment

ID: 39924793
Sorry for the delay in replying, I have been busy on other urgent Windows server issues.
Going back to the question, we are looking for the following:

User logs in at the beginning of the month
Counters will log data for both in and out traffic
We need the counter to work on all sessions within the month
When the user 'hits' the data limit, a new connection speed is applied to the connection
All counters reset at the end of the month, ready for the following month.

If a customer were to use it all in one session it doesn't matter. If they go the whole without hitting it, it doesn't matter. We need to collect the data usage regardless and provide graphing showing the usage month by month.

Expert Comment

ID: 39925099
You need to configure on your Mikrotik the accounting portion that sends accounting data back to port 1813.

You then need to make sure of the accounting start/stop (includes both the start time and the stop time, duration, amount of data transferred/received), and these should be going into the radacct tables.
I believe there is a way to update the user table where the current usage is appended to the existing information about the amount transferred within the same table as the users' username/password, etc.

The usage data to graph can be collected/created by using other tools and pulling the data from the radacct table directly, performing all the necessary computation during this process.
The script to reset is fairly straightforward: at 11:59:50pm
it will issue update user set data_transfer_data_counter=0 where username_is_still_active_table

If you want to impose the rate limiter while the user is in session, that can be done with the script that connects to the Mikrotik to check for active sessions versus the radcheck table in mysql, i.e. there could be a session for which a stop record was not received in mysql while the user is not active.

Author Comment

ID: 39932846
I will try out what you have suggested; I have also been reading a good book on freeradius and that has some good information. I will post an update as soon as I have something resembling a solution.

Author Comment

ID: 39977902
I am now at the point where I am willing to pay someone who knows to assist in this project. If anyone thinks they can help, please get in touch.

Expert Comment

ID: 39977940
What is the issue you are dealing with? Does the Mikrotik report back accounting records?
Is the issue related to getting the accounting records into the radacct table?

Author Comment

ID: 39978027
The RADACCT table is being populated with counters for each session. I need to use that information with sqlcounter and/or backcounter to then enforce a speed throughput cap that can then be overwritten with the purchase of more data allowance.

Accepted Solution

arnold earned 1500 total points
ID: 39978117
Before going through with the enforcement part, you have to create a trigger on the radacct table that will update the sqlcounter presumably on the users table with the amount of data from the session.

Does your users table have the usage, threshold columns?

Are you only adding stop/start records or do you also use keep alive session where the current session data usage is being reported?
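
The trigger approach from the answer above, as an added example that is not part of the original thread. It uses Python's built-in sqlite3 in place of MySQL so that it runs stand-alone; the radacct column names follow the stock FreeRADIUS schema, while the `user_quota` table, the function names and the rate strings are assumptions made for illustration.

```python
import sqlite3

SCHEMA = """
CREATE TABLE radacct (acctuniqueid TEXT PRIMARY KEY, username TEXT,
    acctinputoctets INTEGER DEFAULT 0, acctoutputoctets INTEGER DEFAULT 0);
-- Hypothetical quota table; not part of the stock FreeRADIUS schema.
CREATE TABLE user_quota (username TEXT PRIMARY KEY, limit_octets INTEGER,
    used_octets INTEGER DEFAULT 0, bundle_octets INTEGER DEFAULT 0);
-- Interim and Stop records carry cumulative session totals, so add only the
-- delta; adding the full value on every update would double-count.
CREATE TRIGGER acct_update AFTER UPDATE ON radacct BEGIN
  UPDATE user_quota SET used_octets = used_octets
    + (NEW.acctinputoctets - OLD.acctinputoctets)
    + (NEW.acctoutputoctets - OLD.acctoutputoctets)
  WHERE username = NEW.username;
END;
-- A row first seen with non-zero totals (the Start record was lost) counts in full.
CREATE TRIGGER acct_insert AFTER INSERT ON radacct BEGIN
  UPDATE user_quota SET used_octets = used_octets
    + NEW.acctinputoctets + NEW.acctoutputoctets
  WHERE username = NEW.username;
END;
"""

def open_db():
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    return db

def account(db, session, user, octets_in, octets_out):
    """Apply one accounting record: update the session row, insert if absent."""
    cur = db.execute("UPDATE radacct SET acctinputoctets=?, acctoutputoctets=? "
                     "WHERE acctuniqueid=?", (octets_in, octets_out, session))
    if cur.rowcount == 0:
        db.execute("INSERT INTO radacct VALUES (?,?,?,?)",
                   (session, user, octets_in, octets_out))

def buy_bundle(db, user, octets):
    db.execute("UPDATE user_quota SET bundle_octets = bundle_octets + ? "
               "WHERE username=?", (octets, user))

def rate_limit(db, user, normal="10M/10M", capped="512k/512k"):
    """Value to send as Mikrotik-Rate-Limit; the two rates are constructed."""
    used, allowed = db.execute("SELECT used_octets, limit_octets + bundle_octets "
                               "FROM user_quota WHERE username=?", (user,)).fetchone()
    return capped if used >= allowed else normal

def monthly_reset(db):
    # Assumption: unused bundle data expires with the month.
    db.execute("UPDATE user_quota SET used_octets = 0, bundle_octets = 0")
```

A cap decided this way takes effect at the user's next login; changing the rate of a session that is already active still needs the separate session-checking script discussed earlier in the thread.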

Assisted Solution

bluewaveit earned 0 total points
ID: 40053330
Sorry for the delay, I have been away on holiday and then on training courses. I have flattened my radius server and started again. On my training course we covered a small part of this and I think I now have a better understanding of how it all pieces together.

I will let you know my process.

Author Closing Comment

ID: 40064003
I am closing this question as I am dropping the project.

Question has a verified solution.