Freeradius Data Limits

Dear Experts,

We are currently testing Freeradius + MySQL on Centos 6 x64 using Mikrotik as a client. Basic testing with the RadCheck and RadReply is working fine i.e. simultaneous logins, rate limits. We are now looking to implement data limits and additional data bundles.

Having searched Google for days for some guides on how to do this, I have come up blank. If someone could point me in the right direction on how to configure rlm_sqlcounter etc., it would be very useful.

Before going through with the enforcement part, you have to create a trigger on the radacct table that will update the sqlcounter presumably on the users table with the amount of data from the session.

Does your users table have the usage, threshold columns?

Are you only adding stop/start records or do you also use keep alive session where the current session data usage is being reported?
What you are looking for deals with the accounting portion.
When the user logs in, the router will send a notification back start record. At the conclusion it reports an end to session stop record that includes duration and amount of data transferred.
The other interpretation is that you want to designate the bandwidth each user has. You need to look at what settings/parameters Mikrotik needs to receive to set the bandwidth/rate limit on the specific connection.

Freeradius is extremely flexible, the settings you configure for reply items, will be sent.
The variances are configurable/adjustable within the dictionary files, i.e. there might be a vendor-specific attribute that Mikrotik has that is not included in the prepackaged dictionary files. This minimizes the fixed configuration on the Mikrotik, i.e. to achieve what you are looking for there might have to be 5 reply-items directing the Mikrotik to set the connection-specific settings.

I am unfamiliar with Mikrotik, but it might be simpler, if such an option exists, to predefine "groups" within the Mikrotik that set the data rate, etc., so that all FreeRADIUS needs to send is the "set group" as a reply item. Everything else is then set.

The main difference between the two approaches deals with flexibility. The preconfigured option means that should additional options/ranges be needed or eliminated, you would need to go back into the device to reconfigure. The other allows you to modify what reply items are sent, and that is done.

This might not be applicable to the version you have:

Here is a discussion on Mikrotik's forum.
The indication suggests that rate limiting is achieved through queuing, which depending on the number of users could mean a higher hit on the router's load/performance.
bluewaveitAuthor Commented:
Thank you for the reply, I should have detailed this earlier. We are a small WISP and currently run on a layer 2 network, this has grown much faster than we anticipated and now we are migrating to a layer 3 based setup, utilising OSPF as the routing protocol. We currently provide a range of services, most of which have data usage limits. When a customer hits the limit our system limits the rate of connection.

We want to replicate this with Freeradius but also provide an option to buy more data through bundles, I know freeradius can do this and people are currently doing it with Mikrotik routers in the setup.

I suppose what I am really after is some sort of walkthrough just to get the basics. I know it will involve perl scripts to reset the time and data counters at the end of the month.

OK, so you are looking at the accounting data accumulation.
You presumably will have a perl script that will monitor the Mikrotik for active users and their current usage for the purposes of altering the configuration of the active users.
FreeRADIUS, as part of the reply items, will also have to use logic to query the MySQL table to adjust the user's allowable bandwidth.
You could use triggers/views for a user, allowable_bandwidth/rate table.

What setup do you already have?
Accounting data going into MySQL?
Do you get accounting events of the current usage count, i.e. every five minutes (interim update/alive session)?
I.e. you get a start when the session starts and you get a stop with the total usage at the end of the session.
Some also get periodic notification that reflects the current data usage while the session remains on. You need this information if you want to have the option to rate limit an active user rather than rate limit the user on their next login.

There are different examples of FreeRADIUS+MySQL and rate limiting; a quick scan showed many Cisco-related examples.

Any example can be adapted to meet your needs/hardware through the understanding of what Mikrotik expects as a reply item to set the parameters.
The change in an active session is coded within the perl/monitoring script that checks for sessions on the Mikrotik router.

Any changes to a user's entry in MySQL could be built into the session checker perl script to reset/adjust the restrictions.
The reply items will function automatically through the logic that deals with allowed/permitted data versus current usage.
bluewaveitAuthor Commented:
Our current setup is Freeradius-MySQL, as I mentioned at the start we have successfully authenticated a user with an IP and route out. Also using the mikrotik attribute for rate limiting (Mikrotik-Rate-Limit). The NAS table has our two test Mikrotiks listed and they are both handling the requests limiting the speed accordingly.

The radacct table is being populated with stats, it will be updating at the default intervals for the session.

I have two example perl scripts that I have copied from a book on freeradius, one to reset the time counters and one to reset the data counters. I am just unsure how everything pieces together.
What issue are you looking at this point?
I believe in your current configuration, a user as long as they remain connected can exceed your data limits in one session without the rate limiting kicking in. And I think this is what you would like to curb.

When your active session checker on the Mikrotik is running, does one of the data sets include the current amount of data transferred?
I.e. username, start time, NAS/port information, active time, amount of data transferred, etc.?
bluewaveitAuthor Commented:
Sorry for the delay in replying, I have been busy on other urgent Windows server issues.
Going back to the question, we are looking for the following:

User logs in at the beginning of the month
Counters will log data for both in and out traffic
We need the counter to work on all sessions within the month
When the user 'hits' the data limit, a new connection speed is applied to the connection
All counters reset at the end of the month, ready for the following month.

If a customer were to use it all in one session it doesn't matter. If they go the whole without hitting it, it doesn't matter. We need to collect the data usage regardless and provide graphing showing the usage month by month.
You need to configure on your Mikrotik the accounting portion that sends accounting data back to port 1813.

You then need to make sure the accounting start/stop records (these include both the start time and the stop time, duration, amount of data transferred/received) are going into the radacct table.
I believe there is a way to update the user table where the current usage is appended to the existing information about the amount transferred, within the same table as the users' username/password, etc.

The usage data to graph can be collected/created by using other tools and pulling the data from the radacct table directly, performing all the necessary computation during this process.
The script to reset is fairly straightforward: at 11:59:50pm
it will issue update user set data_transfer_data_counter=0 where username_is_still_active_table

If you want to impose the rate limiter while the user is in session, that can be done with the script that connects to the Mikrotik to check for active sessions versus the radcheck table in MySQL, i.e. there could be a session for which a stop record was not received in MySQL while the user is not active.
bluewaveitAuthor Commented:
I will try out what you have suggested. I have also been reading a good book on freeradius and that has some good information. I will post an update as soon as I have something resembling a solution.
bluewaveitAuthor Commented:
I am now at the point where I am willing to pay someone who knows to assist in this project. If anyone thinks they can help, please get in touch.
What is the issue you are dealing with? Does Mikrotik report back accounting records?
Is the issue related to getting the accounting records into the radacct table?
bluewaveitAuthor Commented:
The RADACCT table is being populated with counters for each session. I need to use that information with sqlcounter and/or backcounter to then enforce a speed throughput cap that can then be overwritten with the purchase of more data allowance.
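
An added example, not part of the thread and not FreeRADIUS's rlm_sqlcounter: it sketches the decision discussed above, summing a user's radacct octets for the month, comparing them with the plan allowance plus any purchased bundles, and choosing the value to return as Mikrotik-Rate-Limit. SQLite stands in for MySQL so it runs offline; the data_plan and data_bundle tables, the rate strings and all rows are constructed assumptions.

```python
import sqlite3

THROTTLED_RATE = "256k/256k"  # constructed Mikrotik-Rate-Limit value for capped users

def build_sample():
    """In-memory stand-in for the MySQL schema; all rows are constructed."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE radacct (username TEXT, acctstarttime TEXT,
                              acctinputoctets INTEGER, acctoutputoctets INTEGER);
        -- data_plan and data_bundle are hypothetical tables, not FreeRADIUS schema
        CREATE TABLE data_plan (username TEXT PRIMARY KEY,
                                monthly_octets INTEGER, normal_rate TEXT);
        CREATE TABLE data_bundle (username TEXT, month TEXT, extra_octets INTEGER);
        INSERT INTO data_plan VALUES ('alice', 1000, '10M/10M');
        INSERT INTO radacct VALUES ('alice', '2024-04-15 09:00:00', 5000, 5000);
        INSERT INTO radacct VALUES ('alice', '2024-05-02 10:00:00', 300, 400);
        INSERT INTO radacct VALUES ('alice', '2024-05-20 18:30:00', 200, 200);
    """)
    return conn

def monthly_usage(conn, username, month):
    """Octets in + out over every session that started in `month` (YYYY-MM)."""
    row = conn.execute(
        "SELECT COALESCE(SUM(acctinputoctets + acctoutputoctets), 0) FROM radacct "
        "WHERE username = ? AND strftime('%Y-%m', acctstarttime) = ?",
        (username, month)).fetchone()
    return row[0]

def add_bundle(conn, username, month, extra_octets):
    """Record a purchased top-up that raises the allowance for one month only."""
    conn.execute("INSERT INTO data_bundle VALUES (?, ?, ?)",
                 (username, month, extra_octets))

def rate_limit_for(conn, username, month):
    """Return the rate string to send as Mikrotik-Rate-Limit, or None if no plan."""
    plan = conn.execute("SELECT monthly_octets, normal_rate FROM data_plan "
                        "WHERE username = ?", (username,)).fetchone()
    if plan is None:
        return None
    extra = conn.execute(
        "SELECT COALESCE(SUM(extra_octets), 0) FROM data_bundle "
        "WHERE username = ? AND month = ?", (username, month)).fetchone()[0]
    used = monthly_usage(conn, username, month)
    return THROTTLED_RATE if used >= plan[0] + extra else plan[1]

if __name__ == "__main__":
    db = build_sample()
    print(rate_limit_for(db, "alice", "2024-05"))   # over the plan allowance
    add_bundle(db, "alice", "2024-05", 500)
    print(rate_limit_for(db, "alice", "2024-05"))   # bundle lifts the cap
```

Because usage is summed per calendar month, this variant needs no reset script; a session that spans a month boundary is counted in the month it started. The queries bind the username as a parameter rather than concatenating it, since it arrives from the network.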
bluewaveitAuthor Commented:
Sorry for the delay, I have been away on holiday and then on training courses. I have flattened my radius server and started again. On my training course we covered a small part of this and I think I now have a better understanding of how it all pieces together.

I will let you know my progress.
bluewaveitAuthor Commented:
I am closing this question as I am dropping the project.
Question has a verified solution.