Enforcing Bandwidth caps (quotas)

Author	All Replies
joeyconcrete join:2004-10-10	Enforcing Bandwidth caps (quotas) Whats the best way to go about enforcing bandwidth caps on a per user basis. If I have a user on RADIUS is there a way to enforce a set amount of data transfer per month (e.g 20gb). Once the user has reached their quota the PPPoE Concentrater/NAS disconnects them or reduces their speed to say 64k? I'm guessing this would require some special features on the access-device/concentrator to allow this, and may require some fancy stuff on the RADIUS server to calculate the ongoing quotas? Or am I wishing for too much
	to forum · permalink · · 2005-05-17 16:40:57 ·
sporkme drop the crantini and move it, sister Premium,MVM join:2000-07-01 Budd Lake, NJ ·Optimum Online	What I'm describing would work with PPPoE and radius, but I have no idea how wireless gear that does authentication/accounting with radius would work. Do any of the devices provide account session byte counts? If so, then the below would apply... I'm not going to say it's easy, but as long as you timeout your sessions after say, 24 hours or whatever granularity you need, you should have the info. Each time the access server sends the accounting "stop" packet, it should include a "bytes transferred" number that will get stashed in your radius sql backend (yeah, you really want to use a sql-backed radius server like gnu-radius, freeradius, radiator). Part of your "can they auth" sql query can total up the bytes transferred and deny access, or possibly send a custom reply to your access server device to throttle them.
	to forum · permalink · · 2005-05-17 17:29:15 ·
joeyconcrete join:2004-10-10	Thanks for the reply. I understand what you're saying about the "stop" accounting messages, but as you pointed out - these are only available when a session has ended. There's the interim accounting which I understand. What I'm wondering is there a way whereby you can actively disconnect a session by sending a "message" of some sort from the RADIUS server. Almost like a "stop" message sent to the access-device. The less elegant solution of disconnecting their session very xxx hours would work - I'm presuming a session-timeout will drop the PPP connection entirely?
	to forum · permalink · · 2005-05-18 18:03:57 ·
sporkme drop the crantini and move it, sister Premium,MVM join:2000-07-01 Budd Lake, NJ ·Optimum Online	said by joeyconcrete : What I'm wondering is there a way whereby you can actively disconnect a session by sending a "message" of some sort from the RADIUS server. Almost like a "stop" message sent to the access-device. The less elegant solution of disconnecting their session very xxx hours would work - I'm presuming a session-timeout will drop the PPP connection entirely? While I've seen Radius bent into some strange shapes, usually this is done when the session is started. That sounds crazy, but think of RAS gear... A user dials in, and the radius server OK's him. Along with that information, it may also specify the user has an idle-timeout of 10 minutes, a session-timeout of 8 hours, etc. So in that case, lots of the "counting" is really done on the radius client. Sometimes the radius server and the client may both be doing some neat stuff that in combination leads to something like "this user can have X bytes/month". Now how radios implement this, I have no idea. My day job is totally wired.
	to forum · permalink · · 2005-05-19 01:51:07 ·
joeyconcrete join:2004-10-10	Wired/Wireless, I guess ultimately it ends up at a concentrator. After scanning the web, it appears its only possible using "special" implementations or specialist software. For example, BT's broadband in the UK limits you to 10gb @ 512kb, then once you're quota is exceeded your speed is throttled to 64k. I'm guessing this is using some specialist kit as opposed to a simple concentrator/RADIUS pairing. Google seems to throw up companies like Allot and Packeteer - they have fancy things like policy managers etc - but all look very expensive!
	to forum · permalink · · 2005-05-19 12:22:42 ·
totalaccess Premium join:2002-10-04 Elgin, TX	reply to joeyconcrete We built our own BCU's and have had great success in traffic shapping and capping PTP traffic. We placed our BCU's at the base of each system where the bandwidth comes in and use the system a transparent bridge on the network. -- Deploying Global Solutions: »www.wirelessworlds.com
	to forum · permalink · · 2005-05-22 02:51:41 ·
GuyS25 join:2003-12-26 England	reply to joeyconcrete It's a one vendor solution but Mikrotik can do this with a script. No PPPoE concentrator or radius server required. HTH
	to forum · permalink · · 2005-05-22 05:19:50 ·
joeyconcrete join:2004-10-10	For anybody who's interested I found two relevant RFCs. RFC 3576 - Dynamic Authorization Extensions to Remote Authentication Dial In User Service (RADIUS) RFC 2882 - Network Access Servers Requirements: Extended RADIUS Practices These refer to "Disconnect Messages" and "Change-of-Authorization Messages (CoA)". To basically allows a RADIUS server to disconnect an active session by sending a specially formed packet to the Access server. Certain Cisco device support this (Cisco called it Ping of Disconnect, POD) and I 'think' other vendors do (Chillispot does for instance. Using this its relatively easy to write a script which monitors the RADIUS accounting-database, when a quota is reached the message can be sent to the NAS.
	to forum · permalink · · 2005-05-22 19:09:08 ·
totalaccess Premium join:2002-10-04 Elgin, TX	reply to GuyS25 again we do this at the base where the bandwidth hits the system, on a dual etherne unit instead of attached to any AP. Having your AP do bandwidth control is a bad idea. -- Deploying Global Solutions: »www.wirelessworlds.com
	to forum · permalink · · 2005-05-23 00:32:33 ·


Tuesday, 02-Dec 15:54:10	Terms of Use \| Privacy Policy \| Hosting by www.nac.net - DSL,Hosting & Co-lo \| feedback \| contact over 9 years online! © 1999-2008 dslreports.com. page compression OFF