Kicking Out a User When Bandwidth is Exhausted Using POD Radius Packet - Uelekezo

Tuesday, 20 December 2022

Configuring an originated Change of Authorization (CoA) packet from FreeRADIUS 3.0: the Packet of Disconnect (POD)

WHY:

When a connected user exhausts their allocated bandwidth they are not logged out immediately; the session survives until the next Acct-Interim-Interval elapses. To disconnect without that delay, you can have FreeRADIUS originate a CoA packet, specifically a RADIUS Packet of Disconnect (POD, a Disconnect-Request), towards the NAS.


DRAWBACKS:

There is added overhead on the database engine, especially from the two SELECT queries the check runs:

 SELECT (SUM(AcctInputOctets) + SUM(AcctOutputOctets)) FROM radacct WHERE username='<client username>'

 SELECT value FROM radcheck WHERE username='<client username>' AND attribute='ChilliSpot-Max-Total-Octets'

Both SELECT statements run on every accounting packet (each Interim-Update), which is the unnecessary load on the RDBMS mentioned above.

DISCLAIMER: For large networks this is discouraged, unless you upgrade to a highly performant RDBMS that can handle the RADIUS accounting load.

MERITS:

The WISPr network will be highly responsive in handling timed-out client sessions and will redirect them quickly back to the captive portal. The server configuration files involved are the following:

    1. /etc/freeradius/3.0/sites-available/originate-coa
    2. /etc/freeradius/3.0/clients.conf
    3. /etc/chilli/defaults
    4. /etc/freeradius/3.0/sites-enabled/default

SUMMARY – QUICK & EASY STARTUP

APPEND BELOW CONTENTS TO END OF /etc/freeradius/3.0/clients.conf

home_server example-coa {
        type = coa

        #
        #  Note that a home server of type "coa" MUST be a real NAS,
        #  with an ipaddr or ipv6addr.  It CANNOT point to a virtual
        #  server.
        #
        #  Change this IP address to the IP address of the NAS.
        #
        ipaddr = 10.1.0.1
        port = 3799

        #  This secret SHOULD NOT be the same as the shared
        #  secret in a "client" section.
        #secret = testing1234
        secret = radpass

        #  CoA specific parameters.  See raddb/proxy.conf for details.
        coa {
                irt = 2
                mrt = 16
                mrc = 5
                mrd = 30
        }
}
# NOTE: above contents are derived from /etc/freeradius/3.0/sites-available/originate-coa 

# NOTE: port 3799 is the CoovaChilli CoA port; it is set with the HS_COAPORT entry in /etc/chilli/defaults (next section).

CONFIGURING COA SUPPORT ON NAS (COOVACHILLI)


APPEND THE FOLLOWING ENTRY into the /etc/chilli/defaults 

HS_COAPORT=3799
# RESTART COOVACHILLI - >
uelekezo@WISPR > cat /etc/chilli/defaults | grep HS_COA
HS_COAPORT=3799
uelekezo@WISPR > # restarting coovachilli service
uelekezo@WISPR > sudo systemctl restart chilli
uelekezo@WISPR > systemctl status chilli
 chilli.service - LSB: Start CoovaChilli daemon at boot time
     Loaded: loaded (/etc/init.d/chilli; generated)
     Active: active (running) since Sat 2022-12-17 10:34:53 EAT; 9s ago
       Docs: man:systemd-sysv-generator(8)
    Process: 39625 ExecStart=/etc/init.d/chilli start (code=exited, status=0/SUCCESS)
      Tasks: 1 (limit: 3966)
     Memory: 4.4M
        CPU: 481ms
     CGroup: /system.slice/chilli.service
             └─39754 /usr/sbin/chilli -c /etc/chilli.conf

Dec 17 10:34:54 lab-HP-15-Notebook-PC chilli[39754]: Username must be included in disconnect request
Dec 17 10:34:54 lab-HP-15-Notebook-PC chilli[39754]: bad idx (-1)
Dec 17 10:34:54 lab-HP-15-Notebook-PC chilli[39754]: RADIUS id 4 was not found in queue!
Dec 17 10:34:54 lab-HP-15-Notebook-PC chilli[39754]: Username must be included in disconnect request
Dec 17 10:34:54 lab-HP-15-Notebook-PC chilli[39754]: bad idx (-1)
Dec 17 10:34:54 lab-HP-15-Notebook-PC chilli[39754]: RADIUS id 3 was not found in queue!
Dec 17 10:34:56 lab-HP-15-Notebook-PC chilli[39754]: Username must be included in disconnect request
Dec 17 10:34:56 lab-HP-15-Notebook-PC chilli[39754]: Username must be included in disconnect request
Dec 17 10:35:01 lab-HP-15-Notebook-PC chilli[39754]: Username must be included in disconnect request
Dec 17 10:35:01 lab-HP-15-Notebook-PC chilli[39754]: Username must be included in disconnect request
uelekezo@WISPR > # check that COA PORT on UDP port 3799 is Listening for incoming connects
uelekezo@WISPR > sudo lsof -i :3799
COMMAND   PID   USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
chilli  39754 chilli    3u  IPv4 460467      0t0  UDP *:3799 
uelekezo@WISPR > 


ENABLE IMPLICIT CLIENT DISCONNECT WHEN A CLIENT HAS EXHAUSTED THEIR ALLOCATED BANDWIDTH

The FreeRADIUS originate-coa virtual server originates the Disconnect-Request when a client exhausts their allocated bandwidth; the check that triggers it lives in the accounting section of the default virtual server. After editing, run the server in debug mode (freeradius -X) and confirm that the Disconnect-Request is actually sent to the home_server you defined in clients.conf.

SETTING UP PACKET OF DISCONNECT (POD)
- Modify
/etc/freeradius/3.0/sites-enabled/default

1. MODIFY THE ACCOUNTING SECTION BY ADDING THE FOLLOWING CONTENTS

accounting {
        #  Update accounting packet by adding the CUI attribute
        #  recorded from the corresponding Access-Accept
        #  use it only if your NAS boxes do not support CUI themselves
#       cui
        #
        #  Create a 'detail'ed log of the packets.
        #  Note that accounting requests which are proxied
        #  are also logged in the detail file.
        detail

        #  Update the wtmp file
        #
        #  If you don't use "radlast", you can delete this line.
        unix

        #
        #  For Simultaneous-Use tracking.
        #
        #  Due to packet losses in the network, the data here
        #  may be incorrect.  There is little we can do about it.
        radutmp
#       sradutmp

        #  Return an address to the IP Pool when we see a stop record.
#       main_pool

        #

        #
        #  If you receive stop packets with zero session length,
        #  they will NOT be logged in the database.  The SQL module
        #  will print a message (only in debugging mode), and will
        #  return "noop".
        #
        #  You can ignore these packets by uncommenting the following
        #  three lines.  Otherwise, the server will not respond to the
        #  accounting request, and the NAS will retransmit.
        #
#       if (noop) {
#               ok
#       }

        #  Cisco VoIP specific bulk accounting
#       pgsql-voip

        # For Exec-Program and Exec-Program-Wait
        exec

        #  Filter attributes from the accounting response.
        attr_filter.accounting_response

        #
#
        #  See "Autz-Type Status-Server" for how this works.
        #
#       Acct-Type Status-Server {
#
#       }
#
        #
        #  Log traffic to an SQL database.  The sql module must be
        #  enabled, and it must run BEFORE the quota check below so
        #  that the Interim-Update being processed is already counted.
        sql

        #
        #  Disconnect a user once they've exhausted their bandwidth.
        #  The outer test skips users with no ChilliSpot-Max-Total-Octets
        #  row (the xlat would expand to "").  The <integer> cast makes
        #  the comparison numeric; uncast, the two xlat results are
        #  compared as strings and "900" >= "1073741824" is true.
        #  Each xlat must stay on a single line.
        #
        if ("%{sql: SELECT value FROM radcheck WHERE username='%{User-Name}' AND attribute='ChilliSpot-Max-Total-Octets'}" != "") {
                if (<integer>"%{sql: SELECT (SUM(AcctInputOctets) + SUM(AcctOutputOctets)) FROM radacct WHERE username='%{User-Name}'}" >= "%{sql: SELECT value FROM radcheck WHERE username='%{User-Name}' AND attribute='ChilliSpot-Max-Total-Octets'}") {
                        update disconnect {
                                User-Name = "%{User-Name}"
                                Calling-Station-Id = "%{Calling-Station-Id}"
                        }
                }
        }


}


############## IMPORTANT ###########################
> DECOMPILED SQL QUERY:
QUERY 1 := SELECT (SUM(AcctInputOctets) + SUM(AcctOutputOctets)) FROM radacct
WHERE username = 'CLIENT_USERNAME'

QUERY 2 := SELECT value FROM radcheck WHERE username = 'CLIENT_USERNAME'
AND attribute = 'ChilliSpot-Max-Total-Octets'

if (query1 >= query2)   /* compared as integers, not as strings */
{
 disconnect(client_device);
}
############## IMPORTANT ###########################
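The quota rule from the accounting section and the decompiled queries above, as an added example that is not code from this post or from FreeRADIUS: it rebuilds the two tables the rule queries (radacct, radcheck) in an in-memory SQLite database with constructed rows, applies the same comparison, and makes explicit the two cases the one-line unlang xlat handles badly, a user with no accounting rows (SUM() is NULL) and a user with no quota row, plus the string-versus-integer comparison pitfall. Usernames, octet counts and the 1 GiB quota are constructed sample values.

```python
"""Quota check behind the accounting-section rule (added example)."""
import sqlite3

QUOTA_ATTR = "ChilliSpot-Max-Total-Octets"


def build_db() -> sqlite3.Connection:
    """Constructed sample data; column names follow the FreeRADIUS SQL schema."""
    db = sqlite3.connect(":memory:")
    db.executescript(
        """
        CREATE TABLE radacct (
            username TEXT, acctinputoctets INTEGER, acctoutputoctets INTEGER);
        CREATE TABLE radcheck (
            username TEXT, attribute TEXT, op TEXT, value TEXT);

        -- alice: two sessions totalling 1,150,000,000 octets, over a 1 GiB quota
        INSERT INTO radacct VALUES ('alice', 700000000, 450000000);
        INSERT INTO radacct VALUES ('alice', 0, 0);
        -- bob: well under quota
        INSERT INTO radacct VALUES ('bob', 1000, 2000);
        -- dave: has traffic but no quota row at all
        INSERT INTO radacct VALUES ('dave', 5, 5);

        INSERT INTO radcheck VALUES ('alice', 'ChilliSpot-Max-Total-Octets', ':=', '1073741824');
        INSERT INTO radcheck VALUES ('bob',   'ChilliSpot-Max-Total-Octets', ':=', '1073741824');
        -- carol: quota row but no accounting rows yet
        INSERT INTO radcheck VALUES ('carol', 'ChilliSpot-Max-Total-Octets', ':=', '1073741824');
        """
    )
    return db


def total_octets(db: sqlite3.Connection, username: str):
    """QUERY 1 of the post.  Returns None (SQL NULL) when the user has no rows."""
    row = db.execute(
        "SELECT SUM(acctinputoctets) + SUM(acctoutputoctets) "
        "FROM radacct WHERE username = ?",
        (username,),
    ).fetchone()
    return row[0]


def quota_octets(db: sqlite3.Connection, username: str):
    """QUERY 2 of the post.  Returns None when no quota is configured."""
    row = db.execute(
        "SELECT value FROM radcheck WHERE username = ? AND attribute = ?",
        (username, QUOTA_ATTR),
    ).fetchone()
    return int(row[0]) if row else None


def should_disconnect(db: sqlite3.Connection, username: str) -> bool:
    """The post's 'if (query1 >= query2) disconnect' with the NULL cases decided."""
    quota = quota_octets(db, username)
    if quota is None:
        return False  # no ChilliSpot-Max-Total-Octets row: this rule never fires
    used = total_octets(db, username) or 0  # a NULL sum counts as nothing used
    return used >= quota


def string_compare_is_misleading() -> bool:
    """Why the unlang xlat must be cast to integer: as strings, '900' sorts
    after '1073741824', so an uncast comparison would disconnect a user who
    has used only 900 octets of a 1 GiB quota."""
    return "900" >= "1073741824"


if __name__ == "__main__":
    db = build_db()
    for user in ("alice", "bob", "carol", "dave"):
        print(user, total_octets(db, user), quota_octets(db, user), should_disconnect(db, user))
```

The per-user totals are computed over every radacct row, closed sessions included, which is exactly why the post warns about load: the SUM is recomputed on each Interim-Update for each active user.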
Initiating a disconnect packet from RADIUS (manual test)

You can test the NAS side without waiting for a quota to run out by sending a Disconnect-Request by hand with radclient. The packet code 40 is Disconnect-Request (radclient also accepts the word "disconnect"), 127.0.0.1:3799 is the CoovaChilli CoA port configured above, and radpass is the home_server secret from clients.conf. The User-Name attribute is mandatory: CoovaChilli logs "Username must be included in disconnect request" and rejects a request without it, as seen in the systemctl status output above.
 echo User-Name=admin | radclient -x 127.0.0.1:3799 40 radpass
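What that radclient command puts on the wire, and the checks a NAS performs before honouring it, as an added example. This is not code from this post, from radclient or from CoovaChilli; the packet layout and the Request Authenticator rule follow RFC 2865 and RFC 5176 (a Disconnect-Request whose authenticator does not verify under the shared secret is silently discarded, which is what protects the NAS from forged or altered disconnects). The secret radpass and User-Name admin are the post's values; the identifier and the Calling-Station-Id used below are constructed.

```python
"""RADIUS Disconnect-Request (code 40) encoder and NAS-side verifier (added example)."""
import hashlib
import hmac
import struct

DISCONNECT_REQUEST = 40  # the "40" in the radclient command
DISCONNECT_ACK = 41
DISCONNECT_NAK = 42
USER_NAME = 1            # RFC 2865 attribute types
CALLING_STATION_ID = 31


def encode_avps(attrs) -> bytes:
    """Type-Length-Value attributes: 1-byte type, 1-byte total length, value."""
    out = b""
    for attr_type, value in attrs:
        if len(value) > 253:
            raise ValueError("RADIUS attribute value longer than 253 octets")
        out += struct.pack("!BB", attr_type, len(value) + 2) + value
    return out


def build_disconnect_request(identifier: int, secret: bytes, attrs) -> bytes:
    """Code | Identifier | Length | Request Authenticator | attributes.

    The Request Authenticator is MD5 over the packet with the authenticator
    field zeroed, followed by the shared secret, so only a sender holding the
    secret (the home_server 'secret = radpass' above) can produce it."""
    avps = encode_avps(attrs)
    header = struct.pack("!BBH", DISCONNECT_REQUEST, identifier, 20 + len(avps))
    authenticator = hashlib.md5(header + b"\x00" * 16 + avps + secret).digest()
    return header + authenticator + avps


def parse_packet(packet: bytes):
    """Return (code, identifier, authenticator, [(type, value), ...])."""
    if len(packet) < 20:
        raise ValueError("packet shorter than the 20-octet RADIUS header")
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        raise ValueError("Length field does not match packet size")
    attrs, pos = [], 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2 or pos + attr_len > length:
            raise ValueError("malformed attribute")
        attrs.append((attr_type, packet[pos + 2:pos + attr_len]))
        pos += attr_len
    return code, identifier, packet[4:20], attrs


def nas_handle(packet: bytes, secret: bytes) -> str:
    """What the NAS does with an incoming Disconnect-Request.

    1. Recompute the Request Authenticator with its own copy of the secret;
       a mismatch (wrong secret or altered attributes) is silently discarded.
    2. Require a User-Name, the rule behind CoovaChilli's log line
       'Username must be included in disconnect request' shown above.
    Returns 'discard', 'nak' or 'ack'."""
    code, _identifier, authenticator, attrs = parse_packet(packet)
    if code != DISCONNECT_REQUEST:
        return "discard"
    expected = hashlib.md5(packet[:4] + b"\x00" * 16 + packet[20:] + secret).digest()
    if not hmac.compare_digest(expected, authenticator):
        return "discard"
    if not any(attr_type == USER_NAME for attr_type, _ in attrs):
        return "nak"
    return "ack"


if __name__ == "__main__":
    pkt = build_disconnect_request(7, b"radpass", [(USER_NAME, b"admin")])
    print(pkt.hex())
    print(nas_handle(pkt, b"radpass"))
```

The authenticator check is also why the home_server secret must be kept distinct from the client secret, as the comment in the clients.conf block says: whoever holds radpass can end any session on that NAS, so it should be scoped to the one host that originates CoA.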
