[RADIATOR] Question about RateLimitSource - MaxRateResult
Heikki Vatiainen
hvn at open.com.au
Mon Feb 6 20:15:27 UTC 2023
On 3.2.2023 18.09, Garret Peirce via radiator wrote:
> I'm looking at this feature and I was curious if the MaxRateResult uses
> an OR between MaxRates 1 and 2 or an AND ? The goodies file seems to
> indicate it's an OR.
The two run one after another. Something like this:

   Policer 1 measures its traffic
   If number of requests within window > MaxRate1
      return MaxRateResult
   Then policer 2 measures its traffic
   If number of requests within window > MaxRate2
      return MaxRateResult

Therefore I'd say the answer is OR; if one or the other exceeds, then
MaxRateResult is returned.
> I desire to rate limit requests from a given Calling-Station to an
> individual Client to (ex.) 10 requests in 10 seconds.
I think with the config below no end user (Calling-Station-Id) can send
more than 10 req/s and if there are, for example, two end users
connected to the same NAS (<Client ...> Identifier), only 10 req/s are
allowed from the NAS and the end users together can't exceed the per NAS
limit.
Hopefully this clarifies the behaviour. Please let us know how it works.
> ex.
> <AuthBy RATELIMITSOURCE>
>     Identifier auth-ratelimitsource
>     # Policer1
>     SourceKey1 %{Request:Calling-Station-Id}
>     MaxRate1 10
>     Policer1_Size 1
>     TimeWindow1 10
>     # Policer2
>     SourceKey2 %{Client:Identifier}
>     MaxRate2 10
>     Policer2_Size 1
>     TimeWindow2 10
>     # Result to use when MaxRate1 or MaxRate2 is exceeded
>     MaxRateResult REJECT
> </AuthBy>
Thanks,
Heikki
--
Heikki Vatiainen <hvn at open.com.au>
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, TACACS+, PAM, Active Directory,
EAP, TLS, TTLS, PEAP, WiMAX, RSA, Vasco, Yubikey, HOTP, TOTP,
DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS, etc.
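
Added example, not part of the original message and not Radiator code: a small Python model of the two policers run one after another as in the pseudocode above, using MaxRate 10 and TimeWindow 10 from the quoted config. The sliding-window counting, the NOT_LIMITED label and the sample traffic are assumptions made for illustration, and Policer1_Size/Policer2_Size are not modelled.

```python
from collections import defaultdict, deque


class Policer:
    """Counts requests per key inside a time window (assumed sliding window)."""

    def __init__(self, max_rate, time_window):
        self.max_rate = max_rate
        self.time_window = time_window
        self.seen = defaultdict(deque)  # key -> timestamps still inside the window

    def exceeded(self, key, now):
        stamps = self.seen[key]
        while stamps and stamps[0] <= now - self.time_window:
            stamps.popleft()            # forget requests that left the window
        stamps.append(now)              # "policer measures its traffic"
        return len(stamps) > self.max_rate


def make_limiter(max_rate1=10, window1=10, max_rate2=10, window2=10):
    policer1 = Policer(max_rate1, window1)   # keyed on Calling-Station-Id
    policer2 = Policer(max_rate2, window2)   # keyed on Client Identifier

    def handle(calling_station_id, client_identifier, now):
        # Policer 1 runs first; policer 2 only sees requests policer 1 let through.
        if policer1.exceeded(calling_station_id, now):
            return "REJECT"                  # MaxRateResult from the config
        if policer2.exceeded(client_identifier, now):
            return "REJECT"
        return "NOT_LIMITED"                 # hypothetical label, not a Radiator result

    return handle


def run(requests):
    """Feed (time, Calling-Station-Id, Client Identifier) tuples to a fresh limiter."""
    handle = make_limiter()
    return [handle(station, nas, t) for t, station, nas in requests]


# Constructed traffic: one end user sends 12 requests in 6 seconds via nas1.
ONE_USER = [(i * 0.5, "aa-bb-cc-00-00-01", "nas1") for i in range(12)]
# Constructed traffic: two end users alternate, 7 requests each, same NAS.
TWO_USERS = [(i * 0.5, "aa-bb-cc-00-00-0%d" % (1 + i % 2), "nas1") for i in range(14)]

if __name__ == "__main__":
    print("one user :", run(ONE_USER).count("REJECT"), "rejected")
    print("two users:", run(TWO_USERS).count("REJECT"), "rejected")
```

In the second run neither end user exceeds the per-station limit, yet the last four requests are rejected by the per-NAS policer, which is the OR behaviour described above.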