(RADIATOR) WISPr-Bandwidth control using Active Directory authentication.

Hugh Irvine hugh at open.com.au
Sat Dec 20 18:27:24 CST 2003


Hello Mario -

The usual way to do this is with cascaded AuthBy clauses and DEFAULT's.

Something like this:

# define AuthBy clauses

<AuthBy ADSI>
	Identifier CheckADSI
	.....
</AuthBy>

<AuthBy FILE>
	Identifier CheckUsers
	Filename %D/users
	# AddToReply for common reply attributes
	AddToReply ......
</AuthBy>

.....

# define Realms or Handlers

<Handler ...>
	AuthBy CheckUsers
	.....
</Handler>



The "users" file would contain something like this:

# define DEFAULT users for the different Groups

DEFAULT  Auth-Type = CheckADSI, Group = Access-512-512
	Bandwidth-Max-Up = .....,
	Bandwidth-Max-Down = .....,
	.....

DEFAULT  Auth-Type = CheckADSI, Group = Access-256-256
	Bandwidth-Max-Up = .....,
	Bandwidth-Max-Down = .....,
	......

DEFAULT ......


......



Hope that helps.


For the simultaneous use problem, you will need to look at the trace 4 
debug from Radiator to see what attributes are present in the access 
requests that you can use to control the sessions.


regards

Hugh


On 21/12/2003, at 3:54 AM, Mario Lopez wrote:

> Hi,
>
> I will expose my problem.
>
> I am using Active Directory authentication which works ok, my problem is
> that I have several kinds of users that depending on what they pay they get
> a bandwidth limit, I can do bandwidth control on a per-user basis using the
> WISPr VSA's included in dictionary file (Bandwidth-Max-Up,
> Bandwidth-Max-Down), the problem is that I need to send these attributes when
> user belongs to a specific Windows Group.
>
> For example, if I had user Mario which belongs to Windows Group
> "Access 512-512", I would need to send the corresponding VSA attribute to
> limit the bandwidth.
>
> I know how to send the VSA's with "AddToReply", I can even send them with
> AuthAttrDef reading the attributes from Active Directory.
>
> What I would like to do is send the reply VSA IF the user belongs to Windows
> Group = X.
>
> Could I use the CheckGroup statement?
>
> Is it possible to set CheckGroup Access512-512,WISPr-Bandwidth-Max-Down=512
> and then send the WISPr-Bandwidth-Max-Down attribute?
>
> Another problem I am having is that Radiator does not know how to identify
> concurrent connections from my NAS, because it treats them all as being from
> the same user.
>
> Thanks!
>
> Mario.
>
> ===
> Archive at http://www.open.com.au/archives/radiator/
> Announcements on radiator-announce at open.com.au
> To unsubscribe, email 'majordomo at open.com.au' with
> 'unsubscribe radiator' in the body of the message.
>
>

NB: have you included a copy of your configuration file (no secrets),
together with a trace 4 debug showing what is happening?

-- 
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. Available on *NIX, *BSD, Windows, MacOS X.
-
Nets: internetwork inventory and management - graphical, extensible,
flexible with hardware, software, platform and database independence.
-
CATool: Private Certificate Authority for Unix and Unix-like systems.
