[RADIATOR] Change of Authorization

Hugh Irvine hugh at open.com.au
Mon Oct 15 21:22:48 CDT 2012 

Hello Rohan -

Depending on your exact requirements, here are the various elements you'll need.

1. an SQL database for your customer records and accounting records

2. each customer record must have accounting totals updated in real time by RADIUS interim accounting requests as well as session accounting

3. when authenticating a customer (user) you need to check the current totals in the customer record and return the appropriate RADIUS reply items (ie. time remaining and/or quota limits and/or bandwidth limits)

4. a cron job to scan the customer records periodically and if a change is required to a current customer session, run a script that calls the "radpwtst" utility with whatever COA attribute-value pairs are necessary

5. an end-of-billing period cron job to reset the totals in the customer records when the new period begins

Note that Radiator itself in this scenario is only required to process the RADIUS authentication requests and accounting requests, everything else is done directly on the database with scripts.

hope that helps

regards

Hugh

ps - please give my best regards to Elon Richards and his colleagues at CW Barbados


On 16 Oct 2012, at 06:03, rohan.henry at cwjamaica.com wrote:

> Michael.
> 
> Thanks much for the start. I am going to do some further reading to see what i can come up with. I must also confirm COA support on our Juniper E320 NAS devices.
> 
> Rohan
> 
> 
> On Mon, 15 Oct 2012 13:34:38 -0400
> Michael <ringo at vianet.ca> wrote:
>> 
>> This was the hardest thing to get working and automated for me personally.  I don't know if there is an easy way of doing it.  I didn't find one.  I accomplished it with a complicated process.  It could be as simple as a script to execute "./radpwtst -s IP -code Change-Filter-Request etc....."
>> 
>> 
>> My complicated process goes something like the following, but I would suggest making sure the above simple method works for you as I do have a couple nas's where CoA just doesn't work with the IOS that it has.
>> 
>> - a script process that injects Change-Filter-Request packets into the radiator service, using radpwtst:
>> push( @change_args, (
>>        '-s', 'local radiator ip',
>>        '-code', 'Change-Filter-Request',
>>        "Timestamp=$timestamp",
>>        "NAS-IP-Address=$nas_ip",
>>        "NAS-Port=$nas_port",
>>        "Acct-Session-Id=$sess_id",
>>        "Framed-IP-Address=$ip",
>>        "Class=$class",
>>        "cisco-Policy-Up=$rate_up",
>>        "cisco-Policy-Down=$rate_down"
>>        )
>> 
>> - a Handler with custom Hook configured to read the cisco-Policy rate values from the injected packet, and look up the proper policy command from a radiator global variable depending on the nas-ip-address since I have multiple nas's that require different commands.
>> eg. global variable:
>> DefineFormattedGlobalVar 1.2.3.4-RATE100M-up    ip:sub-qos-policy-in=RATE100M
>> DefineFormattedGlobalVar 1.2.3.4-RATE100M-down ip:sub-qos-policy-out=RATE100M
>> 
>> - add 2 "cisco-avpair" attributes to the packet with the up rate and down rate commands.  These are the actual commands the NAS needs to change the rate limit.  The policy must already be setup on your nas.
>> ie:
>> cisco-avpair="ip:sub-qos-policy-in=RATE100M"
>> cisco-avpair="ip:sub-qos-policy-out=RATE100M"
>> 
>> - then a custom authby that required patching to determine what nas to forward the packet to, since i have multiple nas's. Also another authby that logs this request which is not required but i wanted to log it.
>> 
>> 
>> There's much more to it, but I don't want to get too deep here.  it all pretty much revolves around building the Change-Filter-Request packet with "./radpwtst -code Change-Filter-Request" and ether send that to the nas, or inject it into radiator so you can do other things with it.
>> 
>> 
>> Michael
>> 
>> 
>> On 15/10/12 12:47 PM, rohan.henry at cwjamaica.com wrote:
>>> Hello all,
>>> 
>>> I do not see any info on the captioned in the Radiator documentation. Where do I go to see details on implementing COA?
>>> 
>>> Thanks.
>>> 
>>> Rohan
>>> _______________________________________________
>>> radiator mailing list
>>> radiator at open.com.au
>>> http://www.open.com.au/mailman/listinfo/radiator
>>> 
>>> 
> 
> Rohan Henry
> Server Administrator
> LIME
> Phone (876) 936-4819
> Mobile (876) 997-0729
> _______________________________________________
> radiator mailing list
> radiator at open.com.au
> http://www.open.com.au/mailman/listinfo/radiator


--

Hugh Irvine
hugh at open.com.au

Radiator: the most portable, flexible and configurable RADIUS server 
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald, 
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS, 
TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
DIAMETER etc. 
Full source on Unix, Windows, MacOSX, Solaris, VMS, NetWare etc.

More information about the radiator mailing list