[RADIATOR] Bandwidth switch COA advice

Michael ringo at vianet.ca
Wed Mar 27 15:26:47 CDT 2013


This is not really a cut-and-paste sort of configuration.  different 
cisco devices can have different config.  Sometimes this is all done on 
1 line, but generally this is what it looks like:


aaa server radius dynamic-author
  client 1.1.1.1
  client 1.1.1.2
  client 1.1.1.3
  client 1.1.1.4
  server-key 7 12464C5F030316
  auth-type any
!

The clients being the ip address from where you need to accept 
connections ie. from radpwtst.

Also keep in mind, this enables the POD server on the nas, but it 
doesn't necessarily listen on the ip address that you use for radius or 
to connect to the device.  I work on devices that have many ips and the 
POD service seems to only sit on some, possible just one of the nas's ips.




On 27/03/13 03:13 PM, Thomas Kurian wrote:
> Hello Michael,
> Many thanks for your email. I am just handling the radiator side of 
> our company project . ISG (NAS) is handled by my colleague. so Can you 
> please give me the necessary steps that i should ask him to do on the NAS?
> Additionally can you also please elaborate the steps or provide me 
> with an example on what is  to done on the radiator in a sequence. I 
> positively believe that your  previous experience with this subject  
> ,can certainly help me out.
>
> Requesting your kind help&  cooperation,
>
> Thomas Kurian
> IT Security Engineer (B.Tech. -- Electrical)
> Kuwaiti Canadian Consulting Group (www.kccg.com)
> T: +965 22435566
> F: +965 22415149
> E:thomas at kccg.com
> On 3/27/2013 8:18 PM, Michael wrote:
>>
>> I do this, but it's done by sending the "cisco-avpair" attribute to 
>> the nas, with a value such as: "ip:sub-qos-policy-out=RATE10M".  
>> "RATE10M" is a rate policy that MUST be already setup in the NAS.  
>> And of course you usually have 2 of these values.  1 being 
>> ip:sub-qos-policy-in= and the other ip:sub-qos-policy-out= to cover 
>> both the upload and the download.
>>
>> On a wider view of the process i myself use, i inject the request 
>> using radpwtst into NOT the nas, but into the radiator system which 
>> is configured to proxy the request itself to the nas, and then you 
>> have the ability to log that action.  The nas needs to be setup with 
>> the POD server to accept these requests.
>>
>>
>> Michael
>>
>>
>> On 27/03/13 05:16 AM, Thomas Kurian wrote:
>>> Hello Friends,
>>> I want to do a COA ,to switch the bandwidth profile of the users 
>>> after they exceed maximum their allocated quota. Which are the 
>>> attributes  to be  included in the COA script to achieve this( (with 
>>> respect to the following  Accounting request capture from the 
>>> NAS[cisco ISG]) , is it cisco-Policy-Up/Down or some other?
>>> what additional script lines might be required to achieve this 
>>> bandwidth switch COA?
>>> Is there some configuration to be changed on the NAS end?
>>>
>>> To make myself clear ,my requirement is for example,  to switch the 
>>> bandwidth of this user from 8Mbps to 1Mbps after this user exceeds 
>>> allocated quota ( quota check is to done by comparing 2 values like 
>>> this, if monthlycounter>=maxquota  ,perform the COA bandwidth 
>>> switching). Note:[totalcounter and maxquota are column names in my 
>>> odbc database named quotasubscribers].
>>>
>>> _Hook_
>>> sub { \
>>>           my $p = ${$_[0]}; \
>>>           return unless $p->code eq 'Accounting-Request'; \
>>>           main::log($main::LOG_DEBUG, 'Handling Accounting-Request'); \
>>>           my $user_name = $p->get_attr('User-Name'); \
>>>           my $sess_id = $p->get_attr('Acct-Session-Id'); \
>>>           my $framed_ipaddress = $p->get_attr('Framed-IP-Address'); \
>>>           my @coa_attrs = ("User-Name=$user_name", 
>>> "Acct-Session-Id=$sess_id", "Framed-IP-Address=$framed_ipaddress");\
>>>           my @cmd_args = ("-noacct", "-noauth", "-time","-code", 
>>> "Change-Filter-Request"); \
>>>              push @cmd_args, ("-trace", "4", "-bind_address", 
>>> "0.0.0.0", "-auth_port", "3799", "-secret", "xxxxxxx", "-s", 
>>> "x.x.x.x"); \
>>>           my @cmd = ("perl", "radpwtst"); \
>>>           main::log($main::LOG_DEBUG, "Running command: @cmd 
>>> @cmd_args @coa_attrs"); \
>>>           system (@cmd, @cmd_args, @coa_attrs); \
>>>         }
>>> _Accounting request sent from ISG_
>>> Wed Mar 27 10:19:32 2013: DEBUG: Packet dump:
>>> *** Received from 10.50.1.4 port 1646 ....
>>> Code:       Accounting-Request
>>> Identifier: 165
>>> Authentic:  .<25>5]<191><175>+<218>#<237><182><22><220><229>|<214>
>>> Attributes:
>>>         Acct-Session-Id = "002D98E3"
>>>         cisco-Policy-Up = "8Mbps"
>>>         cisco-Policy-Down = "8Mbps"
>>>         Framed-Protocol = PPP
>>>         Framed-IP-Address = 94.187.159.88
>>>         User-Name = "99759991"
>>>         cisco-avpair = "connect-progress=LAN Ses Up"
>>>         cisco-avpair = "nas-tx-speed=1000000000"
>>>         cisco-avpair = "nas-rx-speed=1000000000"
>>>         Acct-Session-Time = 40503
>>>         Acct-Input-Octets = 81218503
>>>         Acct-Output-Octets = 2504979160
>>>         Acct-Input-Packets = 1032810
>>>         Acct-Output-Packets = 1829162
>>>         Acct-Authentic = RADIUS
>>>         Acct-Status-Type = Alive
>>>         NAS-Port-Type = Virtual
>>>         NAS-Port = 0
>>>         NAS-Port-Id = "0/0/0/666"
>>>         cisco-avpair = "client-mac-address=7073.cbb3.66c8"
>>>         Class = 
>>> "<153>3<1><8>99759991<21><4><4>$<221><0>3<4><3><0><0><0>                                                                                               3<4><12><0><0><0>3<4><6><0><0><0>1<16>c1dfaedfabcffee7"
>>>         Service-Type = Framed-User
>>>         NAS-IP-Address = 10.50.1.4
>>>         Event-Timestamp = 1364368772
>>>         NAS-Identifier = "DC-ISG2-Flash.wimd.kw"
>>>         Acct-Delay-Time = 0
>>> -- 
>>> Requesting your kind help and advice,
>>>
>>> Thomas Kurian
>>> IT Security Engineer (B.Tech. -- Electrical)
>>> Kuwaiti Canadian Consulting Group (www.kccg.com)
>>> T: +965 22435566
>>> F: +965 22415149
>>> E:thomas at kccg.com
>>>
>>>
>>> _______________________________________________
>>> radiator mailing list
>>> radiator at open.com.au
>>> http://www.open.com.au/mailman/listinfo/radiator
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://www.open.com.au/pipermail/radiator/attachments/20130327/bf23eebe/attachment-0001.html 


More information about the radiator mailing list