Radius and total transfer parameter?

Hi all,

I was looking for a way to pass the total bytes transferred to the radius server and I found this forum entry http://forum.mikrotik.com/t/mikrotik-alepo/24863/1 . Is this true? I haven’t been able to get it to work. I need a parameter such as the one in the above post or something like “Mikrotik-Total-Limit”. Can anyone confirm that this functionality is supported?

Any help would be much appreciated.

Regards,
Tim

There is no out of the box solution for this. I program in perl, and as such I used the rlm_perl module with FreeRadius where I can do custom tasks with either accounting or authentication requests.

What I basically did was update the bytes transferred (RX and TX) in a database, if the value of the amount of bytes available becomes below zero, I send a radius disconnect message to the NAS device… A snippet of the code is below, but you really need to know what you are doing here… This isn’t straightforward stuff…

      # Update the Bytes Available to the account
      # The octet counters come from the NAS: force them to integers before they are placed in SQL.
      my $SessionTotal = int($RAD_REQUEST{'Acct-Input-Octets'} || 0) + int($RAD_REQUEST{'Acct-Output-Octets'} || 0);
      $SQL = $GlobalDB->query("SELECT BytesSession, BytesAvail FROM RadiusUsers WHERE Username = TRIM(LOWER(" . $GlobalDB->quote($RAD_REQUEST{'User-Name'}) . ")) LIMIT 1");
      if (!$SQL) { syslog('info', 'Radius: MySQL Error: ' . Mysql->errmsg()); }
      while (my ($BytesSession, $BytesAvail) = $SQL->fetchrow_array) {
        if ($SessionTotal != $BytesSession) {
          # Charge only the bytes used since the previous accounting update for this session.
          my $Delta = $SessionTotal - $BytesSession;
          $GlobalDB->query("UPDATE RadiusUsers SET BytesAvail = BytesAvail - " . $Delta . ", BytesSession = " . $SessionTotal . " WHERE Username = TRIM(LOWER(" . $GlobalDB->quote($RAD_REQUEST{'User-Name'}) . "))") or syslog('info', 'Radius: MySQL Error: ' . Mysql->errmsg());
          # Keep the local copy in step with the row just updated (subtract the delta, not the whole session total).
          $BytesAvail = $BytesAvail - $Delta;
        }

        # If we have less than 500 bytes available, disconnect the user (only on our Wireless ACS).
        if ($BytesAvail < 500 && $RAD_REQUEST{'Class'} && $RAD_REQUEST{'Class'} eq "0x574c414e") {
          $SQL = $GlobalDB->query("SELECT NASIP, NASUser, NASPass FROM RadiusNASList WHERE NASIP = " . $GlobalDB->quote($RAD_REQUEST{'NAS-IP-Address'}) . " AND isActive = 'y' LIMIT 1");
          if (!$SQL) { syslog('info', 'Radius: MySQL Error: ' . Mysql->errmsg()); }
          while (my ($NASIP, $NASUser, $NASPass) = $SQL->fetchrow_array) {
            syslog('info', 'Radius: Forcefully disconnected user: ' . $RAD_REQUEST{'User-Name'} . ', Traffic Quota Exceeded.');
            ## Send Radius Disconnect message to NAS
          }
          return RLM_MODULE_NOOP;
        }
      }
      return RLM_MODULE_OK;
    }

Hi Chris,

Thanks for taking the time to answer my question.

Mikrotik has the built-in feature of accepting a disconnect signal from the radius server. This is sent when the radius server sees that the Mikrotik-Xmit-Limit-Gigawords has been reached. It works perfectly with the parameters located here http://www.mikrotik.com/testdocs/ros/2.9/guide/aaa_radius.php

I was actually referring to this post, http://forum.mikrotik.com/t/ha-ha-found-your-hidden-radius-attributes/24823/1 , which says that there is another parameter “MT-Total-Limit-Gigawords”. If this is a supported parameter then I can proceed with testing, otherwise it doesn’t seem to work. The user manager has a total limit field now which leads me to believe this is in fact true.

Otherwise I’ll have to resort to your method of total calculation. This could also be done in php and activated using cron…

Regards,
Tim

I highly doubt there is a total-limit. If you look at the post, you will see that there are others that also tried it by adding the items to the dictionary, and were unsuccessful. Why don’t you add it to the dictionary and see for yourself?

I’ve been working with MT and Radius for a very very long time, and I have never seen a Total-Limit on a MT device (frankly, any device). Also, does the total-limit work only on hotspots, ppp, async, etc?? The post is very vague to say the least.

Frankly, from ALL the NAS devices supported by FreeRadius:

    [root@netsonic /usr/local/share/freeradius]# cat dictionary*|grep -i total
    ATTRIBUTE       SNA-RPRRQ-Rcvd-Total                    1019    integer
    ATTRIBUTE       SNA-RPRAK-Rcvd-Total                    1027    integer
    ATTRIBUTE       SNA-RP-Reg-Reply-Sent-Total             1031    integer
    [root@netsonic /usr/local/share/freeradius]#

Not one device matches any attribute close to total-limit. Looking at a list of ALL Attributes which FreeRadius understands as per the various RFCs (http://freeradius.org/rfc/attributes.html), again, no mention of any device supporting anything resembling a total limit.

Yes, this one is supported, but not documented yet. It’s mikrotik’s vendor attributes 17+18. So just add to dictionary.mikrotik these lines (and add some spaces between keywords):

    ATTRIBUTE Mikrotik-Total-Limit 17 integer
    ATTRIBUTE Mikrotik-Total-Limit-Gigawords 18 integer

Don’t forget to restart the radius daemon and you can use Mikrotik-Total-Limit as you need.

-dbai-

Are there any other attributes ( > 15 ) that I’m missing.
Can’t seem to find a latest list anywhere.

thanks!

Attributes for total limit I got when I analyzed packets from communication between RB-AP and another RB with User Manager :)

I know another one attribute:

ATTRIBUTE Mikrotik-Wireless-PSK 16 string

This is useful for individual pre-shared key for WPA/WPA2 authentication and encryption. Every user (rather every MAC address) of AP can have his own key for access. Great thing!

Thanks for the reply dbai. Strange, added this to the dictionary file, restarted the radius but still no joy. The Mikrotik-Recv-Limit and Mikrotik-Xmit-Limit attributes work but not the ones listed above. The radius server also acknowledges that they are valid… Have you gotten it to work? It seems so illogical that this was never a standard for radius…

Tim

Hi

Could someone please give more information on the Mikrotik-Total-Limit RADIUS attribute.
I have used it in the past and it works and then sometimes not.
Is this parameter official or is it only added temporarily.
In other words, will it stay there on firmware upgrades etc. ?

Thanks

It seems like the Mikrotik-Total-Limit attribute has disappeared with newer firmware.
I’m running everything on version 4.2. It worked fine on 3.x versions.

Sent from the RADIUS server:

    Mikrotik-Total-Limit := 4972819

In the log on the Routerboard:

    Mar/11/2010 13:19:26 radius,debug,packet Unknown-Attribute(type=17) = 0x004be113

Was this purposely left out or is it a bug?
Where can I get more information regarding this?

Thanks

Hi phurius,

I’m also struggling with the same problem..!! :(
Have you got any solution regarding “Mikrotik-Total-Limit” or “Mikrotik-Total-Limit-Gigawords”…?

Thank you in advance..
please help me…?
Little more urgent…?

Note: please find my issue clearly in the following link…
http://forum.mikrotik.com/t/help-regarding-mikrotik-total-limit/38055/1

Hallo

I’ve had some response from Mikrotik support regarding this.

Here are some excerpts:

  • Correct attribute is MIKROTIK_TOTAL_LIMIT_GIGAWORDS 14988 18

  • It should be MikroTik_Total_Limit (I’m sorry for the upper case in previous e-mail).

I couldn’t get these to work though. I ended up creating some script that fires when I receive acct interim packets and then disconnects users on port 1700. This is of course not optimal and not foolproof either.

I’m going to start investigating this again - I’ll let you know if I come up with something.
Please do the same for me !

Cheers

Please, try the latest version MikroTik RouterOS 4.10, provide us with RADIUS debug log from MikroTik router, when attribute is not applying.

Note, that correct RADIUS dictionary should be used on RADIUS too,

    MIKROTIK_TOTAL_LIMIT 14988 17
    MIKROTIK_TOTAL_LIMIT_GIGAWORDS 14988 18

hi sergejs,

We failed with “MIKROTIK_TOTAL_LIMIT” when we tried with version 4.2; maybe those attributes were not applied in MikroTik RouterOS 4.2.

(I provided the RADIUS debug log from the MikroTik router in the following link, in picture format:
http://forum.mikrotik.com/t/help-regarding-mikrotik-total-limit/38055/1

Please find the details there, where I explained my problem clearly.)

As I noticed, the following attributes work fine from mik 3.x+ versions onwards…

    MIKROTIK_TOTAL_LIMIT 14988 17
    MIKROTIK_TOTAL_LIMIT_GIGAWORDS 14988 18

Is that correct or not?
If not, which versions really support the above attributes?

Please guide us to move ahead…?

What about MikroTik RouterOS v4.10?

Actually we have 4.2..
We will check in the 4.10 version and get back to you..

But,
is there any problem with 4.2… why is it not working…?
From which version onwards will it work?

Hi

I have done some further testing using firmware version 4.10 on an RB411.

I have the following in my RADIUS dictionary file:

    # New Mikrotik attributes

    ATTRIBUTE Mikrotik-Wireless-PSK 16 string
    ATTRIBUTE MIKROTIK_TOTAL_LIMIT 17 integer
    ATTRIBUTE MIKROTIK_TOTAL_LIMIT_GIGAWORDS 18 integer

And then I have in my radreply table:

    +--------+-----------------------------+------------------------------+----+------------------+
    | id     | username                    | attribute                    | op | value            |
    +--------+-----------------------------+------------------------------+----+------------------+
    | 269491 | 32U837Z65Y@digitalpro.co.za | Idle-Timeout                 | := | 300              |
    | 269492 | 32U837Z65Y@digitalpro.co.za | MIKROTIK_TOTAL_LIMIT         | := | 2097152          |
    | 269493 | 32U837Z65Y@digitalpro.co.za | Session-Timeout              | := | 337046255        |
    | 269494 | 32U837Z65Y@digitalpro.co.za | WISPr-Session-Terminate-Time | := | 2021-03-11T11:38 |
    +--------+-----------------------------+------------------------------+----+------------------+

And what I am getting in the logfile on the Mikrotik unit:

    Jul/06/2010 11:53:48 radius,debug,packet received Access-Accept with id 19 from 41.222.52.219:1812
    Jul/06/2010 11:53:48 radius,debug,packet Signature = 0x2b5accfb501cc673b653a774006d22db
    Jul/06/2010 11:53:48 radius,debug,packet Idle-Timeout = 300
    Jul/06/2010 11:53:48 radius,debug,packet Unknown-Attribute(type=17) = 0x001ca938
    Jul/06/2010 11:53:48 radius,debug,packet Session-Timeout = 337045539
    Jul/06/2010 11:53:48 radius,debug,packet WISPr-Session-Terminate-Time = "2021-03-11T11:38"

That's the same unknown attribute error.

I find it strange that you will have changed the attribute to capitals and underscores as all other RADIUS ones are not.
From my testing, this has now not been working from version 4.2->4.10.
I am not sure if I am maybe doing something wrong, although I can't think what.

Thanks
Barry

where is

    VENDOR          Mikrotik                        14988

    BEGIN-VENDOR    Mikrotik

? :)
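
What the question above turns on, shown at the byte level as an added example (not code from any poster or from MikroTik): inside the vendor 14988 block, attribute 17 travels in an RFC 2865 Vendor-Specific attribute (type 26), whereas the same number defined without a vendor is sent as a top-level attribute 17, which is one reading of the `Unknown-Attribute(type=17)` log lines. The function names, the assumption that a vendor-less dictionary line yields the top-level encoding, and the 5 GiB quota are all illustrative.

```python
import struct

MIKROTIK_VENDOR_ID = 14988   # vendor number quoted in the thread
TOTAL_LIMIT = 17             # vendor attribute numbers quoted in the thread
TOTAL_LIMIT_GIGAWORDS = 18
VENDOR_SPECIFIC = 26         # RFC 2865 Vendor-Specific attribute type

def split_quota(total_bytes):
    """Split a byte quota into (low 32 bits, gigawords = multiples of 2**32)."""
    if not 0 <= total_bytes < 1 << 64:
        raise ValueError("quota must fit in 64 bits")
    return total_bytes & 0xFFFFFFFF, total_bytes >> 32

def encode_plain(attr_type, value):
    """Top-level attribute: Type, Length, 32-bit integer."""
    return struct.pack("!BBI", attr_type, 6, value)

def encode_vsa(vendor_id, vendor_type, value):
    """VSA: 26, Length, Vendor-Id, then Vendor-Type, Vendor-Length, integer."""
    sub = struct.pack("!BBI", vendor_type, 6, value)
    return struct.pack("!BBI", VENDOR_SPECIFIC, 6 + len(sub), vendor_id) + sub

def _tlvs(buf):
    """Split a buffer into (type, value bytes) pairs, rejecting bad lengths."""
    i = 0
    while i < len(buf):
        if i + 2 > len(buf) or buf[i + 1] < 2 or i + buf[i + 1] > len(buf):
            raise ValueError("malformed attribute at offset %d" % i)
        yield buf[i], buf[i + 2:i + buf[i + 1]]
        i += buf[i + 1]

def decode_attributes(buf):
    """Return [(vendor_id or None, type, integer value), ...]."""
    out = []
    for atype, body in _tlvs(buf):
        if atype == VENDOR_SPECIFIC and len(body) > 4:
            vendor = int.from_bytes(body[:4], "big")
            out += [(vendor, t, int.from_bytes(v, "big")) for t, v in _tlvs(body[4:])]
        else:
            out.append((None, atype, int.from_bytes(body, "big")))
    return out

if __name__ == "__main__":
    low, giga = split_quota(5 * 2**30)   # constructed 5 GiB quota
    reply = (encode_vsa(MIKROTIK_VENDOR_ID, TOTAL_LIMIT, low)
             + encode_vsa(MIKROTIK_VENDOR_ID, TOTAL_LIMIT_GIGAWORDS, giga)
             + encode_plain(TOTAL_LIMIT, low))   # assumed vendor-less encoding
    for vendor, atype, value in decode_attributes(reply):
        print("vendor=%s type=%d value=%d (0x%08x)" % (vendor, atype, value, value))
```

The top-level form of 4972819 is `11 06 00 4b e1 13`, whose value bytes match the `0x004be113` printed in the Routerboard log earlier in the thread.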

Check the following link…


http://forum.mikrotik.com/t/help-regarding-mikrotik-total-limit/38055/1