
Per-device data caps not applied as expected

2014-12-24
2015-01-23
  • Jannie Hanekom

    Jannie Hanekom - 2014-12-24

    Hi

    I suspect I might have encountered a bug while testing click-to-connect. Being new to RADIUSdesk, it's possibly just me fumbling config, but any feedback would help my understanding of the product.

    Scenario:
    - I'm using the v2-0 VM image for both FreeRADIUS and CoovaChilli. I've not done any updates.
    - I have created a click-to-connect user with an attribute of Rd-Auto-Mac := 1
    - I have created a 100MB per day profile with attributes:
      - Check: Rd-Cap-Type-Data := hard
      - Check: Rd-Total-Data := 113595733
      - Check: Rd-Reset-Type-Data := daily
      - Check: Rd-Mac-Counter-Data := 1
      - Reply: Fall-Through := Yes

    Symptoms: Users were able to connect successfully using CoovaChilli. When testing a device using the RADIUSdesk UI, a "Maximum usage exceeded" message was reported after the user (not individual devices) had exceeded the 100MB limit, but I'm led to believe this is expected. Users were still able to use the service and create new sessions (i.e. new devices and logoff/logon of old devices still worked.)

    However, every session would be limited to 100MB per device, after which the device was kicked off (by CoovaChilli), but that same device could then log on again for another 100MB session, providing unlimited use.

    Reviewing debug logs showed that during authentication attempts, Rd-Used-Data and Rd-Tmp-Used-Data never moved from 0. Rd-Avail-Data and Rd-Tmp-Avail-Data never dropped from the total of 100MB. Examining radacct shows that entries are being logged for the device, but they didn't seem to be taken into account.

    I suspect I found the problem in /usr/local/etc/raddb/policy.conf. When calculating usage, it seems to query radacct for a username of the MAC address of the device (calling station id), when all accounting is inserted with the username of the owner of the device and the calling station id is a separate field. This may be due to a mix-up with radcheck storing the calling station id as the username?

    Applying the following fixes the issue for me (UI issue remains, but that's understandable), by measuring the data for the device rather than a non-existent user:

    Possible patch

    --- /usr/local/etc/raddb/policy.conf 2014-12-24 06:21:20.623786753 +0200
    +++ /usr/local/etc/raddb/policy.conf 2014-12-24 06:24:54.314463234 +0200
    @@ -85,7 +85,7 @@
                             update control {
      Rd-Used-Data := "%{sql:SELECT IFNULL(SUM(acctinputoctets - GREATEST((%{control:Rd-Start-Time} - UNIX_TIMESTAMP(acctstarttime)), 0))\
      + SUM(acctoutputoctets -GREATEST((%{control:Rd-Start-Time} - UNIX_TIMESTAMP(acctstarttime)), 0)),0)\
    - FROM radacct WHERE username='%{request:User-Name}' AND callingstationid='%{request:Calling-Station-Id}' \
    + FROM radacct WHERE username='%{control:Rd-Mac-Tmp-Username}' AND callingstationid='%{request:Calling-Station-Id}' \
      AND UNIX_TIMESTAMP(acctstarttime) + acctsessiontime > '%{control:Rd-Start-Time}'}"
                             }
                         }
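    Review bot: In the SUM() terms kept as context above the changed WHERE line, GREATEST((%{control:Rd-Start-Time} - UNIX_TIMESTAMP(acctstarttime)), 0) is a number of seconds, yet it is subtracted from acctinputoctets and acctoutputoctets, which are byte counts, so a session that started before Rd-Start-Time is discounted by an amount unrelated to the traffic it carried before the reset. Since the patch already touches this query, either correct the carry-over handling in the same change or add a comment stating the intent, so the corrected username filter does not feed a sum that is still off at the reset boundary.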
    @@ -110,7 +110,7 @@
                     else{
                         if((control:Rd-Mac-Counter-Data)&&(request:Calling-Station-Id)){
                             update control {
    - Rd-Used-Data := "%{sql:SELECT IFNULL(SUM(acctinputoctets)+SUM(acctoutputoctets),0) FROM radacct WHERE username='%{request:User-Name}' \
    + Rd-Used-Data := "%{sql:SELECT IFNULL(SUM(acctinputoctets)+SUM(acctoutputoctets),0) FROM radacct WHERE username='%{control:Rd-Mac-Tmp-Username}' \
      AND callingstationid='%{request:Calling-Station-Id}'}"
                             }
                         }
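    Review bot: The condition on the if line checks control:Rd-Mac-Counter-Data and request:Calling-Station-Id but not control:Rd-Mac-Tmp-Username, which the new WHERE clause depends on. If that attribute is absent the expansion is empty, the query matches no rows, IFNULL returns 0 and the cap is silently not enforced, which is the same fail-open result this patch sets out to fix. Add (control:Rd-Mac-Tmp-Username) to the condition, or reject the request when it is missing.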
    

    Finally, I'm also somewhat confused by the idea of subtracting seconds from bytes in the query above, which would theoretically subtract two bytes for every second before midnight that the user's latest session started.

    Debug log before fix, showing Rd-Used-Data of 0: (note entries in bold)

    Wed Dec 24 06:15:31 2014 : Info: ?? Evaluating (control:Rd-Mac-Counter-Data) -> TRUE
    Wed Dec 24 06:15:31 2014 : Info: ++++++++++++? if ((control:Rd-Mac-Counter-Data)&&(request:Calling-Station-Id)) -> TRUE
    Wed Dec 24 06:15:31 2014 : Info: ++++++++++++if ((control:Rd-Mac-Counter-Data)&&(request:Calling-Station-Id)) {
    Wed Dec 24 06:15:31 2014 : Info: expand: SELECT IFNULL(SUM(acctinputoctets - GREATEST((%{control:Rd-Start-Time} - UNIX_TIMESTAMP(acctstarttime)), 0)) + SUM(acctoutputoctets -GREATEST((%{control:Rd-Start-Time} - UNIX_TIMESTAMP(acctstarttime)), 0)),0) FROM radacct WHERE username='%{request:User-Name}' AND callingstationid='%{request:Calling-Station-Id}' AND UNIX_TIMESTAMP(acctstarttime) + acctsessiontime > '%{control:Rd-Start-Time}'
    -> SELECT IFNULL(SUM(acctinputoctets - GREATEST((1419372000 - UNIX_TIMESTAMP(acctstarttime)), 0)) + SUM(acctoutputoctets -GREATEST((1419372000 - UNIX_TIMESTAMP(acctstarttime)), 0)),0) FROM radacct WHERE username='00-50-56-bd-50-22' AND callingstationid='00-50-56-bd-50-22' AND UNIX_TIMESTAMP(acctstarttime) + acctsessiontime > '1419372000'
    Wed Dec 24 06:15:31 2014 : Info: expand: %{sql:SELECT IFNULL(SUM(acctinputoctets - GREATEST((%{control:Rd-Start-Time} - UNIX_TIMESTAMP(acctstarttime)), 0)) + SUM(acctoutputoctets -GREATEST((%{control:Rd-Start-Time} - UNIX_TIMESTAMP(acctstarttime)), 0)),0) FROM radacct WHERE username='%{request:User-Name}' AND callingstationid='%{request:Calling-Station-Id}' AND UNIX_TIMESTAMP(acctstarttime) + acctsessiontime > '%{control:Rd-Start-Time}'}
    **-> 0**
    Wed Dec 24 06:15:31 2014 : Info: ++++++++++++} # if ((control:Rd-Mac-Counter-Data)&&(request:Calling-Station-Id)) = noop
    Wed Dec 24 06:15:31 2014 : Debug: rlm_perl: Rd-Tmp-Avail-Data does not exist. Set it equal to 113595733
    Wed Dec 24 06:15:31 2014 : Debug: rlm_perl: Added pair **Rd-Used-Data = 0**
    Wed Dec 24 06:15:31 2014 : Debug: rlm_perl: Added pair Rd-Start-Time = 1419372000
    Wed Dec 24 06:15:31 2014 : Debug: rlm_perl: Added pair Rd-Account-Disabled = 0
    Wed Dec 24 06:15:31 2014 : Debug: rlm_perl: Added pair Rd-Reset-Type-Data = daily
    Wed Dec 24 06:15:31 2014 : Debug: rlm_perl: Added pair Rd-Avail-Data = 113595733
    Wed Dec 24 06:15:31 2014 : Debug: rlm_perl: Added pair Rd-Mac-Tmp-Username = click_to_connect@localhost
    Wed Dec 24 06:15:31 2014 : Debug: rlm_perl: Added pair Rd-User-Type = device
    Wed Dec 24 06:15:31 2014 : Debug: rlm_perl: Added pair Rd-Total-Data = 113595733
    Wed Dec 24 06:15:31 2014 : Debug: rlm_perl: Added pair Rd-Mac-Counter-Data = 1
    Wed Dec 24 06:15:31 2014 : Debug: rlm_perl: Added pair Rd-Realm = Guests
    Wed Dec 24 06:15:31 2014 : Debug: rlm_perl: Added pair Rd-Tmp-Avail-Data = 113595733
    Wed Dec 24 06:15:31 2014 : Debug: rlm_perl: Added pair Rd-Device-Owner = click_to_connect@localhost
    Wed Dec 24 06:15:31 2014 : Debug: rlm_perl: Added pair Rd-Cap-Type-Data = hard


    Debug log after fix, showing positive Rd-Used-Data: (note entries in bold)

    Wed Dec 24 06:26:32 2014 : Info: ?? Evaluating (control:Rd-Mac-Counter-Data) -> TRUE
    Wed Dec 24 06:26:32 2014 : Info: ++++++++++++? if ((control:Rd-Mac-Counter-Data)&&(request:Calling-Station-Id)) -> TRUE
    Wed Dec 24 06:26:32 2014 : Info: ++++++++++++if ((control:Rd-Mac-Counter-Data)&&(request:Calling-Station-Id)) {
    Wed Dec 24 06:26:32 2014 : Info: expand: SELECT IFNULL(SUM(acctinputoctets - GREATEST((%{control:Rd-Start-Time} - UNIX_TIMESTAMP(acctstarttime)), 0)) + SUM(acctoutputoctets -GREATEST((%{control:Rd-Start-Time} - UNIX_TIMESTAMP(acctstarttime)), 0)),0) FROM radacct WHERE username='%{control:Rd-Mac-Tmp-Username}' AND callingstationid='%{request:Calling-Station-Id}' AND UNIX_TIMESTAMP(acctstarttime) + acctsessiontime > '%{control:Rd-Start-Time}'
    -> SELECT IFNULL(SUM(acctinputoctets - GREATEST((1419372000 - UNIX_TIMESTAMP(acctstarttime)), 0)) + SUM(acctoutputoctets -GREATEST((1419372000 - UNIX_TIMESTAMP(acctstarttime)), 0)),0) FROM radacct WHERE username='click_to_connect@localhost' AND callingstationid='00-50-56-bd-50-22' AND UNIX_TIMESTAMP(acctstarttime) + acctsessiontime > '1419372000'
    Wed Dec 24 06:26:32 2014 : Info: expand: %{sql:SELECT IFNULL(SUM(acctinputoctets - GREATEST((%{control:Rd-Start-Time} - UNIX_TIMESTAMP(acctstarttime)), 0)) + SUM(acctoutputoctets -GREATEST((%{control:Rd-Start-Time} - UNIX_TIMESTAMP(acctstarttime)), 0)),0) FROM radacct WHERE username='%{control:Rd-Mac-Tmp-Username}' AND callingstationid='%{request:Calling-Station-Id}' AND UNIX_TIMESTAMP(acctstarttime) + acctsessiontime > '%{control:Rd-Start-Time}'}
    **-> 12054573**
    Wed Dec 24 06:26:32 2014 : Info: ++++++++++++} # if ((control:Rd-Mac-Counter-Data)&&(request:Calling-Station-Id)) = noop
    Wed Dec 24 06:26:32 2014 : Debug: rlm_perl: Rd-Tmp-Avail-Data does not exist. Set it equal to 101541160
    Wed Dec 24 06:26:32 2014 : Debug: rlm_perl: Added pair **Rd-Used-Data = 12054573**
    Wed Dec 24 06:26:32 2014 : Debug: rlm_perl: Added pair Rd-Mac-Counter-Data = 1
    Wed Dec 24 06:26:32 2014 : Debug: rlm_perl: Added pair Rd-Tmp-Avail-Data = 101541160
    Wed Dec 24 06:26:32 2014 : Debug: rlm_perl: Added pair Rd-Mac-Tmp-Username = click_to_connect@localhost
    Wed Dec 24 06:26:32 2014 : Debug: rlm_perl: Added pair Rd-User-Type = device
    Wed Dec 24 06:26:32 2014 : Debug: rlm_perl: Added pair Rd-Realm = Guests
    Wed Dec 24 06:26:32 2014 : Debug: rlm_perl: Added pair Rd-Device-Owner = click_to_connect@localhost
    Wed Dec 24 06:26:32 2014 : Debug: rlm_perl: Added pair Rd-Cap-Type-Data = hard
    Wed Dec 24 06:26:32 2014 : Debug: rlm_perl: Added pair Rd-Start-Time = 1419372000
    Wed Dec 24 06:26:32 2014 : Debug: rlm_perl: Added pair Rd-Account-Disabled = 0
    Wed Dec 24 06:26:32 2014 : Debug: rlm_perl: Added pair Rd-Total-Data = 113595733
    Wed Dec 24 06:26:32 2014 : Debug: rlm_perl: Added pair Rd-Avail-Data = 101541160
    Wed Dec 24 06:26:32 2014 : Debug: rlm_perl: Added pair Rd-Reset-Type-Data = daily
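
The lookup-key mismatch described in the post above, reproduced as an added example (not part of the original post and not RADIUSdesk code). It uses SQLite in place of MySQL, constructed radacct rows and a simplified accept rule; the names `decide` and `blind_spots` are hypothetical.

```python
import sqlite3

OWNER = "click_to_connect@localhost"   # Rd-Mac-Tmp-Username in the debug log
MAC = "00-50-56-bd-50-22"              # Calling-Station-Id in the debug log
OTHER_MAC = "00-50-56-bd-50-99"        # constructed second device
CAP = 113595733                        # Rd-Total-Data from the profile

# Constructed accounting rows: owner in username, device MAC in callingstationid.
ROWS = [
    (OWNER, MAC, 4_000_000, 60_000_000),
    (OWNER, MAC, 3_000_000, 50_000_000),
    (OWNER, OTHER_MAC, 1_000_000, 9_000_000),
]

# The non-resetting counter query from the second hunk, with bound parameters.
USED_SQL = ("SELECT IFNULL(SUM(acctinputoctets)+SUM(acctoutputoctets),0) "
            "FROM radacct WHERE username=? AND callingstationid=?")

def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE radacct (username TEXT, callingstationid TEXT, "
               "acctinputoctets INTEGER, acctoutputoctets INTEGER)")
    db.executemany("INSERT INTO radacct VALUES (?,?,?,?)", ROWS)
    return db

def decide(db, username, mac, cap=CAP):
    """Simplified hard-cap check (assumption): accept while used < cap."""
    used = db.execute(USED_SQL, (username, mac)).fetchone()[0]
    return {"used": used, "avail": cap - used, "accept": used < cap}

def blind_spots(db):
    """Devices with accounting rows that a username=MAC lookup never sees."""
    q = ("SELECT callingstationid, SUM(acctinputoctets + acctoutputoctets) "
         "FROM radacct GROUP BY callingstationid "
         "HAVING SUM(username = callingstationid) = 0")
    return dict(db.execute(q).fetchall())

if __name__ == "__main__":
    db = make_db()
    print("lookup by MAC  :", decide(db, MAC, MAC))
    print("lookup by owner:", decide(db, OWNER, MAC))
    print("unseen devices :", blind_spots(db))
```

Running a query like the one in `blind_spots` against a real radacct table shows which devices a per-MAC counter keyed on the MAC as username would treat as having used nothing.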


     
  • Dirk van der Walt

    Hi Jannie,

    Thanks for reporting the issue and supplying a fix to it.

    I see you use Version 2-0 of the VM without any updates.
    The plan is to release a 2015 version of the VM soon and I will then try to ensure that if there is still a problem with the session not keeping score.

    It's been a while since I've completed that part and I see from my own documentation that the reset type is specified as dynamic.

    http://www.radiusdesk.com/technical_discussions/principle_profile#counters_that_limit_per_device

    Can you see what the result is if you change it to dynamic and specify a reset interval of 86400 (24 hours), and how that works?

    The Rd-Auto-Mac := 1 is used as a flag to automatically add the MAC from where the user connects as a device belonging to that user. Thus with MAC authentication enabled on a NAS the person should only be presented with a login page once when connecting from a device / computer. Thereafter the MAC will be added and on subsequent connections the NAS will send the MAC through and FreeRADIUS will authenticate the user.

    I'll recheck the code and see how we can actually use the Rd-Mac-Counter-Data along with the other counters (reset types other than dynamic) if they are not already supported.

    Hope I didn't ramble too much.

    Regards

     
  • Jannie Hanekom

    Jannie Hanekom - 2015-01-23

    Hi Dirk

    As the issue is not about data not resetting daily and rather with how data utilisation is determined if it's a device, I doubt the above would make a difference. In using "daily", I followed the other quite comprehensive bit of documentation you wrote on adding a click-to-connect user, so I'm quite sure it's "safe": http://www.radiusdesk.com/technical_discussions/practical_new_access_provider

    I've been using the solution with the fix above in place for about a month now, and it's been working a charm - both RADIUSdesk and the fix. I've also done minimal testing on vouchers and permanent users, and they don't seem to have been broken by the above.

    I'm popular around the office at the moment for finally getting practical, usable, low-admin BYOD access to work using RADIUSdesk.

     
  • Sheldon Magro

    Sheldon Magro - 2017-04-04

    Hi Dirk\Jannie

    Firstly I am new to RadiusDesk, only been working on it for some weeks now.

    I wanted to find out if Jannie Hanekom's fix will still apply to the latest version of RadiusDesk?

    The reason I am asking is because it seems that I am currently having the same issue. Users are able to connect, they are then able to browse and use the cap that is provided. Once the cap is reached, the user is disconnected. However, this is where my problem comes in: once the user is disconnected and tries to re-logon they are meant to be provided with an error message "Maximum daily usage exceeded", however they are not and they receive another 100MB of data to browse again.

    My setup for the 100MB is as follows:

    Rd-Cap-Type-Data = hard
    Rd-Total-Data = 10000000
    Rd-Reset-Type-Data = never
    Fall-Through = Yes

    Then the setup for the day cap:

    Rd-Cap-Type-Time = Hard
    Rd-Reset-Type-Time = Never
    Rd-Total-Time = 86400
    Fall-Through = Yes

    Please can you advise if I am doing something incorrectly or how I will be able to resolve this issue as I am a little out of ideas?

     
