Creating Radius Profiles with Bandwidth Limits

FreeRadius allows predefining sets of rules and assigning them to current or future users. Using the Attribute-Value pair, we can customize the rules of the authentication, authorization, and accounting.

In this guide, we’re going to create from daloRadius a Profile containing radius attributes that limit the users to 1 simultaneous session, requests accounting updates every 10 minutes and refuses connection if for users with more than 12GB used in the past 30 days.

Profiles are a great way of creating categories of users that have different limits and restrictions.

Prerequisites

Before we start, make sure that you already have a server with Freeradius + daloRadius installed.  If you don’t, you can order a VPS with both installed and have it delivered in minutes.

Step 1 – Log in DaloRadius

Open a browser and go to your DaloRadius panel.

On our servers, you can find at http://server_IP_or_domain/radpanel. The login details are displayed the first time you log into your server via SSH. It should look like this:

Radius Panel:
http://server_IP_or_domain/radpanel
User: administrator
Pass: MTUzYzllMTljMjk5OWU5ZDYyMmViZTkw

Step 2 – Open the Profiles page

Navigate to the Profiles page and click on the New Profile option. We’re going to create a profile that allows only 1 connection, so I’ve named it “OneDevice”. You can name it whatever you want.

Step 3 – Limit simultaneous sessions

One of the most important features of FreeRadius is the attribute. We can use attributes to define what a user can or cannot do, create dynamic rules to decide if a user can be authenticated.

In our example, we’re going to set the maximum simultaneous sessions to 1 for the users assigned to our new profile.

Click on the Quickly Locate attribute with autocomplete checkbox and type Simultaneous-Use

The autocomplete will suggest the Simultaneous-Use attribute. Select it and click  Add Attribute.

Set the value to the maximum number of sessions. I’m going to set it to 1. Make sure that the operator is set to “:=” and the attribute target is “check”

Step 4 – Set accounting intervals

Repeat the instructions from step 3 in order to add another attribute.  This time, we’re going to add to the profile the “Acct-Interim-Interval“.

Unlike the Simultaneous attribute, this one’s target must be set to reply. It sets the interval for accounting updates. A value of 600 means that the client app will send to the radius server accounting updates about the user every 600 seconds.

Step 5 – Limit the monthly bandwidth

For the first two rules, we have used the default Freeradius attributes. In order to set a bandwidth monthly quota, we need to create a custom attribute. This process can be used to create any custom accounting condition, using sqlcounter.

Open an SSH session to your radius server and follow the steps below.

cd /etc/freeradius/3.0/mods-enabled
ln -s ../mods-available/sqlcounter sqlcounter

Edit the sqlcounter. The settings below create a new custom attribute that checks the bandwidth for the last 30 days.

#define a new sqlcounter
sqlcounter monthly_limit{ 
 counter_name = 'Max-Total-Bandwidth'
 
#define an attribute name. we will add this in daloRadius Profile
 check_name = 'Monthly-Bandwidth'
 
 sql_module_instance = sql
 key = 'User-Name'
 dialect = mysql
 reset = 30
 
 query = "SELECT SUM(acctinputoctets) + SUM(acctoutputoctets) FROM 
          radacct WHERE UserName='%{${key}}'"
}

The sqlcounter is now defined! In the next step, we will add it to our Freeradius config file, under authorize.

vim /etc/freeradius/3.0/sites-available/default

authorize {
..
monthly_limit
..
}

service freeradius reload

The custom attribute is now ready to be added to our profile from Daloradius like we did the previous steps. In the example below, the limit is set around 12GB.

Step 6 – Create a user with the profile

When creating a new user, the profile can be selected from the Group dropdown. Now, all the attributes defined in the profile will apply to the user. Any changes done to the profile attributes will instantly apply to the member users of that group.

Troubleshooting sqlcounter

Adding a new attribute and editing the Freeradius config files might generate some errors if we’re not careful. Here are some of the more common ones:

Error: “Failed to create the pair: Unknown name”

Fix: Make sure you’ve added the newly created sqlcounter name in the default configuration file. 

Error: “Reference “${modules.sql.dialect}” not found”

Fix: This one is caused by a Freeradius bug. In order to make it go away, you must specify the dialect of the database in the sqlcouter, as we did in Step 5.

No error, but it doesn’t work

If there are no error messages but the custom sqlcounter attribute does not restrict user access, make sure that the attribute operator is set to “:=” and the target is set to “Reply”.

Please leave a comment on this post and notify us of the issues you experienced while following this tutorial and the solution if you managed to fix them. This will help other users that might also be facing the same problems as yourself.