Solved: Freeradius rate-limit management per user or group for Cisco router

e066377@yahoo.com · ‎10-05-2018

Hi communit

The ISP company that i provide software has Cisco and Mikrotik routers.

Users can buy limitless packets with a certain upload/download rate or fair usage packets with a higher speed until their quota is over then lower speed for monthly period.

For AAA we use freeradius 3.x, and for Mikrotik just setting the Mikrotik-Rate-Limit as uolpadK(M)/downloadK(M) is sufficent, does Cisco has such AVPs for managing rate-limit per user or group?

Regards

balaji.bandi · ‎10-05-2018

"lcp:interface-config#1=rate-limit output 128000 10000 10000 conform-action continue exceed-action drop";
There are 3 numbers, if one is for download rate and one for upload then what does the third mean?

This Committed Access Rate 1. bps 2. burst-normal 3. burst-max

Do we need to create different groups for defferent speeds?
Is just adding groıps with attribute Cisco-Avpair with value of above long string enough for Cisco router to get requested rate?

you can create Many groups if you like to, and put the user in that group, so he get based on the policies.

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

View solution in original post

balaji.bandi · ‎10-05-2018

Depends on how you design, some of the scripts can manually can be created, as an ISP myself i did many scripts with Freeradius, its good to modify as per your requirement.

have you looked the below example :

http://lists.freeradius.org/pipermail/freeradius-users/2007-January/015493.html

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

e066377@yahoo.com · ‎10-05-2018

Thank balaji.

Yes i have seen that example, but didnt understand the meaning of numbers in
"lcp:interface-config#1=rate-limit output 128000 10000 10000 conform-action continue exceed-action drop";
There are 3 numbers, if one is for download rate and one for upload then what does the third mean?

Do we need to create different groups for defferent speeds?
Is just adding groıps with attribute Cisco-Avpair with value of above long string enough for Cisco router to get requested rate?

If we need to add different groups for different rates then we need to change group of users when fair usega quota is over, this makes it difficult to write a fair usage policy in feeradius with unlang code becuase sql data cannot be updated by unlang. If setting rate-limit per user dynamically with Mikrotik router is possible then it should be for Cisco too.

balaji.bandi · ‎10-05-2018

"lcp:interface-config#1=rate-limit output 128000 10000 10000 conform-action continue exceed-action drop";
There are 3 numbers, if one is for download rate and one for upload then what does the third mean?

This Committed Access Rate 1. bps 2. burst-normal 3. burst-max

Do we need to create different groups for defferent speeds?
Is just adding groıps with attribute Cisco-Avpair with value of above long string enough for Cisco router to get requested rate?

you can create Many groups if you like to, and put the user in that group, so he get based on the policies.

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

e066377@yahoo.com · ‎10-05-2018

@balaji.bandi wrote:

"lcp:interface-config#1=rate-limit output 128000 10000 10000 conform-action continue exceed-action drop";
There are 3 numbers, if one is for download rate and one for upload then what does the third mean?

This Committed Access Rate 1. bps 2. burst-normal 3. burst-max

Do we need to create different groups for defferent speeds?
Is just adding groıps with attribute Cisco-Avpair with value of above long string enough for Cisco router to get requested rate?

you can create Many groups if you like to, and put the user in that group, so he get based on the policies.

Thanks @balaji.bandi.

I think in ""lcp:interface-config#1=rate-limit output 128000 10000 10000 conform-action continue exceed-action drop";"

output should mean download (or upload?) for the user, so we need another entry for input like:

"lcp:interface-config#1=rate-limit input 4000 2000 2000 conform-action continue exceed-action drop"; for upload rate-limit. Am i wrong?

And I understand that i need to add a new radius group for each different rate that ISP company wants to sell.

Regards.

a.arslan

e066377@yahoo.com · ‎10-05-2018

I may not need groups,
I just need to update reply in my rate and fair usage policy script as

update reply {
        &User-Name := "%{User-Name}
        &Cisco-Avpair = 'lcp:interface-config#1=rate-limit output bps burst-normal burst-max conform-action continue exceed-action drop'
        &Cisco-Avpair += 'lcp:interface-config#2=rate-limit input bps burst-normal burst-max conform-action continue exceed-action drop'
}

I am just not sure about lcp:interface-config#1 thing, if its number should increase or be same or it dpends on the configuration of the cisco router.

e066377@yahoo.com · ‎10-05-2018

I may not need groups

Updating reply item in my rate and fair usage policy unlang code as:

update reply {
        &User-Name := "%{User-Name}
        &Cisco-Avpair = 'lcp:interface-config#1=rate-limit output bps burst-normal burst-max conform-action continue exceed-action drop'
        &Cisco-Avpair += 'lcp:interface-config#2=rate-limit input bps burst-normal burst-max conform-action continue exceed-action drop'
}

should do the work, just not sure about lcp:interface-config#1, ,if the number should increase or be the same for upload pair.

Any suggestion and corrections will be greatly appreciated.