- Multi-Instance Service
- Proxy based on User-Name Prefix
- Controlling User Speed based on Bandwidth Usage (Fair Usage Policy)
Multi-Instance Service
Contoh Use Case
Ketika kita ingin menggunakan 1 radius yang berisi banyak layanan dan mungkin memiliki database yang berbeda
Configuration
- Copy default configuration
$ cd /etc/freeradius/3.0/sites-available/
$ cp default service-a
$ cp default service-b
$ unlink ../sites-enabled/default
- Ganti beberapa default parameter
$ vim /etc/freeradius/3.0/sites-available/service-a
server default > server service-a
port listen auth > port = 18121
port listen acct > port = 18131
port listen auth ipv6 > port = 18121
port listen acct ipv6 > port = 18131
:%s/-sql/sql-service-a/g
$ vim /etc/freeradius/3.0/sites-available/service-b
server default > server service-b
port listen auth > port = 18122
port listen acct > port = 18132
port listen auth ipv6 > port = 18122
port listen acct ipv6 > port = 18132
:%s/-sql/sql-service-b/g
- Symlink ke enabled
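# Enable the two per-service virtual servers. The files created above in
# sites-available are named service-a / service-b (the sql-service-* names
# belong to the SQL module instances, not to the sites).
ln -s /etc/freeradius/3.0/sites-available/service-a /etc/freeradius/3.0/sites-enabled/service-a
ln -s /etc/freeradius/3.0/sites-available/service-b /etc/freeradius/3.0/sites-enabled/service-b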
- Selanjutnya copy default module SQL
$ cd /etc/freeradius/3.0/mods-available/
$ cp sql sql-service-a
$ cp sql sql-service-b
$ unlink ../mods-enabled/sql
- Ganti beberapa parameter
$ vim /etc/freeradius/3.0/mods-available/sql-service-a
sql { > sql sql-service-a {
radius_db = "radius" > radius_db = "radius_service_a"
comment group_attribute = "SQL-Group"
uncomment group_attribute = "${.:instance}-SQL-Group"
$ vim /etc/freeradius/3.0/mods-available/sql-service-b
sql { > sql sql-service-b {
radius_db = "radius" > radius_db = "radius_service_b"
comment group_attribute = "SQL-Group"
uncomment group_attribute = "${.:instance}-SQL-Group"
- Symlink ke enabled
# Enable both per-service SQL module instances by symlinking them into mods-enabled.
for inst in sql-service-a sql-service-b; do
    ln -s "/etc/freeradius/3.0/mods-available/${inst}" "/etc/freeradius/3.0/mods-enabled/${inst}"
done
Conclusion
Ketika ada Request ke port 18121 maka akan masuk service A begitupun yang service B
Proxy based on User-Name Prefix
Use Case
Ketika ingin mengarahkan user dengan prefix tertentu ke radius server tertentu
Configuration
- Edit file proxy.conf
$ vim /etc/freeradius/3.0/proxy.conf
Define home_server
# Upstream RADIUS servers that receive proxied requests.
# type = auth: only authentication traffic is proxied to these servers.
# secret: the value below is an example placeholder; use a distinct, strong
#         secret per home server and keep it in sync with that server's clients.conf.
# status_check = none: dead servers are not actively probed; the server is only
#         detected as down via response_window / zombie_period timeouts.
home_server serviceA_server {
type = auth
ipaddr = 10.10.10.10
port = 1812
secret = proxy2024
response_window = 20
zombie_period = 40
status_check = none
}
home_server serviceB_server {
type = auth
ipaddr = 10.10.10.11
port = 1812
secret = proxy2024
response_window = 20
zombie_period = 40
status_check = none
}
Define home_server_pool
# One pool per service; each pool currently holds a single home server, so
# type = fail-over has no second server to fail over to.
# The pool names (serverA_pool / serverB_pool) are what the realm definitions
# below must reference in their "pool =" line.
home_server_pool serverA_pool {
type = fail-over
home_server = serviceA_server
}
home_server_pool serverB_pool {
type = fail-over
home_server = serviceB_server
}
Define realm
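# Realms selected via Proxy-To-Realm in the authorize section.
# "pool =" must name an existing home_server_pool; the pools above are
# serverA_pool and serverB_pool (the original text referenced serviceA_pool /
# ServiceB_pool, which are not defined and would fail at startup).
# nostrip: the User-Name is forwarded unchanged (the AAA/BBB prefix is kept).
realm serviceA_realm {
	pool = serverA_pool
	nostrip
}
realm serviceB_realm {
	pool = serverB_pool
	nostrip
}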
- Edit file default sites
$ vim /etc/freeradius/3.0/sites-available/default
Pada section authorize tambahkan baris berikut ini
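authorize {
	# Route by User-Name prefix: names starting with "AAA" are proxied to
	# serviceA_realm, names starting with "BBB" to serviceB_realm.
	# Other names get no Proxy-To-Realm and continue through this section.
	if (User-Name =~ /^AAA/) {
		update control {
			Proxy-To-Realm := "serviceA_realm"
		}
	}
	elsif (User-Name =~ /^BBB/) {
		update control {
			Proxy-To-Realm := "serviceB_realm"
		}
	}
	# ... the rest of the shipped authorize section follows here ...
}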
Conclusion
Ketika ada Access-Request maka User-Name akan di filter terlebih dahulu di authorize section tersebut. Jika user memiliki “AAA” didepan nama usernya maka dia akan terlempar di realm ServiceA
Controlling User Speed based on Bandwidth Usage (Fair Usage Policy)
Use case
Limitasi kecepatan user tergantung pada pemakaian bandwidth user harian
Configuration
Create table baru, table ini akan digunakan sebagai untuk menyimpan total pemakaian bandwidth
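-- Per-user daily bandwidth ledger used by the Fair Usage Policy.
-- One row per RADIUS username; total_bw_1d is refreshed every minute by the
-- crontab entry below. The original statement was missing the closing
-- parenthesis of the column list.
CREATE TABLE radlimit (
    username        VARCHAR(255) PRIMARY KEY,
    -- daily quota in octets; the accounting policy degrades the user once
    -- total_bw_1d reaches this value
    limit_pemakaian BIGINT DEFAULT 0,
    -- octets (acctinputoctets + acctoutputoctets) accounted in the last day
    total_bw_1d     BIGINT NOT NULL DEFAULT 0,
    -- Mikrotik-Rate-Limit value pushed via CoA once the quota is exceeded
    degrade_bw_1d   VARCHAR(255),
    -- ON UPDATE CURRENT_TIMESTAMP is MySQL/MariaDB-specific
    last_updated    TIMESTAMP DEFAULT CURRENT_TIMESTAMP ON UPDATE CURRENT_TIMESTAMP
);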
Add line di /etc/freeradius/3.0/sites-available/default di section accounting paling bawah
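# Fair Usage Policy: compare the user's accounted octets for the last day with
# the per-user quota in radlimit and push the matching Mikrotik-Rate-Limit via CoA.
# NOTE(review): User-Name is supplied by the NAS/client and is embedded into the
# query text; this relies on the sql module's xlat escaping of nested expansions.
# Confirm the escaping in the sql instance config, or use %{SQL-User-Name} where
# the sql module has already processed the request.
update control {
	# total octets accounted in the last day (maintained by the crontab entry)
	Tmp-String-0 := "%{sql: select total_bw_1d from radlimit where username='%{User-Name}'}"
	# daily quota in octets
	Tmp-String-1 := "%{sql: select limit_pemakaian from radlimit where username='%{User-Name}'}"
	# degraded rate-limit applied once the quota is exceeded
	Tmp-String-2 := "%{sql: select degrade_bw_1d from radlimit where username='%{User-Name}'}"
	# the user's normal rate-limit from radreply
	Tmp-String-3 := "%{sql: select value from radreply where username='%{User-Name}' and attribute='Mikrotik-Rate-Limit'}"
}
# usage >= quota
# NOTE(review): both operands are double-quoted strings; confirm that unlang
# compares them numerically here (a lexical compare gives "9" >= "10"), and that
# a user with no radlimit row (empty Tmp-String-0/1) behaves as intended.
if ("%{expr:&control:Tmp-String-0}" >= "%{&control:Tmp-String-1}") {
	# avoid sending a CoA on every accounting packet: only when the NAS is not
	# already at the degraded rate (assumes the NAS reports Mikrotik-Rate-Limit
	# in its accounting packets -- confirm)
	if ("%{&Mikrotik-Rate-Limit}" != "%{&control:Tmp-String-2}") {
		update coa {
			Mikrotik-Rate-Limit := "%{&control:Tmp-String-2}"
		}
	}
}
else {
	# same guard for restoring the normal rate; unlang "if" conditions must be
	# parenthesised (the original "if ... != ..." lines were missing them)
	if ("%{&Mikrotik-Rate-Limit}" != "%{&control:Tmp-String-3}") {
		update coa {
			Mikrotik-Rate-Limit := "%{&control:Tmp-String-3}"
		}
	}
}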
Add crontab, ini digunakan untuk terus mengupdate informasi pemakaian bandwidth user setiap menit
# Refresh radlimit.total_bw_1d every minute from radacct (upsert keyed on username).
# NOTE(review): this connects as the MySQL root account; prefer a dedicated account
# limited to SELECT on radacct and INSERT/UPDATE on radlimit, with credentials kept in
# a protected option file rather than on the command line.
# NOTE(review): the SUM adds the full acctinputoctets/acctoutputoctets counters of every
# session updated within the last day, not only the octets transferred during that day;
# a session that started earlier contributes its whole counters -- confirm this is the
# intended "daily usage" metric.
# VALUES() inside ON DUPLICATE KEY UPDATE is deprecated in MySQL 8.0.20+ (still valid in MariaDB).
*/1 * * * * mysql -u root radius -e "INSERT INTO radlimit (username, total_bw_1d) SELECT username, SUM(acctinputoctets) + SUM(acctoutputoctets) FROM radacct WHERE acctupdatetime >= NOW() - INTERVAL 1 DAY GROUP BY username ON DUPLICATE KEY UPDATE total_bw_1d = values(total_bw_1d), last_updated = NOW();"
Akan diupdate ketika ada ide