cpelect
Frequent Visitor
Topic Author
Posts: 50
Joined: Wed Aug 30, 2006 12:17 am

Hotspot user profiles and freeradius server.

Sat Sep 15, 2007 3:11 am

How can you rate limit a Hotspot using a radius server? Need to know the Key Word and what table/tables we would have to enter the information into.
Thanks
 
icemanZ
just joined
Posts: 18
Joined: Thu Sep 14, 2006 2:29 am
Location: montreal, Canada

Re: Hotspot user profiles and freeradius server.

Sun Sep 16, 2007 11:11 pm

Hi,

Yes, it is possible. In the reply from the radius server (reply attributes), you can specify the rate limits for the clients.

Here is what I use:
Ascend-Data-Rate=512000,Ascend-Xmit-Rate=1100000

This limits client to 1Mb download and 512k upload speeds. It works very well.

Regards,
Robert Macri
 
cpelect
Frequent Visitor
Topic Author
Posts: 50
Joined: Wed Aug 30, 2006 12:17 am

Re: Hotspot user profiles and freeradius server.

Mon Sep 17, 2007 12:31 am

Is it then possible to make profiles for different plans? Or will this change be across the board? If so, how do we apply those changes?
Thank you Jay
 
krigevr
Member Candidate
Posts: 155
Joined: Mon Aug 20, 2007 7:02 pm
Location: South Africa

Re: Hotspot user profiles and freeradius server.

Mon Sep 17, 2007 1:45 am

Use Groups.

In your Radius database in SQL, under the 'radgroupreply' table,
you'll see your groups listed. Just add your different acct-ascend entries with their respective values for each group or pool that you want to serve.
 
sergejs
MikroTik Support
Posts: 6697
Joined: Thu Mar 31, 2005 3:33 pm
Location: Riga, Latvia

Re: Hotspot user profiles and freeradius server.

Mon Sep 17, 2007 3:17 pm

cpelect, you may use MikroTik-Rate-Limit attribute to set bandwidth limit, if you need burst too.
 
cpelect
Frequent Visitor
Topic Author
Posts: 50
Joined: Wed Aug 30, 2006 12:17 am

Re: Hotspot user profiles and freeradius server.

Mon Sep 17, 2007 10:23 pm

Not having much luck. Everything I've tried to limit a user's connection doesn't seem to work. If the user logs in they can surf the web just fine. Yet as soon as they attempt to download a file or run a bandwidth test the server appears to just reset the connection. But if they try to surf the web again, it all works just fine. Although the connection itself isn't very stable.

I've tried various things in different tables in the database. I must be missing something that is causing it to error out.
INSERT INTO radcheck VALUES (NULL, 'test', 'user-password', '==', 'test');
INSERT INTO radreply VALUES (NULL, 'test', 'Framed-Pool', '==', 'dhcp_pool2');
INSERT INTO radreply VALUES (NULL, 'test', 'MikroTik-Rate-Limit', '==', '512k');

INSERT INTO radcheck VALUES (NULL, 'test', 'user-password', '==', 'test');
INSERT INTO radreply VALUES (NULL, 'test', 'Framed-Pool', '==', 'dhcp_pool2');
INSERT INTO radreply VALUES (NULL, 'test', 'Ascend-Data-Rate', '==', '512000');
INSERT INTO radreply VALUES (NULL, 'test', 'Ascend-Xmit-Rate', '==', '512000');

INSERT INTO radcheck VALUES (NULL, 'test', 'user-password', '==', 'test');
INSERT INTO usergroup VALUES (NULL, 'test', 'Home');
INSERT INTO radgroupreply VALUES (NULL, 'Home', 'Framed-Pool', '==', 'dhcp_pool2', '1');
INSERT INTO radgroupreply VALUES (NULL, 'Home', 'Ascend-Data-Rate', '==', '512000', '1');
INSERT INTO radgroupreply VALUES (NULL, 'Home', 'Ascend-Xmit-Rate', '==', '512000', '1');

INSERT INTO radcheck VALUES (NULL, 'test', 'user-password', '==', 'test');
INSERT INTO usergroup VALUES (NULL, 'test', 'Home');
INSERT INTO radgroupreply VALUES (NULL, 'Home', 'Framed-Pool', '==', 'dhcp_pool2', '1');
INSERT INTO radgroupreply VALUES (NULL, 'Home', 'MikroTik-Rate-Limit', '==', '512k', '1');

These are all the SQL statements I've run trying to get this to work. Before I ran each one I made sure to remove all entries from all tables with the "test" user name as well as the group entry.

~Sean
 
cpelect
Frequent Visitor
Topic Author
Posts: 50
Joined: Wed Aug 30, 2006 12:17 am

Re: Hotspot user profiles and freeradius server.

Wed Sep 19, 2007 12:07 am

In Hotspot you can create user profiles. Would it be possible to create two different profiles, one called Home and one called Business, and each have their own rate limits? Then by using Radius be able to have it so that when a user logs in they will be forced to use one of these profiles?

For example:

- Bob logs in to the Hotspot server
- Radius accepts UserName and Password
- Radius responds by sending information back to the MT router telling it that Bob's account is to use the "Home" profile.

- Company XYZ logs in to the Hotspot server
- Radius accepts UserName and Password
- Radius responds by sending information back to the MT router telling it that Company XYZ's account is to use the "Business" profile.

If this is possible, what entries must be made to the MySQL tables and what attribute word must be used to call the profile to apply to the user?

Also, still looking for a response to my previous post.

~Sean
 
krigevr
Member Candidate
Posts: 155
Joined: Mon Aug 20, 2007 7:02 pm
Location: South Africa

Re: Hotspot user profiles and freeradius server.

Fri Sep 21, 2007 9:05 am

Hey Sean

As far as I can see, the Third of your tries (of code in your previous post) is as close to what I have as can be, except I only have the Ascend-Data-Rate attribute in my Radgroupreply table, no Xmit rate. And it works perfectly.

Also, just make sure you can Telnet to your Auth Server's Radius port from your MT box.
i.e. See if it actually responds.
You can also try running the Radius daemon in Debug mode, by starting the daemon with the command "radiusd -x" or for verbose mode, "radiusd -X"
It'll dump everything on screen, and if the radius server does indeed receive your request, it'll show you any errors in there. Post any errors in reply, because I've encountered quite a few in setting up mine!! Took me 4 days. Will see if I can try and help.

As for Radius responding with a hotspot Profile name to use - I don't know if it is possible. I would imagine it is, but yes, I'd also like to know what attribute/value to set.
But I do something similar with my normal ppp Radius requests - why not just let radius handle that too? Quite simply, each user is put in a group, Hotspot profiles each have their own group, and just add your attributes in Radgroupreply - Including your throughput limit and time limit attributes.

Hope that helps.
Good luck!

-Krige
 
krigevr
Member Candidate
Posts: 155
Joined: Mon Aug 20, 2007 7:02 pm
Location: South Africa

Re: Hotspot user profiles and freeradius server.

Fri Sep 21, 2007 9:13 am

Forgot to mention -

When running Radius in Debug mode (radiusd -x)
you will see the machine dumping the "Access-Request received from..." stuff,
as well as the "Access Accept" list of attributes that it sends back to the MT box.
Check if the attributes you have specified are listed in the Access-Accept packet.

That's how I troubleshooted my Radius.
Good luck!

-Krige
 
cpelect
Frequent Visitor
Topic Author
Posts: 50
Joined: Wed Aug 30, 2006 12:17 am

Re: Hotspot user profiles and freeradius server.

Mon Sep 24, 2007 7:58 pm

Ok, this is what the Radius Server sees when the test account logs in.

rad_recv: Accounting-Request packet from host 64.114.71.1:34381, id=69, length=144
Acct-Status-Type = Start
NAS-Port-Type = Wireless-802.11
Calling-Station-Id = "00:19:7E:70:B0:90"
Called-Station-Id = "server1"
NAS-Port-Id = "ether4"
User-Name = "test"
NAS-Port = 2150629468
Acct-Session-Id = "8030005c"
Framed-IP-Address = 10.10.11.36
Mikrotik-Attr-10 = 0x0a0a0b22
Event-Timestamp = "Sep 24 2007 09:39:16 PDT"
NAS-Identifier = "CP_Telus_MT_BLSS"
NAS-IP-Address = 64.114.*.*
Acct-Delay-Time = 0
rad_lowerpair: User-Name now 'test'
rad_rmspace_pair: User-Name now 'test'
Processing the preacct section of radiusd.conf
modcall: entering group preacct for request 24
rlm_acct_unique: WARNING: Attribute Client-IP-Address was not found in request, unique ID MAY be inconsistent
rlm_acct_unique: Hashing 'NAS-Port = 2150629468,,NAS-IP-Address = 64.114.71.1,Acct-Session-Id = "8030005c",User-Name = "test"'
rlm_acct_unique: Acct-Unique-Session-ID = "c5bff48f5d16e251".
modcall[preacct]: module "acct_unique" returns ok for request 24
modcall: group preacct returns ok for request 24
Processing the accounting section of radiusd.conf
modcall: entering group accounting for request 24
radius_xlat: 'test'
rlm_sql (sql): sql_set_user escaped user --> 'test'
WARNING: Attempt to use unknown xlat function, or non-existent attribute in string %{Connect-Info}
radius_xlat: 'INSERT into radacct (AcctSessionId, AcctUniqueId, UserName, Realm, NASIPAddress, NASPortId, NASPortType, AcctStartTime, AcctStopTime, AcctSessionTime, AcctAuthentic, ConnectInfo_start, ConnectInfo_stop, AcctInputOctets, AcctOutputOctets, CalledStationId, CallingStationId, AcctTerminateCause, ServiceType, FramedProtocol, FramedIPAddress, AcctStartDelay, AcctStopDelay) values('8030005c', 'c5bff48f5d16e251', 'test', '', '64.114.71.1', '2150629468', 'Wireless-802.11', '2007-09-24 10:49:35', '0', '0', '', '', '', '0', '0', 'server1', '00:19:7E:70:B0:90', '', '', '', '10.10.11.36', '0', '0')'
rlm_sql (sql): Reserving sql socket id: 3
rlm_sql (sql): Released sql socket id: 3
modcall[accounting]: module "sql" returns ok for request 24
modcall: group accounting returns ok for request 24
Sending Accounting-Response of id 69 to 64.114.71.1:34381
Finished request 24
Going to the next request
Waking up in 6 seconds...
--- Walking the entire request list ---
Cleaning up request 23 ID 68 with timestamp 46f7f8af
Cleaning up request 24 ID 69 with timestamp 46f7f8af
Nothing to do. Sleeping until we see a request.

There are two warnings, but the first one doesn't seem to be the issue since all users who log into the system are generating this warning. The second warning though may be the problem, though I have no idea what this warning actually means.

The rate limiting does seem to be working though, the only issue is the MT box keeps resetting the connection of the test account. Bandwidth testing sites can never seem to finish their tests, and when I go to download a driver from nvidia.com I get the error:

Internet Explorer cannot download ...<driver_file_name>
The connection with the server was reset.

Any suggestions?

~Sean
 
krigevr
Member Candidate
Posts: 155
Joined: Mon Aug 20, 2007 7:02 pm
Location: South Africa

Re: Hotspot user profiles and freeradius server.

Tue Sep 25, 2007 12:43 am

Hmmm. Quite frankly, I'm stumped.

All you pasted here was Accounting Request and Response -
So I assume Access Request and Accept/Reject works?

But, as far as I read your dump - the Acct_Unique module is returning OK,
even with that error, so I guess it's non-fatal.
Do you have any entries of the xlat module in radiusd.conf? If so, where?
I don't use that module anywhere, but my accounting works fine.
The entries I have in Radiusd.conf under accounting is:
detail , acct_unique , unix , radutmp , sql .

I'm too tired to really think right now, but perhaps that shred of information might help.

I'll post again in the morning.

-Krige
 
cpelect
Frequent Visitor
Topic Author
Posts: 50
Joined: Wed Aug 30, 2006 12:17 am

Re: Hotspot user profiles and freeradius server.

Tue Sep 25, 2007 12:58 am

Yes, Accept/Reject works fine. The test account is able to log in and surf the internet just fine. The issue is when attempting to download a file.

I checked the radiusd.conf file and I don't see any entries for the xlat module. I'm using this radiusd.conf I found on the Mikrotik wiki on my Radius server: http://www.ubermail.co.nz/mikrotik/radiusd.conf. I haven't had any troubles using this configuration until now when trying to get this bandwidth limiting to work.

~Sean
 
krigevr
Member Candidate
Posts: 155
Joined: Mon Aug 20, 2007 7:02 pm
Location: South Africa

Re: Hotspot user profiles and freeradius server.

Tue Sep 25, 2007 12:45 pm

Okay, so Radiusd.conf is fine - No probs there.

In my case, the Interim-Update feature of Mikrotik has been giving me some issues, but I haven't really paid any attention to sorting it out. For the moment, I've just disabled Interim-Update under PPP/AAA. Though I don't know how your accounting requests/responses can kill a link (or affect your data throughput) just like your car's speedometer doesn't affect how fast the car can drive. (Not quite the same thing, I know, but you get the idea...)

So I'm thinking it's an attribute in Access-Accept that may have syntax that's confuzzling MT. Run radiusd -x again, and post the output of an Access-Accept packet.
I'll compare it with mine and take it from there.

Cheers!
-Krige
 
cpelect
Frequent Visitor
Topic Author
Posts: 50
Joined: Wed Aug 30, 2006 12:17 am

Re: Hotspot user profiles and freeradius server.

Tue Sep 25, 2007 8:49 pm

Ok, I think I have the information you are looking for.

rad_recv: Access-Request packet from host 64.114.71.1:34511, id=96, length=198
NAS-Port-Type = Wireless-802.11
Calling-Station-Id = "00:1B:24:37:92:BC"
Called-Station-Id = "server1"
NAS-Port-Id = "ether4"
User-Name = "test"
NAS-Port = 2150629475
Acct-Session-Id = "80300063"
Framed-IP-Address = 10.10.11.190
Mikrotik-Attr-10 = 0x0a0a0bbe
CHAP-Challenge = "1\270\316uM\326\335\350\202\313\2356\005\210\261\006"
CHAP-Password = "[\004\030+H\022\324\210\025*\003\033t\266\264\037\230"
Service-Type = 1
Vendor-14122-Attr-3 = 0x687474703a2f2f302e302e302e302f6c6f676f7574
NAS-Identifier = "CP_Telus_MT_BLSS"
NAS-IP-Address = 64.114.71.1
rlm_chap: Setting 'Auth-Type := CHAP'
rlm_sql (sql): Reserving sql socket id: 1
rlm_sql (sql): Released sql socket id: 1
rlm_chap: login attempt by "test" with CHAP password
rlm_chap: Using clear text password test for user test authentication.
rlm_chap: chap user test authenticated succesfully
rlm_sql (sql): Processing sql_postauth
rlm_sql (sql): Reserving sql socket id: 0
rlm_sql (sql): Released sql socket id: 0
Sending Access-Accept of id 96 to 64.114.71.1:34511
Framed-Pool == "dhcp_pool2"
Ascend-Data-Rate == 512000

rad_recv: Accounting-Request packet from host 64.114.71.1:34511, id=97, length=144
Acct-Status-Type = Start
NAS-Port-Type = Wireless-802.11
Calling-Station-Id = "00:1B:24:37:92:BC"
Called-Station-Id = "server1"
NAS-Port-Id = "ether4"
User-Name = "test"
NAS-Port = 2150629475
Acct-Session-Id = "80300063"
Framed-IP-Address = 10.10.11.191
Mikrotik-Attr-10 = 0x0a0a0bbe
Event-Timestamp = "Sep 25 2007 10:46:03 PDT"
NAS-Identifier = "CP_Telus_MT_BLSS"
NAS-IP-Address = 64.114.71.1
Acct-Delay-Time = 0
rlm_sql (sql): Reserving sql socket id: 4
rlm_sql (sql): Released sql socket id: 4

Just looking at it myself nothing appears to be wrong. I've also noticed that when using the speed test provided by speedtest.net the download component works flawlessly and caps out at 512k, which is expected. The upload component of the test never completes successfully, seeming to lock up at random times.

~Sean
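
The check suggested earlier in the thread (confirm that the reply attributes you configured actually appear in the Access-Accept) can be scripted against `radiusd -X` output. This is an added example, not code from any poster: the function names are hypothetical, the log is an excerpt of the dump above, and `EXPECTED` is an assumption for illustration (the three Home-group attributes from the third set of INSERT statements).

```python
import re

# Excerpt of the `radiusd -X` output posted above. Real output indents the
# attribute lines with a tab; the parser accepts either form.
DEBUG_LOG = '''\
rlm_chap: chap user test authenticated succesfully
rlm_sql (sql): Processing sql_postauth
Sending Access-Accept of id 96 to 64.114.71.1:34511
Framed-Pool == "dhcp_pool2"
Ascend-Data-Rate == 512000

rad_recv: Accounting-Request packet from host 64.114.71.1:34511, id=97, length=144
Acct-Status-Type = Start
'''

# Assumed for illustration: the 'Home' group reply attributes from the
# third set of INSERT statements in the thread.
EXPECTED = ["Framed-Pool", "Ascend-Data-Rate", "Ascend-Xmit-Rate"]

HEADER = re.compile(r"^Sending Access-Accept of id (\d+) to (\S+)")
ATTR = re.compile(r"^\s*([A-Za-z0-9-]+)\s*(==|:=|\+=|=)\s*(.+?)\s*$")


def access_accepts(log):
    """Return one dict per Access-Accept: packet id, NAS address, attributes."""
    packets, current = [], None
    for line in log.splitlines():
        head = HEADER.match(line)
        if head:
            current = {"id": int(head.group(1)), "nas": head.group(2), "attrs": {}}
            packets.append(current)
            continue
        attr = ATTR.match(line) if current else None
        if attr:
            name, _op, value = attr.groups()
            # Compare names case-insensitively (MikroTik- vs Mikrotik-).
            current["attrs"][name.lower()] = value.strip('"')
        else:
            current = None  # any non-attribute line ends the packet
    return packets


def missing_attributes(packet, expected):
    """Names from `expected` that the Access-Accept did not carry."""
    return [n for n in expected if n.lower() not in packet["attrs"]]


if __name__ == "__main__":
    for pkt in access_accepts(DEBUG_LOG):
        print(pkt["id"], pkt["nas"], pkt["attrs"],
              "missing:", missing_attributes(pkt, EXPECTED))
```

Attributes that follow the Accounting-Request header are ignored, so only what the server actually sent back in the Access-Accept is compared against the expected list.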
 
cpelect
Frequent Visitor
Topic Author
Posts: 50
Joined: Wed Aug 30, 2006 12:17 am

Re: Hotspot user profiles and freeradius server.

Wed Sep 26, 2007 12:17 am

I think the problem has been found, namely the laptop I was using as a test machine. I tried out the test account on two other machines and it works without any problems. Thanks for all the help you offered.

~Sean
 
krigevr
Member Candidate
Posts: 155
Joined: Mon Aug 20, 2007 7:02 pm
Location: South Africa

Re: Hotspot user profiles and freeradius server.

Wed Sep 26, 2007 10:08 am

Haha! Good thing you tested other machines,
because I was completely stumped.

A while ago I experienced a similar error with wireless clients.
But the common denominator was one of my wireless relay stations - a very powerful,
and very costly one. I ended up replacing the entire electronics assembly.
Seems to be working now. Should probably have thought of that one earlier.

Pleasure trying to help.
-Krige
 
cpelect
Frequent Visitor
Topic Author
Posts: 50
Joined: Wed Aug 30, 2006 12:17 am

Re: Hotspot user profiles and freeradius server.

Wed Sep 26, 2007 5:13 pm

At least this will provide good information on how to troubleshoot these types of problems in the future. We appreciated your assistance and thank you again for your time.
Jay and Sean