Attempt to re-authenticate at the end of a session

Gunther Mayer gunther.mayer at googlemail.com
Wed Mar 26 21:00:06 UTC 2008 

wlan at mac.com wrote:
> You can indeed change session parameters in a CoA too. That method is 
> preferred over using acctupdate if you can do it (meaning, your chilli 
> isn't behind a NAT or has port forwarding for RADIUS).
Ah, seeing that I'm currently implementing a centralised VPN setup for 
all our nas's perhaps I should aim to use CoA rather.

But the challenge still remains and the more I think about it the more 
complex it gets. Let me elaborate: A given user gets a certain free 
daily portion of Internet but also purchased some Internet. The free 
traffic must be normal but the paid for traffic prioritised (QoS) so 
that the user is getting value for money.

How do I, without interrupting the session, fire an event (a QoS script) 
at the time when the free portion has been spent and the paid for 
portion takes over?

My current thoughts:

    * coa packet sometime before the "free" session times out, patch
      chilli to let me fire an event upon CoA. Gotcha: easy to do with
      time based but really tricky with volume accounting (how do you
      know when the user will run out given a max-octets?)
    * the original subject: patch chilli so that upon logout it will
      send accounting stop, followed immediately by a re-authentication
      attempt (with timeout of, say, 10 seconds) and only if
      re-authentication unsuccessful place the user back into the
      unauthenticated(dnat) state. Re-authentication would trigger a
      conup which can then do the QoS. Minor gotcha: users may get an
      extra few seconds of Internet should the radius server be slow to
      react (but perhaps re-authentication can be flagged by radius
      during session initialisation?)

Any other ideas?
>
> also, check out:
> http://coova.org/phpBB3/viewtopic.php?f=4&t=642&p=2501#p2501
>
> chilli without a tun/tap interface... what? :)
Interesting... though not something we would use anytime soon.

Gunther
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.coova.org/pipermail/chilli/attachments/20080326/f97728d6/attachment.htm>

More information about the Chilli mailing list