Table of Contents

RADIUS: Building Reply Attributes

Alex Moore Updated by Alex Moore

Prerequisites

To control (rate-limit) the speed of a CPE device on your network edge, you will first require an active RADIUS server that is configured to provide AAA services to your network. If you haven't done so yet, please follow this link to learn how to configure a RADIUS server for use with Sonar.

Overview

To effectively manage your network edge policies, Sonar uses RADIUS groups that aggregate user accounts, device types, and account statuses with custom RADIUS attributes and/or Vendor-Specific Attributes (VSAs).

You can find an article here about configuring RADIUS groups for generic uses. This article will show the example of rate limiting for different data services.

The examples below are specific to MikroTik devices as they use different RADIUS attributes to rate limit compared to other vendors. Please look up your vendor-specific attributes for whichever vendors NAS device or appliance you will be using.

Be sure to set your Change Of Authority settings in your RADIUS / Sonar configuration in order to propagate delinquency rules appropriately.

Most attributes are in the units of bits/sec.

Rate Limiting Based on Data Service

Scenario: Your ISP sells different internet packages, and you want to apply different rate limits with RADIUS policies for customers with a particular package.

Please refer to this article for building your desired data services, once your services are defined follow the rest of the instructions here to apply RADIUS based rate limits.

For our example, we will use a data service named Gold Internet

  1. Navigate to Settings > Networking > RADIUS, and click on the CREATE button.
  1. Give the group an appropriate name. In our example we'll be using "Gold Internet Rate Limit".
  2. Assign a priority to the group - in the event multiple policies apply that might conflict, the lower priority number will take precedence.
  3. Ensure Fall through is enabled to continue processing rules after evaluation.
Generally speaking, we will always want fall through enabled so that more than one RADIUS group can affect the same RADIUS user.
  1. Set the Account Status to "All account statuses".
  2. Set Delinquency to "Current" as the rate limit will typically only apply to accounts in good standing.
  3. Select the data service to apply the RADIUS Group to. In our case, we're selecting "Gold Internet"
  4. Click the 'CREATE' button to create the new policy.

Now that the policy is created, we will need to specify the appropriate rate limiting property for your NAS device, you will need to look up your vendor's particular attributes as they're not standardized. For the sake of our example we will tailor it to a MikroTik NAS.

  1. Click the 'Create RADIUS Group Reply Attribute' for the new group.
  2. Set the name to your vendor's rate-limiting attribute. You can look up your vendor's RADIUS VSA's for a dictionary of attributes supported by your NAS, but in our case we'll be using rx-rate.
The attribute we will create is called rx-rate, we would typically also create a second attribute to define a tx-rate attribute. The tx-rate will default to mirror the rx-rate attribute unless it is explicitly defined.
  1. Set the operator to "=".
Sonar currently supports the "=", ":=", and "+=" operators, but the full list and their functions are available here.
Details
= Adds the item to the reply list, but only if there is no other item of the same attribute.

:= Replaces any attribute of the same name. If no attribute of that name appears in the request, then this attribute is added.

+= Adds the current attribute with value to the list of reply items.
  1. Set the value to the desired limited bit rate (in bits/sec). Consult your vendor documentation for formatting.
  2. Click the Create button.

Sonar will immediately apply the policy to the defined data services package.

You could also use this rate-limiting approach and set a reply value of 0 for delinquent accounts.

Example Attributes by Vendor

Below is a short list of vendors and their default rate shaping attribute names:

Vendor

Attribute(s)

Notes

MikroTik

rx-rate, tx-rate

in bits/sec, or append k or m

Cisco

Cisco-Avpair

Example Value:

lcp:interface-config#1=rate-limit output 128000 10000 10000 conform-action continue exceed-action drop

The three sets of numbers are bps, burst-normal, burst-max.

Ubiquiti

WISPr-Bandwidth-Max-Up

WISPr-Bandwidth-Max-Down

in bits/sec

How did we do?

Setting Up CoA Proxy

Data Usage Available Methods

Contact