RADIUS: Building Reply Attributes

Prerequisites

To control (rate-limit) the speed of a CPE device on your network edge, you will first require an active RADIUS server that is configured to provide AAA services to your network. If you haven't done so yet, please follow this link to learn how to configure a RADIUS server for use with Sonar.

Overview

To effectively manage your network edge policies, Sonar uses RADIUS groups that aggregate user accounts, device types, and account statuses with custom RADIUS attributes and Vendor-Specific Attributes (VSAs).

You can find an article here about configuring RADIUS groups for generic uses. This article will show the example of rate limiting for different data services.

The examples below are specific to MikroTik devices, as they use different RADIUS attributes to rate limit compared to other vendors. Please look up your vendor-specific attributes for whichever vendor's NAS device or appliance you will be using.

Be sure to set your Change Of Authority settings in your RADIUS / Sonar configuration to propagate delinquency rules appropriately.

Most attributes are in units of bits/sec.

Rate Limiting Based on Data Service

Scenario: Your ISP sells different internet packages, and you want to apply different rate limits with RADIUS policies for customers with a particular package.

Please refer to this article for building your desired data services. Once your services are defined, follow the rest of the instructions here to apply RADIUS-based rate limits.

For our example, we will use a data service named Gold Internet.

  1. Navigate to Settings > Networking > RADIUS Groups, and click on the "Create RADIUS Group" button.
  2. Give the group an appropriate name. In our example, we'll be using "Gold Internet Rate Limit".
  3. Assign a priority to the group – in the event multiple policies apply that might conflict, the lower priority number will take precedence.
  4. Ensure Fall through is enabled to continue processing rules after evaluation.
     Generally speaking, we will always want fall-through enabled so that more than one RADIUS group can affect the same RADIUS user.
  5. Set the Account Status to "All account statuses".
  6. Set Delinquency to "Current" as the rate limit will typically only apply to accounts in good standing.
  7. Select the data service to apply the RADIUS Group to. In our case, we're selecting Gold Internet.
  8. Click the "Create" button to create the new policy.

When creating a RADIUS Group, each new row can be considered an "AND" statement, while adding multiple values to a row could be considered an "OR" statement.

Now that the policy is created, we will need to specify the appropriate rate-limiting property for your NAS device. You will need to look up your vendor's particular attributes, as they're not standardized. For our example, we will tailor it to a MikroTik NAS.

  1. Click the 'Create RADIUS Group Reply Attribute' for the new group.
  2. Set the name to your vendor's rate-limiting attribute. You can look up your vendor's RADIUS VSAs for a dictionary of attributes supported by your NAS, but in our case we'll be using rx-rate.
     The attribute we will create is called rx-rate. We would typically also create a second attribute to define a tx-rate. The tx-rate will default to mirror the rx-rate attribute unless it is explicitly defined.
  3. Set the operator to "=".
     Sonar currently supports the "=", ":=", and "+=" operators, but the full list and their functions are available here.
     = Adds the item to the reply list, but only if there is no other item of the same attribute.
     := Replaces any attribute of the same name. If no attribute of that name appears in the request, then this attribute is added.
     += Adds the current attribute with value to the list of reply items.
  4. Set the value to the desired limited bit rate (in bits/sec). Consult your vendor documentation for formatting.
  5. Click the Create button.

Sonar will immediately apply the policy to the defined data services package.

You could also use this rate-limiting approach and set a reply value of 0 for delinquent accounts.
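
The following added example (not Sonar's or any RADIUS server's own code) models how the "=", ":=" and "+=" operators described above decide which value ends up in the reply when two groups match the same user. It assumes groups are evaluated in ascending priority number and that evaluation stops at a group with fall-through disabled; the "Promo Boost" group and all rate values are constructed sample data.

```python
# Added illustration: models the reply-item operators described in this article.
# Group names, priorities and rate values are constructed sample data.
from typing import NamedTuple

class Group(NamedTuple):
    name: str
    priority: int
    fall_through: bool
    replies: list  # (attribute, operator, value) tuples

def build_reply(groups):
    """Merge the reply attributes of all matching groups into one reply list.

    Assumption: groups are evaluated in ascending priority number and
    evaluation stops after the first group with fall-through disabled.
    """
    reply = []  # ordered list of (attribute, value)
    for group in sorted(groups, key=lambda g: g.priority):
        for attr, op, value in group.replies:
            present = any(a == attr for a, _ in reply)
            if op == "=":
                # Add only if no item of the same attribute exists yet.
                if not present:
                    reply.append((attr, value))
            elif op == ":=":
                # Replace any attribute of the same name, or add it.
                reply = [(a, v) for a, v in reply if a != attr]
                reply.append((attr, value))
            elif op == "+=":
                # Always append, so the attribute may repeat.
                reply.append((attr, value))
            else:
                raise ValueError(f"unsupported operator {op!r} in {group.name}")
        if not group.fall_through:
            break
    return reply

# Constructed sample: two groups that both match the same RADIUS user.
GOLD = Group("Gold Internet Rate Limit", 10, True,
             [("rx-rate", "=", "50000000"), ("tx-rate", "=", "10000000")])
PROMO = Group("Promo Boost", 20, True, [("rx-rate", "=", "100000000")])
PROMO_FORCED = PROMO._replace(replies=[("rx-rate", ":=", "100000000")])

if __name__ == "__main__":
    print(build_reply([PROMO, GOLD]))         # "=": the priority 10 value is kept
    print(build_reply([PROMO_FORCED, GOLD]))  # ":=": the priority 20 value replaces it
```

Under these assumptions, "=" preserves the value from the lower priority number, while a ":=" in a later group silently overrides it, which is worth checking when reviewing which groups can change a subscriber's limit.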

Example Attributes by Vendor

Below is a short list of vendors and their default rate shaping attribute names:

MikroTik

in bits/sec, or append "k" or "m"
  1. rx-rate
  2. tx-rate
For more information, click here.

Cisco

  1. Cisco-Avpair
    1. Example Value: lcp:interface-config#1=rate-limit output 128000 10000 10000 conform-action continue exceed-action drop
The three sets of numbers are bps, burst-normal, burst-max.
For more information, click here.

Juniper

See here and here for details.
  1. Jnpr-CoS-Parameter-Type:0
    1. Example Value: T02 100m indicates 100 Mbps downstream speed

Ubiquiti

in bits/sec
  1. WISPr-Bandwidth-Max-Up
  2. WISPr-Bandwidth-Max-Down
For more information, click here.
