gunther_01 (Premium Member, join:2004-03-29, Saybrook, IL):
AAA methods?

We have gotten fairly heavy on the "metered bandwidth" questions, scenarios, pros and cons lately.

My question is how are you doing the metering?

PPPoE?
ACL based AAA?
WPA2 enterprise based?

My problem is one that some of you will understand I would imagine. I have a network that wasn't built on "metering" clients. In a lot of ways it can, but in plenty of ways it isn't going to be easy. I think in one way or another not one site (except the 3 new ones) could be easily adapted to PPPoE. Not everything has that function on the client end for some reason. ACL based isn't available with UBNT "M" series, but WPA enterprise is. Etc. Etc.

Does anyone make a "device" that can go in-line to count the bytes (per IP) at the head end for something like this? It's just a head-scratcher from my perspective and network layout. Not that it can't be done. But easier would be nice LOL. Of course this is part of the major upgrade to a different billing system once I figure out how to implement RADIUS everywhere also. PITA I tell ya.

gunther_01 (Premium Member):
Do you ever notice once you ask a question, you tend to find the answer? Simple MT IP accounting or netflows.. Duh (smacks forehead)

Now on to interface it with billing LOL

raytaylor (Member, join:2009-07-28) to gunther_01:
I use some routing software that counts traffic from each IP on the network. It has its own internal user/password database system and web interface for customer login.
Authenticates on leaving the walled garden with a web username and password page.

gunther_01 (Premium Member, join:2004-03-29, Saybrook, IL):
This is one of those different strokes for different folks things. I have used systems of that type with free Internet hotel systems. I don't always go to a web site when on my computer. More times than not I just use my POP3 email, or log in to my server via RDP. In both of those cases I can't get anywhere until I open my web browser. It drives me nuts LOL. Plus in that case what do you do with customers who have their own VPN connections? They NEVER open a browser to authenticate to that system. (Add them to the white list, I know.) But still.

It's just not for me, but thanks for the help/suggestion.

raytaylor (Member, join:2009-07-28) to gunther_01:
Oh crap, sorry, I didn't realise you found an answer lol.

gunther_01 (Premium Member, join:2004-03-29, Saybrook, IL):
LOL. I'll take any suggestions. It's just going to cause an issue with our network and people I think.

Ideally something that can be transparent to the user, how 'bout that?

raytaylor (Member, join:2009-07-28) to gunther_01:
OK, I should have explained further then.

My system does do the web page login -but-
I have it set to automatic login for specific users at specific IP addresses, and the timeout set to 24 hours.

So if they turn on their computer, an http request is usually made by some sort of startup software before they even start using it which will automatically authenticate them, and open up all other protocols.

If they open up their email program and it hasn't already authenticated them, then it won't work until they open a web page - no login screen as it is automatic. Just needs an http request to kick start the authentication.

With a 24 hour timeout, users can also go for weeks without needing to be authenticated (auto or manual) and even just a few kbytes of any protocol every 24 hours will keep them signed in.

Software I use is Kerio WinRoute. It outputs an XML file every 5 mins which I use a PHP script to convert the information into a graph in the accounts portal based on their IP address.

mrbueno (Member, join:2002-08-03, US) to gunther_01:
Here is a nice article on Cisco IP accounting:
www.ciscopress.com/artic ··· p=764234

You don't need authentication to do accounting; as long as everyone has a static IP or range of IPs you can easily use some Perl script to do the math and create an invoice.

You can interface this data with Freeside or other billing systems rather simply and you are on to good times.

Now, if you had Mikrotik APs it's as easy as a checkbox and a RADIUS server. UBNT should really add RADIUS MAC auth and accounting.

jcremin (Member, join:2009-12-22, Siren, WI):
One more option... If everyone has a static IP, you could stick a Mikrotik router in your network as a transparent bridge, then create a queue for each IP address. The queue doesn't have to do any limiting, but it should start tracking how much data flows through the router from each IP.

mrbueno (Member, join:2002-08-03, US):
Clever. Also, Netflow compatible output can be derived from a Mikrotik device as well.

gunther_01 (Premium Member, join:2004-03-29, Saybrook, IL):
Looking towards some MT solution at this point. I am not much of a "coder" so any interfacing is going to be a challenge. Part of why I am looking at a stand-alone solution is because UBNT doesn't support RADIUS ACL and accounting. My other gear does. But I don't think UBNT wants to hear it. So whatever, I can try and re-invent the wheel LOL

joosebuck (Member, join:2010-01-23, Farmington, MO):
Radius-Manager 3 does it all. I am currently experimenting with their 'Metered' billing configurations (which are included with their base system; you can do unlimited, time-based, download/upload/total traffic based, etc.) and the versatility of the software coupled with how great Viktor is at responding to emails & requests almost forces me to recommend it. The only feature it lacks currently is automated credit card renewal, which Viktor promises will be in the next update.

Lightwave (Premium Member, join:2010-06-03, Tilbury, ON):
said by joosebuck:

Radius-Manager 3 does it all. I am currently experimenting with their 'Metered' billing configurations (which are included with their base system; you can do unlimited, time-based, download/upload/total traffic based, etc.) and the versatility of the software coupled with how great Viktor is at responding to emails & requests almost forces me to recommend it. The only feature it lacks currently is automated credit card renewal, which Viktor promises will be in the next update.

Gotta vote yes on this one.. I use it here.. great support and does most of what I want it to do.. including metered rates based on time of day (off peak) hours.. Glue in your MT routers and it's a pretty solid system. We peel out the data and feed it directly to our accounting systems for invoicing, billing etc.. Highly recommended and we only just started using it this past fall.

gunther_01 (Premium Member, join:2004-03-29, Saybrook, IL):
Well, I can't use PPPoE. RADIUS ACL isn't very accurate with data statistics from what I have read. So that leaves WPA enterprise, and/or IP accounting via NetFlow or just IP accounting from an MT box on the wired side.

Urgh. LOL

voxframe (Member, join:2010-08-02) to gunther_01:
Why no PPPoE?

gunther_01 (Premium Member, join:2004-03-29, Saybrook, IL):
Because some of my clients don't support it. And I'm not going to change them, or buy routers (and add WDS to the mix) to make it work.

BIG pain essentially

voxframe (Member, join:2010-08-02) to gunther_01:
Ahhh, touché.

gunther_01 (Premium Member, join:2004-03-29, Saybrook, IL):
Yes, it is LOL. If two certain wireless manufacturers would get with the "program" and supply WISPs with the needed tools to make their networks run (notice I didn't say "needed tools to sell me products" because that's all they seem to care about) I wouldn't be in this position LOL

/Rant.. But really, come on already. I don't really like MT, and it seems they are the only ones that actually implement any feature you could ever need to make something work. UBNT doesn't have RADIUS ACL, so I can't use that. Star doesn't have a PPPoE client (dumb as hell, "insert things I can't say on here, HERE") so I can't use that. I'm not too sure WPA enterprise is supported in everything we have, so can't use that.

That leaves a head end solution. And for it to be transparent I think it will just have to be IP accounting methods. Problem is finding something that will keep track of the bytes, and all of that. I found a couple solutions but I think they aren't what I really want. And on the other end of the spectrum it's too danged much money LOL

bumkus (Member, join:2001-12-04, Scottsbluff, NE) to gunther_01:
We spent a lot of time evaluating this and here is what we found:

1) Mikrotik netflow information is NOT reliable.
2) There are no open source solutions that will handle this process
3) Radius was not an option, as we have multiple APs with differing levels of accuracy
4) PPPoE is a giant piece of crap for wireless

In the end, we rolled our own system, with the following hardware:

1) Cisco Switch between our core and edge servers, with one port mirrored and hooked up to -
2) A dual core, 8gig RAM server with two ethernets, one for external access and the second one hooked up to the mirrored port.

The server software is using a NetFlow collection daemon, and dumps the flows into a MySQL database. The MySQL flows database is summarized into a second reports database, then the flows database is purged.

We then built an interface where customers could check on their usage, added cron jobs to email techs a daily report of everyone who is over quota and the same over quota reports to all customers who are over.

End of the month, we import the overage charges into Freeside.

So far, this methodology works, and we have been able to verify its accuracy. Hope it helps anyone else trying to figure out how to handle this.

Matt Larsen
vistabeam.com
wirelesscowboys.com
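As an added illustration of the collect, summarize, and report pipeline Matt describes (not vistabeam's own code), the script below rolls constructed NetFlow-style CSV records up into per-customer byte counts and produces the over-quota list a daily cron job would mail out; the customer subnet, sample flows and quotas are all hypothetical.

```python
"""Per-IP usage summary and over-quota report from NetFlow-style records.

Added example of the collect -> summarize -> report pipeline in the post
above, not vistabeam's own code. Flow lines are constructed here as CSV
(timestamp,src,dst,bytes); the customer subnet and quotas are hypothetical.
"""
from collections import defaultdict
import csv
import io
import ipaddress

# Assumption: customer CPE addresses live in this block; only flows with a
# customer endpoint are billed, and only to that endpoint.
CUSTOMER_NET = ipaddress.ip_network("10.20.0.0/16")
SAMPLE_FLOWS = """\
2011-01-05T10:00:01,10.20.1.10,93.184.216.34,1500000
2011-01-05T10:00:03,93.184.216.34,10.20.1.10,48000000
2011-01-05T10:00:05,10.20.1.11,198.51.100.7,200000
2011-01-05T10:00:09,198.51.100.7,10.20.1.11,3000000
2011-01-05T10:01:02,10.20.1.10,10.20.1.11,700000
2011-01-05T10:02:00,203.0.113.9,8.8.8.8,999999
"""

def summarize(flow_csv):
    """Return {customer_ip: {'in': bytes, 'out': bytes}}.

    Source in the customer net -> upload for that IP; destination in the
    customer net -> download. A customer-to-customer flow is credited to
    both ends. Flows with no customer endpoint are dropped.
    """
    totals = defaultdict(lambda: {"in": 0, "out": 0})
    for _ts, src, dst, nbytes in csv.reader(io.StringIO(flow_csv)):
        src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        if src_ip in CUSTOMER_NET:
            totals[str(src_ip)]["out"] += int(nbytes)
        if dst_ip in CUSTOMER_NET:
            totals[str(dst_ip)]["in"] += int(nbytes)
    return dict(totals)

def over_quota(totals, quota_bytes):
    """quota_bytes: {ip: allowance}. Returns [(ip, used, overage)], largest
    overage first, ready for the daily tech/customer e-mail."""
    report = []
    for ip, allowance in quota_bytes.items():
        used = totals.get(ip, {"in": 0, "out": 0})
        used_total = used["in"] + used["out"]
        if used_total > allowance:
            report.append((ip, used_total, used_total - allowance))
    return sorted(report, key=lambda r: r[2], reverse=True)
```

In a real deployment the summary step runs against the flows table before it is purged, and the report feeds the monthly overage import into the billing system.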

jcremin (Member, join:2009-12-22, Siren, WI):
said by bumkus:

PPPoE is a giant piece of crap for wireless

Just curious about this part of your post. What problems did you have that brought you to come to that conclusion?

Reason I ask is because I have been running PPPoE over wireless for almost 4 years and have virtually no problems with it. It has a few ups and downs, but overall it has given me so much flexibility that I personally consider it well worth it.

bumkus (Member, join:2001-12-04, Scottsbluff, NE):
PPPoE added complexity in our customer interactions, reduced overhead and was not compatible with our standard network design. We had one acquisition that was using PPPoE and we just finished removing it last month. Our techs were thankful to be rid of it.

FWIW, my network was not designed with PPPoE in mind, and we have a pretty wide-ranging mix of APs and CPE units. I didn't like the restrictions that it put on us and the extra work that it took. It was much easier to just figure out a better way to collect our network usage information at one point than to try and implement PPPoE.

Matt Larsen
vistabeam.com

voxframe (Member, join:2010-08-02) to gunther_01:
Different strokes for different folks.

We use PPPoE now after doing ACL and such and never looked back. But also that is because our equipment is now 100% Ubnt and MT. We used to have some Delib in the mix as well as it was PPPoE capable when we started migrating over from ACL but most just failed one after another so we standardized on Ubnt and haven't looked back.

For us PPPoE actually really simplifies things as it handles everything from authentication to accounting to grouping clients and assigning things like static addresses and QoS etc.

PPPoE also has a nasty/good habit of showing problems in your network REALLY fast. You'll see all your marginal links drop frequently as well as any firmware/vendor bugs will light up in your face. In a way it was good for us as it forced us to deal with problem links that needed attention as well as re-engineering the network layout and such things.

For the installers it makes the world spin really easily as they just associate the radio, type in the user and pass on their ticket and POOF all works and the rest is in the hands of NOC. Even if something is done on the fly, the installers have a batch of spare usernames and passwords to get a client online in a pinch and then hand them off to NOC to be re-provisioned. No chances for IP conflicts or other problems with installer error etc.

Only bug we're now facing is with MT actually. Their AAA is messed up in the fact that when the MT box is really busy and it does an accounting update, it will hand the user's total usage as a cumulative OR a fresh start. (Normally it should only be one type and that's it, but for some reason it'll start handing one or the other.) Which causes the RADIUS to now have a crapped AAA usage record for the user. Not good in today's UBB trend...
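The counter behaviour voxframe describes is something a collector can at least detect and contain rather than silently mis-bill. The added example below (not voxframe's or MikroTik's code) reconciles constructed RFC 2866 accounting records where the octet counters restart from zero mid-session; it assumes that after a restart the NAS keeps counting from zero until the next restart, and flags every such session for review.

```python
"""Reconcile RADIUS accounting octet counters that may be cumulative or
restart from zero mid-session, the MikroTik behaviour described above.

Added example, not the poster's or any vendor's code. Records are
constructed inline; attribute names follow RFC 2866. Assumption: after a
restart the NAS keeps counting from zero until the next restart.
"""

# Constructed accounting records for one session. The fourth record shows
# both counters dropping, i.e. the NAS restarted them ("fresh start").
SAMPLE_RECORDS = [
    {"Acct-Session-Id": "8100ABCD", "Acct-Status-Type": "Start",
     "Acct-Input-Octets": 0, "Acct-Output-Octets": 0},
    {"Acct-Session-Id": "8100ABCD", "Acct-Status-Type": "Interim-Update",
     "Acct-Input-Octets": 1000, "Acct-Output-Octets": 500},
    {"Acct-Session-Id": "8100ABCD", "Acct-Status-Type": "Interim-Update",
     "Acct-Input-Octets": 2500, "Acct-Output-Octets": 900},
    {"Acct-Session-Id": "8100ABCD", "Acct-Status-Type": "Interim-Update",
     "Acct-Input-Octets": 300, "Acct-Output-Octets": 200},
    {"Acct-Session-Id": "8100ABCD", "Acct-Status-Type": "Stop",
     "Acct-Input-Octets": 800, "Acct-Output-Octets": 450},
]

def reconcile(records):
    """Return {session_id: {'in', 'out', 'resets'}} in bytes.

    In a healthy session counters only grow, so each record contributes the
    delta from the previous record. A counter that goes backwards means the
    NAS restarted it: count the new value from zero and flag the session so
    an operator can review it before the overage is billed.
    """
    usage, last = {}, {}
    for rec in records:
        sid = rec["Acct-Session-Id"]
        tot = usage.setdefault(sid, {"in": 0, "out": 0, "resets": 0})
        cur = (rec["Acct-Input-Octets"], rec["Acct-Output-Octets"])
        prev = (0, 0) if rec["Acct-Status-Type"] == "Start" else last.get(sid, (0, 0))
        if cur[0] < prev[0] or cur[1] < prev[1]:
            tot["resets"] += 1
            prev = (0, 0)
        tot["in"] += cur[0] - prev[0]
        tot["out"] += cur[1] - prev[1]
        last[sid] = cur
    return usage

def last_value(records):
    """The naive 'trust the Stop record' total, for comparison."""
    final = {}
    for rec in records:
        final[rec["Acct-Session-Id"]] = {"in": rec["Acct-Input-Octets"],
                                         "out": rec["Acct-Output-Octets"]}
    return final
```

On the sample session the naive Stop-record total under-counts by a factor of four; any session with a non-zero reset count is the one to check against an independent source such as flow data before invoicing.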

joosebuck (Member, join:2010-01-23, Farmington, MO):
said by voxframe:

Different strokes for different folks.

We use PPPoE now after doing ACL and such and never looked back. But also that is because our equipment is now 100% Ubnt and MT. We used to have some Delib in the mix as well as it was PPPoE capable when we started migrating over from ACL but most just failed one after another so we standardized on Ubnt and haven't looked back.

For us PPPoE actually really simplifies things as it handles everything from authentication to accounting to grouping clients and assigning things like static addresses and QoS etc.

PPPoE also has a nasty/good habit of showing problems in your network REALLY fast. You'll see all your marginal links drop frequently as well as any firmware/vendor bugs will light up in your face. In a way it was good for us as it forced us to deal with problem links that needed attention as well as re-engineering the network layout and such things.

For the installers it makes the world spin really easily as they just associate the radio, type in the user and pass on their ticket and POOF all works and the rest is in the hands of NOC. Even if something is done on the fly, the installers have a batch of spare usernames and passwords to get a client online in a pinch and then hand them off to NOC to be re-provisioned. No chances for IP conflicts or other problems with installer error etc.

Only bug we're now facing is with MT actually. Their AAA is messed up in the fact that when the MT box is really busy and it does an accounting update, it will hand the user's total usage as a cumulative OR a fresh start. (Normally it should only be one type and that's it, but for some reason it'll start handing one or the other.) Which causes the RADIUS to now have a crapped AAA usage record for the user. Not good in today's UBB trend...

Are you me?

jcremin (Member, join:2009-12-22, Siren, WI) to voxframe:
said by voxframe:

PPPoE also has a nasty/good habit of showing problems in your network REALLY fast. You'll see all your marginal links drop frequently

While it can be a pain, I really like that too. I have some radio links with good signal that stay connected for months on end, giving me the indication that everything is fine. Sometimes those links aren't as good as they look and fail to pass data, causing the PPPoE session to drop. I always keep my list of PPPoE sessions sorted by uptime. If I see certain customers in the "under 24 hours" list a lot, I can be pretty sure they are developing a problem.
said by voxframe:

For the installers it makes the world spin really easily as they just associate the radio, type in the user and pass on their ticket and POOF all works and the rest is in the hands of NOC.

Same here again... While I'm up mounting the antenna and running the cable (after a quick site survey to make sure signals are good of course) my non-techie assistant fills out paperwork, creates a username and password through an easy web interface, and then plugs their PPPoE info into the CPE and they are done... IP addressing taken care of, speed limits set, nothing else to do except create the billing account when we get back to the office!

Obviously PPPoE isn't for everyone, but for those of us who can use it, it can sure make life easier!

voxframe (Member, join:2010-08-02) to gunther_01:
Bingo. Not meaning to preach PPPoE as it's not the best solution for everyone, it really depends on your setup and equipment. But I love it for what it does for us.

Normally for our installers everything is provisioned and programmed out of the office before it even makes it to the installers. The radios are just tagged with a basic client ticket and they just do the install and alignment (Site survey first of course) and don't need to bother with the PPPoE stuff or any of the normal setup. But it's there if they need to do some quick thinking and dancing in a special case.