gunther_01 Premium Member join:2004-03-29 Saybrook, IL |
AAA methods?We have gotten fairly heavy on the "metered bandwidth" questions, scenarios, pro's and con's lately.
My question is how are you doing the metering?
PPPoE? ACL based AAA? WPA2 enterprise based?
My problem is one that some of you will understand I would imagine. I have a network that wasn't built on "metering" clients. In a lot of ways it can, but in plenty of ways it isn't going to be easy. I think in one way or another not one site (except the 3 new ones) could be easily adapted to PPPoE. Not everything has that function on the client end for some reason. ACL based isn't available with UBNT "M" series, but WPA enterprise is. Etc. Etc.
Does anyone make a "device" that can go in-line to count the bytes (per IP) at the head end for something like this? It's just a head scratch-er from my perspective and network layout. Not that it can't be done. But easier would be nice LOL. Of course this is part of the major upgrade to a different billing system once I figure out how to implement radius everywhere also. PITA I tell ya. |
|
gunther_01 |
Do you ever notice once you ask a question, you tend to find the answer? Simple MT IP accounting or netflows.. Duh (smacks forehead)
Now on to interface it with billing LOL |
|
|
to gunther_01
I use some routing software that counts traffic from each IP on the network. It has its own internal user/password databse system and web interface for customer login. Authenticates on leaving the walled garden with a web username and password page. |
|
gunther_01 Premium Member join:2004-03-29 Saybrook, IL |
This is one of those different strokes for different folks things. I have used systems of that type with free Internet hotel systems. I don't always go to a web site when on my computer. More times than not I just use my PoP3 email, or login to my server via RDP.. In both of those cases I can't get any where until I open my web browser. It drives me nuts LOL. Plus in that case what do you do with customers who have their own VPN connections. NEVER open a browser to authenticate to that system. (add them to the white list I know) But still.
It's just not for me, but thanks for the help/suggestion. |
|
|
to gunther_01
oh crap sorry i didnt realise you found an answer lol. |
|
gunther_01 Premium Member join:2004-03-29 Saybrook, IL |
LOL. I'll take any suggestions. It's just going to cause an issue with our network and people I think. Ideally something that can be transparent to the user, how bout' that? |
|
|
|
to gunther_01
ok i should have explained further then
My system does do the web page login -but- I have it set to automatic login for specific users at specific ip addresses, and the timeout set to 24 hours.
So if they turn on their computer, an http request is usually made by some sort of startup software before they even start using it which will automatically authenticate them, and open up all other protocols.
If they open up their email program and it hasnt already authenticated them, then it wont work untill they open a web page - no login screen as it is automatic. Just needs an http request to kick start the authentication.
With a 24 hour timeout, users can also go for weeks without needing to be authenticated (auto or manual) and even just a few kbytes of any protocol every 24 hours will keep them signed in.
Software I use is kerio winroute. It outputs an xml file every 5 mins which i use a php script to convert the information into a graph in the accounts portal based on their ip address. |
|
|
to gunther_01
Here is a nice article on Cisco IP accounting: » www.ciscopress.com/artic ··· p=764234You don't need authentication to do accounting, as long as everyone has a static IP or range of IPs you can easily use some perl script to do the math and create an invoice. You can interface this data with Freeside or other billing systems rather simply and you are on to good times. Now, if you had Mikrotik APs it's as easily as a checkbox and a RADIUS server. UBNT should really add RADIUS MAC auth and accounting. |
|
|
One more option... If everyone has a static ip, you could stick a Mikrotik router in your network as a transparent bridge, then create a queue for each IP address. The queue doesn't have to do any limiting, but it should start tracking how much data flows through the router from each IP. |
|
|
Clever. Also, Netflow compatible output can be derived from a Mikrotik device as well. |
|
gunther_01 Premium Member join:2004-03-29 Saybrook, IL |
Looking towards some MT solution at this point. I am not much of a "coder" so any interfacing is going to be a challenge. Part of why I am looking at a stand alone solution is because UBNT doesn't support Radius ACL and accounting. My other gear does. But I don't think UBNT wants to here it. So whatever, I can try and re-invent the wheel LOL |
|
|
Radius-Manager 3 does it all. I am currently experimenting with their 'Metered' billing configurations (which are included with their base system. you can do unlimited, time-based, download/upload/total traffic based, etc) and the versatility of the software coupled with how great Viktor is to responding to emails & requests almost forces me to recommend it. The only feature it lacks currently is automated credit card renewal, which Viktor promises will be in the next update. |
|
Lightwave Premium Member join:2010-06-03 Tilbury, ON |
said by joosebuck:Radius-Manager 3 does it all. I am currently experimenting with their 'Metered' billing configurations (which are included with their base system. you can do unlimited, time-based, download/upload/total traffic based, etc) and the versatility of the software coupled with how great Viktor is to responding to emails & requests almost forces me to recommend it. The only feature it lacks currently is automated credit card renewal, which Viktor promises will be in the next update. Gotta vote yes on this one.. I use it here.. great support and does most of what I want it to do.. including metered rates based on TimeofDay (off peak) hours.. Glue in your MT routers and its a pretty solid system. We peel out the data and feed it directly to our accounting systems for invoicing, billing etc.. Highly recommended and we only just started using it this past fall. |
|
gunther_01 Premium Member join:2004-03-29 Saybrook, IL |
Well, I can't use PPPoE. Radius ACL isn't very accurate from what I have read with data statistics. So that leaves WPA enterprise, and or, IP accounting via Netflows or just IP accounting from an MT box on the wired side.
Urgh. LOL |
|
|
to gunther_01
Why no PPPoE? |
|
gunther_01 Premium Member join:2004-03-29 Saybrook, IL |
Because some of my clients don't support it. And I'm not going to change them, or buy routers (and add WDS to the mix) to make it work.
BIG pain essentialy |
|
|
to gunther_01
Ahhh touchee |
|
gunther_01 Premium Member join:2004-03-29 Saybrook, IL |
Yes, it is LOL. If two certain wireless manufacturers would get with the "program" and supply WISP's with the needed tools to make their networks run (notice I didn't say "needed tools to sell me products" because that's all they seem to care about) I wouldn't be in this position LOL
/Rant.. But really, come on already. I don't really like MT, and it seems they are the only ones that actually implement any feature you could ever need to make something work. UBNT doesn't have radius ACL, so I can't use that. Star doesn't have a PPPoE client (dumb as hell "insert things I can't say on here, HERE") so I can't use that. I'm not too sure WPA enterprise is supported in everything we have, so can't use that.
That leaves a head end solution. And for it to be transparent I think it will just have to be IP accounting methods. Problem is finding something that will keep track of the bytes, and all of that. I found a couple solutions but I think they aren't what I really want. And on the other end of the spectrum it's too danged much money LOL |
|
bumkus join:2001-12-04 Scottsbluff, NE |
to gunther_01
We spent a lot of time evaluating this and here is what we found:
1) Mikrotik netflow information is NOT reliable. 2) There are no open source solutions that will handle this process 3) Radius was not an option, as we have multiple APs with differing levels of accuracy 4) PPPoE is giant piece of crap for wireless
In the end, we rolled our own system, with the following hardware:
1) Cisco Switch between our core and edge servers, with one port mirrored and hooked up to - 2) A dual core, 8gig RAM server with two ethernets, one for external access and the second one hooked up to the mirrored port.
The server software is using a netflows collection daemon, and dumps the flows into a mysql database. The mysql flows database is summarized into a second reports database, then the flows database is purged.
We then built an interface where customers could check on their usage, added cron jobs to email techs a daily report of everyone who is over quota and the same over quota reports to all customers who are over.
End of the month, we import the overage charges into Freeside.
So far, this methodology works, and we have been able to verify its accuracy. Hope it helps anyone else trying to figure out how to handle this.
Matt Larsen vistabeam.com wirelesscowboys.com |
|
|
said by bumkus:PPPoE is giant piece of crap for wireless Just curious about this part of your post. What problems did you have that brought you to come to that conclusion? Reason I ask is because I have been running PPPoE over wireless for almost 4 years and have virtually no problems with it. It has a few ups and downs, but overall it has given me so much flexibility that I personally consider it well worth it. |
|
bumkus join:2001-12-04 Scottsbluff, NE |
bumkus
Member
2011-Jan-2 11:16 pm
PPPoE added complexity in our customer interactions, reduced overhead and was not compatible with our standard network design. We had one acquisition that was using PPPoE and we just finished removing it last month. Our techs were thankful to be rid of it.
FWIW, my network was not designed with PPPoE in mind, and we have a pretty wide-ranging mix of APs and CPE units. I didn't like the restrictions that it put on us and the extra work that it took. It was much easier to just figure out a better way to collect our network usage information at one point than to try and implement PPPoE.
Matt Larsen vistabeam.com |
|
|
to gunther_01
Different strokes for different folkes We use PPPoE now after doing ACL and such and never looked back. But also that is because our equipment is now 100% Ubnt and MT. We used to have some Delib in the mix as well as it was PPPoE capable when we started migrating over from ACL but most just failed one after another so we standardized on Ubnt and haven't looked back. For us PPPoE actually really simplifies things as it handles everything from authentication to accounting to grouping clients and assigning things like static addresses and QoS etc. PPPoE also has a nasty/good habit of showing problems in your network REALLY fast. You'll see all your marginal links drop frequently as well as any firmware/vendor bugs will light up in your face. In a way it was good for us as it forced us to deal with problem links that needed attention as well as re-engineering the network layout and such things. For the installers it makes the world spin really easily as they just associate the radio, type in the user and pass on their ticket and POOF all works and the rest is in the hands of NOC. Even if something is done on the fly, the installers have a batch of spare usernames and passwords to get a client online in a pinch and then hand them off to NOC to be re-provisioned. No chances for IP conflicts or other problems with installer error etc. Only bug we're now facing is with MT actually. Their AAA is messed up in the fact that when the MT box is really busy and it does an accounting update, it will hand the user's total usage as a cumulative OR a fresh start. (Normally it should only be one type and that's it, but for some reason it'll start handing one or the other) Which causes the RADIUS to now have a crapped AAA usage record for the user. Not good in today's UBB trend... |
|
|
said by voxframe:Different strokes for different folkes
We use PPPoE now after doing ACL and such and never looked back. But also that is because our equipment is now 100% Ubnt and MT. We used to have some Delib in the mix as well as it was PPPoE capable when we started migrating over from ACL but most just failed one after another so we standardized on Ubnt and haven't looked back.
For us PPPoE actually really simplifies things as it handles everything from authentication to accounting to grouping clients and assigning things like static addresses and QoS etc.
PPPoE also has a nasty/good habit of showing problems in your network REALLY fast. You'll see all your marginal links drop frequently as well as any firmware/vendor bugs will light up in your face. In a way it was good for us as it forced us to deal with problem links that needed attention as well as re-engineering the network layout and such things.
For the installers it makes the world spin really easily as they just associate the radio, type in the user and pass on their ticket and POOF all works and the rest is in the hands of NOC. Even if something is done on the fly, the installers have a batch of spare usernames and passwords to get a client online in a pinch and then hand them off to NOC to be re-provisioned. No chances for IP conflicts or other problems with installer error etc.
Only bug we're now facing is with MT actually. Their AAA is messed up in the fact that when the MT box is really busy and it does an accounting update, it will hand the user's total usage as a cumulative OR a fresh start. (Normally it should only be one type and that's it, but for some reason it'll start handing one or the other) Which causes the RADIUS to now have a crapped AAA usage record for the user. Not good in today's UBB trend... Are you me? |
|
|
to voxframe
said by voxframe:PPPoE also has a nasty/good habit of showing problems in your network REALLY fast. You'll see all your marginal links drop frequently While it can be a pain, I really like that too. I have some radio links with good signal that stay connected for months on end, giving me the indication that everything is fine. Sometimes those links aren't as good as they look fail to pass data, causing the the pppoe session to drop. I always keep my list of PPPoE sessions sorted by uptime. If I see certain customers in the "under 24 hours" list a lot, I can be pretty sure they are developing a problem. said by voxframe:For the installers it makes the world spin really easily as they just associate the radio, type in the user and pass on their ticket and POOF all works and the rest is in the hands of NOC. Same here again... While I'm up mounting the antenna and running the cable (after a quick site survey to make sure signals are good of course) my non-techie assistant fills out paperwork, creates a username and password through an easy web interface, and then plugs their PPPoE info into the CPE and they are done... Ip addressing taken care of, speed limits set, nothing else to do except create the billing account when we get back to the office! Obviously PPPoE isn't for everyone, but for those of us who can use it, it can sure make life easier! |
|
|
to gunther_01
Bingo. Not meaning to preach PPPoE as it's not the best solution for everyone, it really depends on your setup and equipment. But I love it for what it does for us.
Normally for our installers everything is provisioned and programmed out of the office before it even makes it to the installers. The radios are just tagged with a basic client ticket and they just do the install and alignment (Site survey first of course) and don't need to bother with the PPPoE stuff or any of the normal setup. But it's there if they need to do some quick thinking and dancing in a special case. |
|