AMIGOPOD PowerConnect W Clearpass 100 Software Manual page 9

There are two ways to achieve this, depending on the type of NAS equipment in use:
•
Vendor-specific attributes — Certain NAS vendors provide the capability to limit the
amount of traffic in a particular session. For example:

The ChilliSpot-Max-Total-Octets attribute may be used with a coova-chilli NAC
device.

The Colubris-AVPair attribute may be used with a HP/Colubris controller; set a
suitable value for this attribute such as max-total-octets=200000000.
This scenario is not described further in this document, although it is possible to
implement this approach with the programmable attributes in the Amigopod's
RADIUS User Roles.
•
Interim accounting with dynamic authorization — In the general case, if the NAS does
not provide the ability to disconnect the session automatically, the session must be
monitored by the RADIUS server using RADIUS Interim Accounting updates sent by
the NAS.
Once the traffic limit has been reached, the session must be terminated as it is no
longer authorized. To do this, the dynamic authorization extensions to RADIUS
defined in RFC 3576 are used. The remainder of this technical note describes how to
implement this scenario.
Refer to Diagram 3 to understand how dynamic authorization is used to disconnect a guest
session once the traffic limit has been reached.
Guest
Internet browsing
Traffic limit exceeded
Returned to login form
States:
Diagram 3: Sequence diagram for interim accounting authorization
During the course of the session, the NAS sends interim accounting updates, including the
current traffic counters for the session, to the RADIUS server using an Accounting-Request
Amigopod |Technical Note
NAS
[5]
Unauthorized
Amigopod VMA
Accounting-Request [1]
Accounting-Response
Accounting-Request
Accounting-Response
Disconnect-Request [4]
Disconnect-Ack
Authenticating
Implementing Accounting-Based Authorization
Accounting [2]
[3]
Accounting
Authorized
|9