CoovaChilli RADIUS

Introduction

CoovaChilli uses RADIUS to provision access and to provide accounting.

Direction of Input and Output

The original ChilliSpot defined input and output as data uploaded and downloaded by the client, respectively. CoovaChilli, however, uses the reverse meaning by default, making it more compatible with some commercial access controllers.

RFC 2866 says:

Acct-Input-Octets
This attribute indicates how many octets have been received from the port over the course of this service being provided.
Acct-Output-Octets
This attribute indicates how many octets have been sent to the port in the course of delivering this service.

However, this is not very conclusive, as it depends on which side of the port you are referring to. The manual for a popular commercial access controller says:

Acct-Input-Octets
Number of octets/bytes received by the customer.
Acct-Output-Octets
Number of octets/bytes sent by the customer.

This is the definition adopted by CoovaChilli - one of the very first changes made to ChilliSpot, for use with back-end systems also supporting commercial access controllers. See Vendor Accounting Practices below for more information.

For backward compatibility, use the chilli option swapoctets to toggle back to the original meanings of input and output.

Access Provisioning

The following RADIUS attributes are used to place limits on a session authorized by a RADIUS Access-Accept response:

Session-Timeout = seconds
Standard RADIUS attribute (defined in RFC 2865) for setting the maximum session duration. The user is logged out once the session has lasted this amount of time. Also see the defsessiontimeout option in chilli.conf(5).
Idle-Timeout = seconds
Standard RADIUS attribute (defined in RFC 2865) for setting the maximum idle timeout. The user is logged out after this amount of time of inactivity (no traffic). Also see the defidletimeout option in chilli.conf(5).
Acct-Interim-Interval = seconds
Standard RADIUS attribute (defined in RFC 2869) for setting the accounting interim update interval - the rate at which accounting update packets are sent. Also see the definteriminterval option in chilli.conf(5).
ChilliSpot-Max-Input-Octets = bytes
ChilliSpot-Max-Output-Octets = bytes
ChilliSpot-Max-Total-Octets = bytes
Chilli vendor specific attributes for setting the max in, out, or total bytes transferred for the session. See above for the meaning of input and output.
WISPr-Bandwidth-Max-Up = bits/second
WISPr-Bandwidth-Max-Down = bits/second
WISPr vendor specific attributes for setting the maximum bandwidth rate in bits per second.
ChilliSpot-Bandwidth-Max-Up = kbits/second
ChilliSpot-Bandwidth-Max-Down = kbits/second
Chilli vendor specific attributes for setting the maximum bandwidth rate in kbits per second. Internally, chilli multiplies this value by 1000 in converting to bits per second.

In all cases, the ChilliSpot vendor specific attributes override WISPr attribute values. However, using the WISPr attributes is perhaps the more standard way to go.
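The precedence and unit rules above, as an added example that is not CoovaChilli's own code. The function name and the dict-based reply are assumptions; it also reports replies where both attribute families are present but disagree, which usually means a kbit/s value was put into a WISPr attribute or the reverse.

```python
def effective_bandwidth(reply):
    """Resolve bandwidth limits from Access-Accept attributes (dict of name -> value).

    Rules taken from the page: ChilliSpot-Bandwidth-Max-* is in kbit/s and is
    multiplied by 1000; WISPr-Bandwidth-Max-* is already in bit/s; the
    ChilliSpot value wins when both are present.
    Returns (limits, conflicts) with limits in bit/s, None meaning "not set".
    """
    limits, conflicts = {}, []
    for key, suffix in (("up", "Up"), ("down", "Down")):
        wispr = reply.get(f"WISPr-Bandwidth-Max-{suffix}")
        chilli = reply.get(f"ChilliSpot-Bandwidth-Max-{suffix}")
        if chilli is not None:
            chilli_bps = int(chilli) * 1000
            limits[key] = chilli_bps
            # Both families set but not equal after conversion: flag for review.
            if wispr is not None and int(wispr) != chilli_bps:
                conflicts.append((key, int(wispr), chilli_bps))
        elif wispr is not None:
            limits[key] = int(wispr)
        else:
            limits[key] = None
    return limits, conflicts


# Constructed sample reply: the WISPr "Up" value was written as if it were kbit/s.
SAMPLE_REPLY = {
    "WISPr-Bandwidth-Max-Up": 512,
    "ChilliSpot-Bandwidth-Max-Up": 512,
    "WISPr-Bandwidth-Max-Down": 2000000,
}
```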

Session Accounting

In RADIUS Accounting, the following attributes are used to report session statistics:

Acct-Session-Time = seconds
Duration of session in seconds.
Acct-Input-Octets = bytes
Acct-Output-Octets = bytes
The lower 32-bit value of the number of bytes of input and output (see above for a discussion of the meaning of input vs. output).
Acct-Input-Gigawords = gigawords
Acct-Output-Gigawords = gigawords
The upper 32-bit value of the number of bytes of input and output; or how many times the above attributes have rolled-over the 32-bit value.
Acct-Input-Packets = num-packets
Acct-Output-Packets = num-packets
The number of packets carrying input or output octets.

RADIUS Attributes

RADIUS Servers

Vendor Accounting Practices

Vendor        Perspective   Notes
Bluesocket    Client
ChilliSpot    AC
Cisco         AC
Colubris      Client
CoovaChilli   Client        Reversible with option swapoctets
Gemtek        Client        Reversible with option Reverse Accounting set to enabled
Hostapd       AC            ?
HP ProCurve   Client        ?
LANCOM        Client        ?
Nomadix       Client

Perspectives:
AC
Input is data from the Client to the NAS, and Output is data to the Client from the NAS
Client *
Input is data from the NAS to the Client, and Output is data to the NAS from the Client
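For a back end that receives accounting from several kinds of NAS, the two perspectives and the 32-bit octet/gigaword split can be folded into one normalisation step. This is an added example, not code from CoovaChilli; the function and class names are assumptions, and the vendor map is copied from the table above.

```python
from dataclasses import dataclass

# Perspective per vendor, copied from the table on this page.
# AC:     Input = client -> NAS (upload),   Output = NAS -> client (download)
# Client: Input = NAS -> client (download), Output = client -> NAS (upload)
# Hostapd, HP ProCurve and LANCOM are marked "?" on the page (unconfirmed).
VENDOR_PERSPECTIVE = {
    "Bluesocket": "Client", "ChilliSpot": "AC", "Cisco": "AC",
    "Colubris": "Client", "CoovaChilli": "Client", "Gemtek": "Client",
    "Hostapd": "AC", "HP ProCurve": "Client", "LANCOM": "Client",
    "Nomadix": "Client",
}
# Vendors the page lists as reversible (swapoctets / Reverse Accounting).
REVERSIBLE = {"CoovaChilli", "Gemtek"}


@dataclass(frozen=True)
class Usage:
    upload_bytes: int    # sent by the client
    download_bytes: int  # received by the client


def counter64(attrs, direction):
    """Join Acct-<direction>-Gigawords (upper 32 bits) and -Octets (lower 32 bits)."""
    low = int(attrs.get(f"Acct-{direction}-Octets", 0))
    high = int(attrs.get(f"Acct-{direction}-Gigawords", 0))
    if not (0 <= low < 2**32 and 0 <= high < 2**32):
        raise ValueError(f"Acct-{direction} counter outside 32-bit range")
    return (high << 32) | low


def normalise(attrs, vendor, reversed_option=False):
    """Map Input/Output counters to client upload/download for one NAS vendor."""
    perspective = VENDOR_PERSPECTIVE[vendor]
    if reversed_option:
        if vendor not in REVERSIBLE:
            raise ValueError(f"{vendor} has no reversing option on this page")
        perspective = "AC" if perspective == "Client" else "Client"
    inp, out = counter64(attrs, "Input"), counter64(attrs, "Output")
    if perspective == "AC":
        return Usage(upload_bytes=inp, download_bytes=out)
    return Usage(upload_bytes=out, download_bytes=inp)


# Constructed sample: 5,000,000,000 bytes of "input", 1,000 bytes of "output".
SAMPLE = {"Acct-Input-Octets": 705032704, "Acct-Input-Gigawords": 1,
          "Acct-Output-Octets": 1000}
```

The same record yields opposite upload/download figures for CoovaChilli with and without swapoctets, so the setting has to be recorded per NAS alongside its shared secret.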

Notes:

RFC 2866
The RADIUS Accounting RFC states that Acct-Input-Octets indicates how many octets have been received from the port over the course of this service being provided. Although this is not very clearly stated, the port should be seen from the point of view of the AC/NAS, not the Client (* those with the Client perspective are not RFC compliant).
RFC 4005
The Diameter NAS Application RFC states that Accounting-Input-Octets contains the number of octets received from the user which also (and perhaps more clearly) takes the point of view of the AC/NAS. In some early drafts, there was a mistake where it said this attribute contains the number of octets in IP packets received by the user.
GSM WLAN Roaming Guidelines
This document defines Acct-Input-Octets as the volume of the downstream traffic of the user - not very clear in the meaning, but seems to suggest the Client point of view.
3GPP TS 29.234
This document defines Acct-Input-Octets as "the number of octets sent by the WLAN UE over the course of the session. According to IETF RFC 2866"
IETF Opinions
In the RFC 2866 clarifications thread

Related RFCs

Supported, at least partially:

  • RFC 2865 - Remote Authentication Dial In User Service (RADIUS)
  • RFC 2866 - RADIUS Accounting
  • RFC 2869 - RADIUS Extensions
  • RFC 3576 - Dynamic Authorization Extensions to RADIUS

Others of interest:

  • RFC 3162 - RADIUS and IPv6
  • RFC 3580 - IEEE 802.1X RADIUS Usage Guidelines
  • RFC 4372 - Chargeable User Identity
  • RFC 4675 - RADIUS Attributes for Virtual LAN and Priority Support
  • RFC 4849 - RADIUS Filter Rule Attribute