Dell PowerConnect W Clearpass 100 Software Implementing Accounting-Based Autho - Page 9




Amigopod | Technical Note | Implementing Accounting-Based Authorization | 9

There are two ways to achieve this, depending on the type of NAS equipment in use:

• Vendor-specific attributes - Certain NAS vendors provide the capability to limit the amount of traffic in a particular session. For example:
    - The ChilliSpot-Max-Total-Octets attribute may be used with a coova-chilli NAC device.
    - The Colubris-AVPair attribute may be used with a HP/Colubris controller; set a suitable value for this attribute such as max-total-octets=200000000.
  This scenario is not described further in this document, although it is possible to implement this approach with the programmable attributes in the Amigopod's RADIUS User Roles.

• Interim accounting with dynamic authorization - In the general case, if the NAS does not provide the ability to disconnect the session automatically, the session must be monitored by the RADIUS server using RADIUS Interim Accounting updates sent by the NAS. Once the traffic limit has been reached, the session must be terminated as it is no longer authorized. To do this, the dynamic authorization extensions to RADIUS defined in RFC 3576 are used. The remainder of this technical note describes how to implement this scenario.

Refer to Diagram 3 to understand how dynamic authorization is used to disconnect a guest session once the traffic limit has been reached.

During the course of the session, the NAS sends interim accounting updates, including the current traffic counters for the session, to the RADIUS server using an Accounting-Request

Diagram 3: Sequence diagram for interim accounting authorization
[Sequence diagram. Participants: Guest, NAS, Amigopod VMA. States: Unauthorized, Authenticating, Authorized. Labels: Internet browsing; Accounting-Request [1], Accounting-Response; Accounting [2]; Accounting-Request, Accounting-Response; Accounting [3]; Disconnect-Request [4], Disconnect-Ack; Traffic limit exceeded; Returned to login form [5].]
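
The interim-accounting scenario above, sketched as an added example (not code from the technical note or from Amigopod): a RADIUS server sums the traffic counters in each interim update and, once the limit is reached, encodes an RFC 3576 Disconnect-Request for that session. The function names, shared secret, session values and the choice of User-Name plus Acct-Session-Id to identify the session are assumptions; the limit reuses the 200000000 figure quoted above.

```python
import hashlib
import struct

# RADIUS attribute types (RFC 2865/2866/2869) and the RFC 3576 packet code.
USER_NAME, ACCT_INPUT_OCTETS, ACCT_OUTPUT_OCTETS, ACCT_SESSION_ID = 1, 42, 43, 44
ACCT_INPUT_GIGAWORDS, ACCT_OUTPUT_GIGAWORDS = 52, 53
DISCONNECT_REQUEST = 40

def session_octets(attrs):
    """Total octets in both directions reported by one interim update.

    attrs maps attribute type -> decoded value. The octet counters are 32-bit
    and wrap; the Gigawords attributes count the wraps, so both are combined.
    """
    octets_in = (attrs.get(ACCT_INPUT_GIGAWORDS, 0) << 32) + attrs.get(ACCT_INPUT_OCTETS, 0)
    octets_out = (attrs.get(ACCT_OUTPUT_GIGAWORDS, 0) << 32) + attrs.get(ACCT_OUTPUT_OCTETS, 0)
    return octets_in + octets_out

def build_disconnect_request(identifier, secret, user_name, session_id):
    """Encode a Disconnect-Request naming the session by User-Name and Acct-Session-Id."""
    body = b""
    for attr_type, value in ((USER_NAME, user_name), (ACCT_SESSION_ID, session_id)):
        body += struct.pack("!BB", attr_type, len(value) + 2) + value
    header = struct.pack("!BBH", DISCONNECT_REQUEST, identifier, 20 + len(body))
    # Request Authenticator is computed as for an Accounting-Request:
    # MD5(code + id + length + 16 zero octets + attributes + shared secret).
    authenticator = hashlib.md5(header + bytes(16) + body + secret).digest()
    return header + authenticator + body

def on_interim_update(attrs, limit_octets, secret, identifier):
    """Return a Disconnect-Request once the limit is reached, else None."""
    if session_octets(attrs) < limit_octets:
        return None
    return build_disconnect_request(
        identifier, secret, attrs[USER_NAME], attrs[ACCT_SESSION_ID])

# Constructed sample data: secret and session values are illustrative only.
LIMIT = 200_000_000
SECRET = b"example-shared-secret"
SAMPLE_UPDATES = [
    {USER_NAME: b"guest1", ACCT_SESSION_ID: b"abc123",
     ACCT_INPUT_OCTETS: 150_000_000, ACCT_OUTPUT_OCTETS: 20_000_000},
    {USER_NAME: b"guest1", ACCT_SESSION_ID: b"abc123",
     ACCT_INPUT_OCTETS: 185_000_000, ACCT_OUTPUT_OCTETS: 25_000_000},
]

if __name__ == "__main__":
    for n, update in enumerate(SAMPLE_UPDATES, start=1):
        packet = on_interim_update(update, LIMIT, SECRET, identifier=n)
        print(session_octets(update), "octets ->", packet.hex() if packet else "within limit")
```

Because the limit is only checked when an update arrives, a session can exceed it by whatever it transfers during one interim interval.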