Re: Radius - How to limit Maximum online time?

Joe Portman (baron@ws4.aa.net)
Thu, 18 Jul 1996 13:22:56 -0700 (PDT)

It was actually not too difficult to write the solution we are using here.

We maintain a msql database of all logged-in ports/users, driven by the
start/stop records received by the radius server(s). Each start record
updates a unique key in the database of hostname.aa.net:port# like this
KEY=morrison.aa.net:30

Logins simply write in the username and start date in the record.
Logouts simply delete the username and start date in the record.

I actually call this table 'utmp' (my private joke).

There are two auxiliary tables, one called (amusingly) 'thumpers' and one
called 'limits'.

The 'limits' table is updated when an account is created if the account is
allowed to use multiple channels or modems simultaneously.

The 'thumpers' table simply consists of hostname:program_name pairs. Each
host may use a custom 'thumper' to reset the affected session.

Since I use more than one type of radius client, this was necessary.

So:

1. I have a fairly accurate picture at all times of who is on where.
(good for busy studies and capacity planning).

2. I can now look for duplicates and take any action I desire.
(good for enforcing our terms and conditions)

This is all done post-login of course, doing it pre-login is possible
but not worth the extra trouble (IMHO).

Currently, we scan the database once a minute.

Any duplicates are checked against the 'limits' database. Anyone over
their limit gets a 'nastygram' and the oldest session (accurate to the
second) is 'thumped'.

The thumper programs are smart scripts that can determine if the
hostname/username/port# combination are still valid, and refuse to
drop the session if they are not.

Synchronization of the database is a snap, all radius servers report to a
central database server. If the DB is down (damn seldom), we don't
perform the scans until it is back up, since the scanner runs on the db
host.

Network lags, delays, outages don't affect it since the smart thumper
cannot 'thump' a portmaster it cannot reach.

Resynchronizing the DB is easy, each portmaster sends a 'reboot' message
when it starts, we look for this and 'delete from utmp where hostname =
the rebooted host' to clear that pm's entries. If this record does not
arrive, the smart thumper will still not drop anyone who is on legitimately.

The linux based PPP servers do this at reboot time automatically, directly
updating the database.

Since the thumping is done external to radius, radius login times are only
minimally affected (a few milliseconds at most).

This solution would scale pretty easily to handle 100 portmasters with
little sweat. That's only 3,000 ports and a query in a database of 3,000
is trivial.

1,000 portmasters and I might beef up the radius servers and the db
server(s) to sparc 5 instead of sparc 2. I'm also going to look very, very
hard at making sure my network is reliable and has enough bandwidth!

10,000 portmasters and I'm probably not even bothering with this stuff
anymore, I'm hiring someone else to do it for me.

BTW, just how many ISPs have 10,000 portmasters? :-)

Later,
-----------------------------------------------------------------------------
Joe Portman - Alternate Access Inc. Affordable, Reliable Internet
baron@aa.net Seattle: (206) 443-3408 Seattle: (206) 777-7777
Tacoma: (206) 927-6010 Federal Way: (206) 838-8457
Bellevue: (206) 455-8414 Olympia: (360) 458-7279
Enumclaw: (206) 862-9423 Black Diamond : (206) 288-8809
For free trial account: set modem to 8-n-1, login as "new"
For questions or support, call our voice line (206) 728-9585.
-----------------------------------------------------------------------------
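The mechanism described in the post above, written out as an added example (this is not Joe Portman's code or the Alternate Access scripts): the 'utmp', 'limits' and 'thumpers' tables are kept in sqlite3 as a stand-in for msql, the column layout is assumed, accounting records are passed in as dicts using the standard RADIUS attribute names (NAS-Identifier, NAS-Port, User-Name, Acct-Status-Type) plus an assumed Timestamp field, the scan finds accounts over their limit and picks their oldest session, and the 'smart thumper' refuses to drop a session unless the portmaster's own live port list (constructed here) still shows that user on that port.

```python
import sqlite3

DEFAULT_LIMIT = 1  # assumed default: one simultaneous session per account


def open_db():
    """Build the three tables in memory; the column layout is an assumption."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE utmp (
            key      TEXT PRIMARY KEY,   -- 'hostname:port', e.g. morrison.aa.net:30
            hostname TEXT NOT NULL,
            username TEXT,               -- NULL while the port is idle
            start    INTEGER             -- login time, epoch seconds
        );
        CREATE TABLE limits   (username TEXT PRIMARY KEY, max_sessions INTEGER);
        CREATE TABLE thumpers (hostname TEXT PRIMARY KEY, program TEXT);
    """)
    return db


def account(db, rec):
    """Apply one RADIUS accounting record (dict of attribute -> value)."""
    key = "%s:%s" % (rec["NAS-Identifier"], rec["NAS-Port"])
    if rec["Acct-Status-Type"] == "Start":
        db.execute("INSERT OR REPLACE INTO utmp VALUES (?, ?, ?, ?)",
                   (key, rec["NAS-Identifier"], rec["User-Name"], rec["Timestamp"]))
    elif rec["Acct-Status-Type"] == "Stop":
        # Logout clears the username and start time but keeps the port row
        db.execute("UPDATE utmp SET username = NULL, start = NULL WHERE key = ?", (key,))
    db.commit()


def reboot(db, hostname):
    """A portmaster sent its reboot message: drop every entry it owned."""
    db.execute("DELETE FROM utmp WHERE hostname = ?", (hostname,))
    db.commit()


def scan(db):
    """One scanner pass. Returns one (username, sessions, limit, key, program)
    tuple per account over its limit; key is that account's oldest session."""
    over = db.execute("""
        SELECT u.username, COUNT(*), COALESCE(l.max_sessions, ?)
          FROM utmp u LEFT JOIN limits l ON l.username = u.username
         WHERE u.username IS NOT NULL
         GROUP BY u.username
        HAVING COUNT(*) > COALESCE(l.max_sessions, ?)
    """, (DEFAULT_LIMIT, DEFAULT_LIMIT)).fetchall()
    actions = []
    for username, n, lim in over:
        key, host = db.execute(
            "SELECT key, hostname FROM utmp WHERE username = ? ORDER BY start LIMIT 1",
            (username,)).fetchone()
        row = db.execute("SELECT program FROM thumpers WHERE hostname = ?", (host,)).fetchone()
        actions.append((username, n, lim, key, row[0] if row else None))
    return actions


def thump(db, action, live):
    """The 'smart thumper' check. live is what the portmaster itself reports
    right now as key -> username (constructed here instead of a real query).
    The session is dropped only if the host still shows that user on that port."""
    username, _n, _lim, key, program = action
    if program is None or live.get(key) != username:
        return "refused"  # stale entry or unreachable/unknown host: leave it alone
    db.execute("UPDATE utmp SET username = NULL, start = NULL WHERE key = ?", (key,))
    db.commit()
    return "thumped"


def rec(status, host, port, user, ts):
    """Helper to build a constructed accounting record."""
    return {"Acct-Status-Type": status, "NAS-Identifier": host,
            "NAS-Port": port, "User-Name": user, "Timestamp": ts}


def demo():
    """Feed constructed accounting traffic through the tables and run one scan."""
    db = open_db()
    db.execute("INSERT INTO limits VALUES ('alice', 2)")  # alice may use two channels
    db.execute("INSERT INTO thumpers VALUES ('morrison.aa.net', 'pmreset')")
    db.execute("INSERT INTO thumpers VALUES ('thoreau.aa.net', 'pmreset')")
    for r in [rec("Start", "morrison.aa.net", 30, "bob", 1000),
              rec("Start", "morrison.aa.net", 31, "alice", 1010),
              rec("Start", "thoreau.aa.net", 5, "bob", 1050),   # bob's second login
              rec("Stop", "morrison.aa.net", 31, "alice", 1090),
              rec("Start", "morrison.aa.net", 31, "alice", 1100)]:
        account(db, r)
    return db, scan(db)


if __name__ == "__main__":
    db, actions = demo()
    print(actions)  # bob is over his limit; his oldest session is morrison.aa.net:30
    print(thump(db, actions[0], {"morrison.aa.net:30": "bob"}))
```

The scan is meant to be run from cron once a minute on the database host, as the post describes; the 'nastygram' step is left out since it is only a mail call. The two-parameter COALESCE in the HAVING clause is what makes an account with no row in 'limits' fall back to the single-session default.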