radius:rad_fup [RADIUSdesk]

This page is read only. You can view the source, but not change it. Ask your administrator if you think this is wrong.
<nav type="pills" justified="false">
  * [[:user_manuals|Back to Documentation]]
  * [[:radius:rad_fup|Fair Usage Policy (FUP)]]
</nav>

====== Fair Usage Policy (FUP) ======
===== Introduction =====
  * As of January 2023, RADIUSdesk now includes a powerful FUP package.
  * In collaboration with our customers, we have developed an innovative and flexible implementation that packs a punch.
  * This document first discusses the various FUP requirements that are met with this implementation.
  * Then we will create a practical FUP profile.
  * Finally, we will show you where you can tweak things if necessary for your specific environment or implementation.

===== FUP implementation =====
  * In South Africa some of the major ISPs implement multiple layers of service for their FUP.
     * Bandwidth is reduced when a certain amount of data is consumed over the course of a month.
     * A further bandwidth reduction occurs when a second data usage milestone is reached.
     * Finally, when a third milestone is reached, bandwidth is throttled to a trickle.
     * When the new month begins, everything reverts back to normal speed.
  * Another requirement is the ability to assign an IP pool to a specific service level.
      * This is typically the case with ISPs that use Mikrotik PPPoE servers.
      * For example, there is a Premium IP Pool and a Best Effort IP Pool.
      * A user starts in the premium IP pool up to the point where their specified FUP is triggered.
      * After that, they are moved to the best-effort IP pool.
  * Communities using RADIUSdesk wanted to provide more bandwidth to their users between midnight and 7am, as uplink utilization is very low during this time, which can promote more even usage.
  * With these various requirements in mind we formulated the FUP package in RADIUSdesk. 

===== Practical FUP profiles =====
  * To configure the FUP part of a profile, go to **RADIUS** -> **Profiles**.
  * The editing option of a profile contains **FUP**.
<panel type="primary">
{{:radius:profiles:fup_option.png?nolink|}}
</panel>
  * There are two sections for a FUP based profile.
        * The first section specifies the base speed if no restrictions are imposed.
        * The second section contains a list of the FUP restriction components to be applied.

==== Base speed limit - No restrictions imposed  ====
<panel type="primary">
{{:radius:profiles:fup_basic.png?nolink|}}
</panel>

==== FUP Components to be applied ====
<panel type="primary">
{{:radius:profiles:fup_throttle.png?nolink|}}
</panel>
  * In the screenshot above we see two stage throttling.
  * When the user's total usage reaches 100Gb, we halve their bandwidth. (reduction to 50Mb/s)
  * If the user then reaches 200Gb usage, we reduce their bandwidth further. (reduce to 25Mb/s)
  * The FUP component is made up of the following elements.
        * Descriptive name.
        * **If condition**. Options include **Time of day**, **Daily usage**, **Weekly usage**, **Monthly usage**.
        * For **Time of day** there is a start time and an end time.
        * For **data usage** there is a data amount.
        * **Action**. When the trigger is reached, we can **block the data traffic**, **decrease the speed** or **increase the speed**.
        * An optional IP pool to be used when the component is triggered.
    * You can combine different types of FUP components.
    * The logic it applies uses the following rules.
          * Blocking traffic has priority.
          * Components that reduce the speed use the slowest (largest percentage reduction)
          * Components that increase the speed use the slowest (smallest percentage increase)
    * This essentially means that the strictest action of the component is applied.

===== Important points on FUP =====
  * For FUP to work correctly, two important points must be present and working.
==== Timezone setting on RADIUS Client ====
  * To determine the exact start of the day, week or month, the time zone in which a RADIUS client is used must be specified.
  * If this is not the case, it will fall back on the time zone to which the RADIUSdesk installation is set.

==== Ability to disconnect a RADIUS user from RADIUSdesk ====
  * In order for the system to recognize and activate an FUP restriction, it must disconnect an active session of a user.
  * The RADIUS client should then re-authenticate the client to which the restriction is to be applied. (This is the standard procedure for PPPoE connections)

===== Nuts and bolts of FUP =====
  * This section is intended for readers who would like to know how everything works and fits together.
  * When you use the FUP editor for a RADIUS profile, a few things happen behind the scenes.
  * The system creates a profile component with a naming convention that starts with **FupAdd_<profile_id>** and adds this profile component to the profile.
  * This Profile Component contains one or more of the following FreeRADIUS custom check attributes.
<code bash>
ATTRIBUTE Rd-Fup-Bw-Up          3166 integer
ATTRIBUTE Rd-Fup-Bw-Down        3167 integer
ATTRIBUTE Rd-Fup-Comp-Count     3168 integer
ATTRIBUTE Rd-Fup-Profile-Id     3169 integer
ATTRIBUTE Rd-Fup-Burst-Limit    3170 integer
ATTRIBUTE Rd-Fup-Burst-Time     3171 integer
ATTRIBUTE Rd-Fup-Burst-Threshold 3172 integer
ATTRIBUTE Rd-Fup-Ip-Pool        3173 string
</code>
  * FreeRADIUS is configured to use a combination of unlang and a Perl module to formulate the response to an access request that a RADIUS client sends to the FreeRADIUS server.
  * The Perl module searches for all entries in the DB table **profile_fup_components** that are linked to the RADIUS profile.
  * It then attempts to determine which restriction, if any, should be applied.
  * The Perl module can be found in ///etc/freeradius/3.0/mods-config/perl/fup.pl//
  * It establishes a connection to the database and the login information with which the connection to the database is to be established is also specified in this file.
  * If there is an FBD component that is to be applied to a user, we record it in the **applied_fup_components** table.
  * We then run a cron **script cd /var/www/html/cake4/rd_cake && bin/cake fup** that compares the applied FBD component with the currently active FBD component.
  * If they are different, we send a disconnect request to all RADIUS clients for that username (all RADIUS clients the user might be connected to)
  * This should initiate a re-authentication that synchronizes the applied FBD component with the current active FBD component.