<div dir="ltr"><div dir="ltr"><div dir="ltr"><div dir="ltr"><div dir="ltr"><div dir="ltr"><div dir="ltr"><div dir="ltr"><div dir="ltr"><div dir="ltr">Hello Tobias,<div><br></div><div>Thank you for your reply.</div><div><br></div></div><div class="gmail_quote"><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-style:solid;border-left-color:rgb(204,204,204);padding-left:1ex">Not directly (at least not via vici, it might be possible via RADIUS,<br>depending on the RADIUS server).<br></blockquote><div><br></div><div>This is concerning if this wasn't possible. I have FreeRadius 3.0.16, maybe I should explain the use case I'm trying to achieve.</div><div><br></div><div>I have setup a limit by monthly-usage in FreeRadius. Each user can use 10 GB and after that, any attempt to connect to the VPN server fails.</div><div><pre style="background-color:rgb(43,43,43);color:rgb(169,183,198);font-family:Menlo;font-size:9pt"><span style="color:rgb(197,118,51);font-style:italic">echo </span><span style="color:rgb(106,135,89)">'ATTRIBUTE Monthly-Usage 3001 integer64' </span><span style="font-style:italic">>> /etc/freeradius/3.0/dictionary</span></pre></div><div><pre style="background-color:rgb(43,43,43);color:rgb(169,183,198);font-family:Menlo;font-size:9pt"><span style="color:rgb(197,118,51);font-style:italic">sed </span>-i <span style="color:rgb(106,135,89)">'/authorize {/a\<br></span><span style="color:rgb(106,135,89)"> update request {\<br></span><span style="color:rgb(106,135,89)"> Monthly-Usage = "%{sql:SELECT COALESCE((SUM(`acctoutputoctets`)), 0) FROM radacct WHERE `username`='"'"'%{User-Name}'"'"' AND Month(acctupdatetime)=(Month(NOW())) AND Year(acctupdatetime)=Year(NOW())}"\<br></span><span style="color:rgb(106,135,89)"> }\<br></span><span style="color:rgb(106,135,89)">' </span>/etc/freeradius/3.0/sites-enabled/default</pre></div><div><pre style="background-color:rgb(43,43,43);color:rgb(169,183,198);font-family:Menlo;font-size:9pt">INSERT INTO radcheck (username,attribute,op,VALUE) VALUES ('houman','Monthly-Usage','<',10000000000);</pre></div><div>This works, however, once the limit has been reached, he continues to remain connected, nothing forces him out. Only if he disconnects and tries to connect again, he would be prevented. I was thinking to check every 5 minutes to see if someone has reached the monthly usage and is still connected to kick him out.</div><div><br></div><div>Do you think that is possible to do via FreeRadius?</div><div><br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-style:solid;border-left-color:rgb(204,204,204);padding-left:1ex">What do you mean? [1] provides an overview and has a link to the<br>README.md file that describes the available commands and even contains<br>simple code examples. The Python bindings are basically a wrapper that<br>provides a convenient interface for these commands.<br></blockquote><div><br></div><div>Ah my bad. I was looking at <a href="https://pypi.org/project/vici/">https://pypi.org/project/vici/</a> but I found more documentation at the github project.</div><div><br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-style:solid;border-left-color:rgb(204,204,204);padding-left:1ex">That returns the configured connections, so that's not really useful to<br>you. More interesting will be the list of established IKE_SAs (s.list_sas). </blockquote><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-style:solid;border-left-color:rgb(204,204,204);padding-left:1ex"> </blockquote><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-style:solid;border-left-color:rgb(204,204,204);padding-left:1ex">There is no option to filter by remote/user ID, so you have</blockquote><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-style:solid;border-left-color:rgb(204,204,204);padding-left:1ex">to enumerate the established SAs (list-sa documents the returned<br>information) and check remote-(eap-)id yourself.<br>
<br></blockquote><div><br></div>Perfect. I think the username in Radcheck is the same as the remote-(eap-)id you mentioned. So I have to find a way to filter that within the IKE_SA and then to terminate the IKE_SA itself. Just to be clear there is always a 1:1 relationship between IKE_SA and a user at a time, correct? If I end an IKE_SA, I won't be kicking several users by mistake? It will be only the one user using that? So in other words what I'm trying to achieve is possible with Vici right?<br><br>Many Thanks,<br>Houman</div></div></div></div></div></div></div></div></div></div>