By Art Reisman, CTO, www.netequalizer.com
The problem statement: You have an authentication service in place such as RADIUS, LDAP, or Active Directory, and now you want to implement some form of class of service per customer, for example data usage limits (quotas) or a bandwidth speed restriction per user. To do so, you need to integrate your authentication device with an enforcement device, typically a bandwidth controller.
There are products out there such as Nomadix that do both (authentication and rate limiting), but most authentication devices are not turn-key when it comes to a mechanism for setting rate limits.
Your options are:
1) You can work your way through the various forums that give advice on setting rate limits with AD,
2) Or you can embark on a software integration project, with a consultant, to accomplish your bandwidth restrictions.
In an effort to help customers appreciate and understand what goes into such an integration, I have shared the notes that I have used as a starting point when synchronizing our NetEqualizer with RADIUS.
1) Start by developing (or borrowing, if you can) a generic abstract interface (middleware) that is not specific to Active Directory, LDAP or RADIUS. Keep it clean and basic so you do not tie your solution to any one authentication server. The investment in a middleware interface is well worth the upfront cost: with a middle layer in place you avoid a messy divorce of your authentication system from your bandwidth controller should the need arise.
2) Chances are your bandwidth controller speaks IP addresses and your AD or RADIUS server speaks user names. So you need to understand how your authentication server can map a user name to the IP address that user is currently on, and send that mapping down to the bandwidth controller. (With RADIUS this is normally the accounting stream: the Accounting Start record from the NAS carries the user name together with the Framed-IP-Address, and the Accounting Stop releases it.) Take the user-to-IP binding from that authoritative source, never from anything the client itself asserts, because the whole rate limit hangs off it.
3) Your bandwidth controller will need a list of IP or MAC addresses and their committed bandwidth rates. It will need to get this information from your authentication database.
4) On a cold start you need to make the bandwidth controller aware of all active users, and during that initial synchronization you may want to pace yourself so as not to bog down your authentication server with a million requests at start-up.
5) Once the bandwidth controller has an initial list of users on board, you need a background re-synch (audit) mechanism to make sure all rate limits and associated IP addresses are current. Users log off and addresses get reused, so a stale entry hands one customer's rate to whoever gets that address next.
6) What do you do when the bandwidth controller sees traffic from an IP it is unaware of? You need a default guest rate limit of some kind for unknown IP addresses. Perhaps you want the bandwidth controller to deny service to unknown IPs altogether; that is the safer default, but it also means a lost accounting record locks a paying customer out until the next audit pass.
7) Don't forget to put a timeout on requests from the bandwidth controller to the authentication device, and decide up front what happens when the timeout fires: fall back to the guest rate (fail open) or deny (fail closed).
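The steps above, as one added example in Python. This is my own illustration, not NetEqualizer code and not any RADIUS server's API: the class names (`AuthBackend`, `FakeRadiusBackend`, `BandwidthController`, `Synchronizer`), the in-memory backend, and the sample accounting records are all constructed for the example. The backend stands in for whatever middleware talks to the real RADIUS, LDAP or AD server; the controller is a plain IP-to-kbps table.

```python
"""Added example (not NetEqualizer or RADIUS code): a small sync layer
between an authentication backend and a bandwidth controller."""
import threading
import time
from abc import ABC, abstractmethod

DENY = 0  # a rate of 0 kbps means "drop traffic from that IP"


class AuthBackend(ABC):
    """Generic middleware interface. Nothing below cares whether the real
    server is RADIUS, LDAP or Active Directory (hypothetical interface)."""

    @abstractmethod
    def active_sessions(self) -> dict:
        """user name -> IP address for users currently logged in."""

    @abstractmethod
    def rate_kbps(self, user: str) -> int:
        """Committed rate for one user."""


# Constructed sample data standing in for RADIUS accounting (a Start record
# binds a user to an IP, a Stop record releases it) plus a per-user rate
# attribute. Not taken from any real server.
SAMPLE_ACCOUNTING = [
    ("alice", "10.0.0.11", "Start"),
    ("bob", "10.0.0.12", "Start"),
    ("carol", "10.0.0.13", "Start"),
    ("carol", "10.0.0.13", "Stop"),  # carol logged off; 10.0.0.13 is free again
]
SAMPLE_RATES = {"alice": 5000, "bob": 2000, "carol": 2000}


class FakeRadiusBackend(AuthBackend):
    """In-memory stand-in; delay_s > 0 simulates a slow authentication server."""

    def __init__(self, accounting, rates, delay_s=0.0):
        self.accounting, self.rates, self.delay_s = accounting, rates, delay_s

    def active_sessions(self):
        time.sleep(self.delay_s)
        live = {}
        for user, ip, status in self.accounting:  # replay in order, last record wins
            if status == "Start":
                live[user] = ip
            else:
                live.pop(user, None)
        return live

    def rate_kbps(self, user):
        time.sleep(self.delay_s)
        return self.rates[user]


class BandwidthController:
    """Stand-in for the enforcement device: an IP -> kbps table with a
    default for IPs it has never heard of (guest rate, or DENY)."""

    def __init__(self, unknown_ip_kbps=DENY):
        self.limits = {}
        self.unknown_ip_kbps = unknown_ip_kbps

    def limit_for(self, ip):
        return self.limits.get(ip, self.unknown_ip_kbps)


class Synchronizer:
    def __init__(self, backend, controller, timeout_s=1.0):
        self.backend, self.controller, self.timeout_s = backend, controller, timeout_s

    def _call(self, fn, *args):
        """Every request to the auth server gets a hard timeout; the caller
        decides whether to fail open (guest rate) or closed (deny)."""
        box = {}

        def run():
            try:
                box["ok"] = fn(*args)
            except Exception as exc:
                box["err"] = exc

        worker = threading.Thread(target=run, daemon=True)
        worker.start()
        worker.join(self.timeout_s)
        if worker.is_alive():
            raise TimeoutError("auth server did not answer in %.1fs" % self.timeout_s)
        if "err" in box:
            raise box["err"]
        return box["ok"]

    def desired_limits(self, batch=2, pace_s=0.0):
        """Build the IP -> kbps table. Per-user lookups are paced in batches
        so a cold start does not flood the authentication server."""
        sessions = self._call(self.backend.active_sessions)
        wanted = {}
        for n, (user, ip) in enumerate(sessions.items(), 1):
            wanted[ip] = self._call(self.backend.rate_kbps, user)
            if n % batch == 0:
                time.sleep(pace_s)
        return wanted

    def cold_start(self, batch=2, pace_s=0.0):
        """Initial load; returns the number of IPs now under a rate limit."""
        self.controller.limits = self.desired_limits(batch, pace_s)
        return len(self.controller.limits)

    def resync(self):
        """Background audit: reconcile controller with the auth server and
        return (added, changed, removed) entry counts."""
        wanted = self.desired_limits()
        have = self.controller.limits
        added = [ip for ip in wanted if ip not in have]
        changed = [ip for ip in wanted if ip in have and have[ip] != wanted[ip]]
        removed = [ip for ip in have if ip not in wanted]
        self.controller.limits = wanted
        return len(added), len(changed), len(removed)
```

Run a cold start, then append a Stop record for one user and a Start for a new one and call `resync()`: the audit reports one added, one changed and one removed entry, and the released address immediately drops back to the controller's unknown-IP default rather than keeping the previous user's rate. Constructing the controller with `unknown_ip_kbps=DENY` is the fail-closed choice from the text; pass a small guest rate instead to fail open.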