Traffic shaping based on dynamic RADIUS VSAs
A FortiGate can use the WISPr-Bandwidth-Max-Down and WISPr-Bandwidth-Max-Up dynamic RADIUS VSAs (vendor-specific attributes) to control the traffic rates permitted for a certain device. The FortiGate can apply different traffic shaping to different users who authenticate with RADIUS based on the returned RADIUS VSA values. When the same user logs in from an additional device, the RADIUS server will send a CoA (change of authorization) message to update the bandwidth values to 1/N of the total values, where N is the number of logged in devices from the same user.
This feature is not supported on NP hardware. NP offloading is automatically disabled on the policy if this feature is enabled.
When a user logs in to two devices through RADIUS authentication, the authentication and authorization flow is as follows:
- The user logs in to a device and the authentication is sent to the FortiGate.
- The FortiGate sends the Access-Request message to the RADIUS server.
- The RADIUS server sends the Access-Accept message to the FortiGate. The server also returns the WISPr-Bandwidth-Max-Up and WISPr-Bandwidth-Max-Down VSAs.
- Based on the VSA values, the FortiGate applies traffic shaping for the upload and download speeds based on the device's IP.
- The user logs in to a second device and the authentication is sent to the FortiGate.
- The FortiGate sends the Access-Request message to the RADIUS server.
- The RADIUS server sends the Access-Accept message to the FortiGate. The server also returns the WISPr-Bandwidth-Max-Up and WISPr-Bandwidth-Max-Down VSAs at half the value returned for the first device.
- Based on the VSA values, the FortiGate applies traffic shaping for the upload and download speeds on the second device based on its IP.
- The RADIUS server sends a CoA message and returns the WISPr-Bandwidth-Max-Up and WISPr-Bandwidth-Max-Down VSAs for the first device at half the value.
- Based on the VSA values, the FortiGate updates traffic shaping for the upload and download speeds on the first device based on its IP.
Example
In this example, the FortiGate is configured to dynamically shape user traffic based on the WISPr-Bandwidth-Max-Up and WISPr-Bandwidth-Max-Down VSAs returned by the RADIUS server when the user logs in through firewall authentication.
To configure traffic shaping based on dynamic RADIUS VSAs:
- Configure the RADIUS server users file to return WISPr-Bandwidth-Max-Up and WISPr-Bandwidth-Max-Down:
  The WISPr-Bandwidth values are measured in bps, and the FortiOS dynamic shaper is measured in Bps.
      WISPr-Bandwidth-Max-Up = 1004857,
      WISPr-Bandwidth-Max-Down = 504857,
- In FortiOS, configure the RADIUS server:
config user radius
    edit "rad1"
        set server "172.16.200.44"
        set secret ************
        set radius-coa enable
        set acct-all-servers enable
        config accounting-server
            edit 1
                set status enable
                set server "172.16.200.44"
                set secret ************
            next
        end
    next
end
- Configure the RADIUS user group:
config user group
    edit "group_radius"
        set member "rad1"
    next
end
- Configure the firewall policy with dynamic shaping and the RADIUS group:
config firewall policy
    edit 2
        set srcintf "port2"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set srcaddr6 "all6"
        set dstaddr6 "all6"
        set action accept
        set schedule "always"
        set service "ALL"
        set dynamic-shaping enable
        set groups "group_radius"
        set nat enable
    next
end
Verification
After a client PC is authenticated by the RADIUS server, dynamic shaping is applied to the client based on the IP address.
Use the following commands to monitor the dynamic shaper:
# diagnose firewall shaper dynamic-shaper stats
# diagnose firewall shaper dynamic-shaper list {ip | ipv6 | user} <address or username>
Use case 1
User1 is paying for rate plan A that limits their maximum bandwidth to 10 Mbps download and 5 Mbps upload. User2 is paying for rate plan B that limits their maximum bandwidth to 5 Mbps download and 5 Mbps upload. The speeds in both plans are provided by best effort, so there is no guaranteed minimum bandwidth.
User1 logs in to pc1 with RADIUS authentication and IP-based dynamic shaping is applied. User2 logs in to pc2 with RADIUS authentication and IP-based dynamic shaping is applied.
To verify the dynamic shaping:
- On pc1, verify the bandwidth and transfer speed:
root@pc1:~# iperf -c 172.16.200.44 -u -t 25 -b 20M
------------------------------------------------------------
Client connecting to 172.16.200.44, UDP port 5001
Sending 1470 byte datagrams
UDP buffer size:  208 KByte (default)
------------------------------------------------------------
[  3] local 10.1.100.11 port 50510 connected with 172.16.200.44 port 5001
[ ID] Interval       Transfer     Bandwidth
[  3]  0.0-25.0 sec  59.6 MBytes  20.0 Mbits/sec
[  3] Sent 42518 datagrams
[  3] Server Report:
[  3]  0.0-25.3 sec  30.1 MBytes  9.99 Mbits/sec  15.651 ms 21058/42518 (50%)
- On pc2, verify the bandwidth and transfer speed:
root@pc2:~# iperf -c 172.16.200.44 -u -t 25 -b 20M
------------------------------------------------------------
Client connecting to 172.16.200.44, UDP port 5001
Sending 1470 byte datagrams
UDP buffer size:  208 KByte (default)
------------------------------------------------------------
[  3] local 10.1.100.22 port 52814 connected with 172.16.200.44 port 5001
[ ID] Interval       Transfer     Bandwidth
[  3]  0.0-25.0 sec  59.6 MBytes  20.0 Mbits/sec
[  3] Sent 42518 datagrams
[  3] Server Report:
[  3]  0.0-25.3 sec  15.1 MBytes  5.03 Mbits/sec  15.652 ms 31710/42514 (75%)
- In FortiOS, check the authentication list:
# diagnose firewall auth list
10.1.100.11, test-shaper1
        src_mac: **:**:**:**:**:**
        type: fw, id: 0, duration: 38, idled: 16
        expire: 562
        flag(814): hard radius no_idle
        server: rad1
        packets: in 8207 out 3999, bytes: in 12306164 out 226963
        group_id: 3
        group_name: group_radius
10.1.100.22, test-shaper2
        src_mac: **:**:**:**:**:**
        type: fw, id: 0, duration: 24, idled: 24
        expire: 156, max-life: 35976
        flag(814): hard radius no_idle
        server: rad1
        packets: in 0 out 5, bytes: in 0 out 300
        group_id: 3
        group_name: group_radius
----- 2 listed, 0 filtered ------
- Check the dynamic shaper list:
# diagnose firewall shaper dynamic-shaper list
addr: 10.1.100.11
    bandwidth(original/reply): 1250000 Bps/625000 Bps
    current bandwidth(original/reply): 1237072 Bps/0 Bps
    allow packets(original/reply): 38524/14
    allow bytes(original/reply): 55270378/11285
    drop packets(original/reply): 10136/0
    drop bytes(original/reply): 13516198/0
    life: 441
    idle: 0/40
    idle time limit: 600 s
addr: 10.1.100.22
    bandwidth(original/reply): 625000 Bps/625000 Bps
    current bandwidth(original/reply): 622909 Bps/0 Bps
    allow packets(original/reply): 3232/3
    allow bytes(original/reply): 4841536/243
    drop packets(original/reply): 2753/0
    drop bytes(original/reply): 4123994/0
    life: 10
    idle: 0/10
    idle time limit: 36000 s
- Check the session list:
# diagnose sys session list
session info: proto=6 proto_state=05 duration=3 expire=116 timeout=3600 flags=00000004 socktype=4 sockport=10001 av_idx=0 use=4
origin-shaper=
reply-shaper=
per_ip_shaper=
class_id=0 ha_id=0 policy_dir=0 tunnel=/ vlan_cos=0/0
state=redir log local may_dirty auth dst-vis f00 dynamic_shaping
statistic(bytes/packets/allow_err): org=0/0/0 reply=638/4/1 tuples=2
tx speed(Bps/kbps): 0/0 rx speed(Bps/kbps): 185/1
orgin->sink: org pre->post, reply pre->post dev=20->17/17->20 gwy=172.16.200.44/0.0.0.0
hook=pre dir=org act=noop 10.1.100.22:35561->172.16.200.44:80(0.0.0.0:0)
hook=post dir=reply act=noop 172.16.200.44:80->10.1.100.22:35561(0.0.0.0:0)
pos/(before,after) 0/(0,0), 0/(0,0)
src_mac=**:**:**:**:**:** dst_mac=**:**:**:**:**:**
misc=0 policy_id=2 auth_info=0 chk_client_info=0 vd=1
serial=0005994d tos=ff/ff app_list=0 app=0 url_cat=0
sdwan_mbr_seq=0 sdwan_service_id=0
rpdb_link_id=00000000 rpdb_svc_id=0 ngfwid=n/a
npu_state=0x000001 no_offload
no_ofld_reason: redir-to-av auth disabled-by-policy

session info: proto=6 proto_state=05 duration=122 expire=38 timeout=3600 flags=00000000 socktype=0 sockport=0 av_idx=0 use=3
origin-shaper=
reply-shaper=
per_ip_shaper=
class_id=0 ha_id=0 policy_dir=0 tunnel=/ vlan_cos=0/255
user=test-shaper1 auth_server=rad1
state=log may_dirty authed f00 dynamic_shaping acct-ext
statistic(bytes/packets/allow_err): org=383611/6604/1 reply=26382470/17592/1 tuples=2
tx speed(Bps/kbps): 0/0 rx speed(Bps/kbps): 0/0
orgin->sink: org pre->post, reply pre->post dev=20->17/17->20 gwy=172.16.200.44/10.2.2.1
hook=post dir=org act=snat 10.1.100.11:54140->172.16.200.44:80(172.16.200.2:54140)
hook=pre dir=reply act=dnat 172.16.200.44:80->172.16.200.2:54140(10.1.100.11:54140)
pos/(before,after) 0/(0,0), 0/(0,0)
src_mac=**:**:**:**:**:** dst_mac=**:**:**:**:**:**
misc=0 policy_id=2 auth_info=3 chk_client_info=0 vd=1
serial=000598c5 tos=ff/ff app_list=0 app=0 url_cat=0
sdwan_mbr_seq=0 sdwan_service_id=0
rpdb_link_id=00000000 rpdb_svc_id=0 ngfwid=n/a
npu_state=0x000001 no_offload
no_ofld_reason: disabled-by-policy
total session 2
- Check the policy traffic:
# diagnose firewall iprope list 100004
policy index=2 uuid_idx=60 action=accept
flag (8052128): redir auth nat nids_raw master use_src pol_stats
flag2 (4030): fw wsso resolve_sso
flag3 (200000b0): !sp link-local best-route dynamic-shaping
schedule(always)
cos_fwd=255  cos_rev=255
group=00100004 av=00004e20 au=00000003 split=00000000
host=1 chk_client_info=0x1 app_list=0 ips_view=0
misc=0
zone(1): 20 -> zone(1): 17
source(1): 0.0.0.0-255.255.255.255, uuid_idx=32,
dest(1): 0.0.0.0-255.255.255.255, uuid_idx=32,
user group(1): 3
service(1):
    [0:0x0:0/(0,65535)->(0,65535)] helper:auto
Use case 2
A user logs in to a device (pc1, 10.1.100.11) and has a maximum bandwidth of 10 Mbps download and 5 Mbps upload. The same user logs in to a second device (pc2, 10.1.100.22) and the RADIUS server sends a CoA request with the new WISPr-Bandwidth-Max values for pc1. The maximum bandwidth on pc1 changes to 5 Mbps download and 2.5 Mbps upload. On pc2, the maximum bandwidth is also 5 Mbps download and 2.5 Mbps upload.
When the user logs out from pc1, the RADIUS server sends a CoA request with the new WISPr-Bandwidth-Max values for pc2. The FortiGate updates the authentication user list and the dynamic shaper for pc2. The maximum bandwidth on pc2 changes to 10 Mbps download and 5 Mbps upload.
To verify the dynamic shaping:
- Check the dynamic shaper list after the user logs in to pc1:
# diagnose firewall shaper dynamic-shaper list
addr: 10.1.100.11
    bandwidth(original/reply): 1250000 Bps/625000 Bps
    current bandwidth(original/reply): 0 Bps/0 Bps
    allow packets(original/reply): 0/3
    allow bytes(original/reply): 0/243
    drop packets(original/reply): 0/0
    drop bytes(original/reply): 0/0
    life: 491
    idle: 4/4
    idle time limit: 86400 s
- Check the dynamic shaper list after the user logs in to pc2:
# diagnose firewall shaper dynamic-shaper list
addr: 10.1.100.11
    bandwidth(original/reply): 625000 Bps/312500 Bps
    current bandwidth(original/reply): 0 Bps/0 Bps
    allow packets(original/reply): 0/0
    allow bytes(original/reply): 0/0
    drop packets(original/reply): 0/0
    drop bytes(original/reply): 0/0
    life: 652
    idle: 5/5
    idle time limit: 600 s
addr: 10.1.100.22
    bandwidth(original/reply): 625000 Bps/312500 Bps
    current bandwidth(original/reply): 0 Bps/0 Bps
    allow packets(original/reply): 0/3
    allow bytes(original/reply): 0/243
    drop packets(original/reply): 0/0
    drop bytes(original/reply): 0/0
    life: 3
    idle: 3/3
    idle time limit: 86400 s
- Check the authentication list:
# diagnose firewall auth list
10.1.100.11, test
        src_mac: **:**:**:**:**:**
        type: fw, id: 0, duration: 171, idled: 11
        expire: 589, max-life: 589
        flag(814): hard radius no_idle
        server: rad1
        packets: in 0 out 0, bytes: in 0 out 0
        group_id: 15
        group_name: group_radius
10.1.100.22, test
        src_mac: **:**:**:**:**:**
        type: fw, id: 0, duration: 9, idled: 9
        expire: 86391
        flag(814): hard radius no_idle
        server: rad1
        packets: in 0 out 0, bytes: in 0 out 0
        group_id: 15
        group_name: group_radius
----- 2 listed, 0 filtered ------
- Check the dynamic shaper list after the user logs out from pc1:
# diagnose firewall shaper dynamic-shaper list
addr: 10.1.100.22
    bandwidth(original/reply): 1250000 Bps/625000 Bps
    current bandwidth(original/reply): 0 Bps/0 Bps
    allow packets(original/reply): 0/0
    allow bytes(original/reply): 0/0
    drop packets(original/reply): 0/0
    drop bytes(original/reply): 0/0
    life: 414
    idle: 9/9
    idle time limit: 600 s
- Check the authentication list again:
# diagnose firewall auth list
10.1.100.22, test
        src_mac: **:**:**:**:**:**
        type: fw, id: 0, duration: 453, idled: 49
        expire: 551, max-life: 551
        flag(814): hard radius no_idle
        server: rad1
        packets: in 0 out 0, bytes: in 0 out 0
        group_id: 15
        group_name: group_radius
----- 1 listed, 0 filtered ------
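The following Python is an added example, not FortiOS code or part of this documentation. It ties together the 1/N CoA split described in the authentication flow at the top of the page and the use case 2 listings: it computes the per-device WISPr values a RADIUS server should return for N logins, converts them from bps to the Bps the dynamic shaper reports, and parses a `diagnose firewall shaper dynamic-shaper list` listing to flag any device whose shaper does not carry plan/N (for example after a missed CoA). Assumptions: the plan values are given in the order of the shaper's original/reply columns (10 Mbps original, 5 Mbps reply, matching the listings above), the split uses integer division, and the sample listing is constructed.

```python
import re

# Constructed sample of `diagnose firewall shaper dynamic-shaper list` output,
# modelled on the use case 2 listing after the same user logs in to pc2.
SAMPLE_SHAPER_LIST = """\
addr: 10.1.100.11
    bandwidth(original/reply): 625000 Bps/312500 Bps
    current bandwidth(original/reply): 0 Bps/0 Bps
addr: 10.1.100.22
    bandwidth(original/reply): 625000 Bps/312500 Bps
    current bandwidth(original/reply): 0 Bps/0 Bps
"""

_ADDR_RE = re.compile(r"^addr:\s+(\S+)")
# Matches only the configured limit line, not the "current bandwidth" line.
_BW_RE = re.compile(r"^\s*bandwidth\(original/reply\):\s+(\d+) Bps/(\d+) Bps")


def expected_vsa_bps(plan_orig_bps, plan_reply_bps, devices):
    """Per-device WISPr-Bandwidth-Max values (bps) the RADIUS server returns in
    Access-Accept or CoA when the same user is logged in from `devices`
    devices: each device gets 1/N of the plan (assumed integer division)."""
    return plan_orig_bps // devices, plan_reply_bps // devices


def vsa_to_shaper_bps(vsa_bps):
    """WISPr VSAs are measured in bps; the FortiOS dynamic shaper reports Bps."""
    return vsa_bps // 8


def parse_dynamic_shaper_list(text):
    """Return {addr: (original_Bps, reply_Bps)} from the diag output."""
    shapers, addr = {}, None
    for line in text.splitlines():
        m = _ADDR_RE.match(line)
        if m:
            addr = m.group(1)
            continue
        m = _BW_RE.match(line)
        if m and addr:
            shapers[addr] = (int(m.group(1)), int(m.group(2)))
    return shapers


def check_split(text, plan_orig_bps, plan_reply_bps, user_addrs):
    """Return the user's device addresses whose shaper is not plan/N in Bps,
    e.g. a device whose CoA update was missed or is stale."""
    orig, reply = expected_vsa_bps(plan_orig_bps, plan_reply_bps, len(user_addrs))
    want = (vsa_to_shaper_bps(orig), vsa_to_shaper_bps(reply))
    shapers = parse_dynamic_shaper_list(text)
    return [a for a in user_addrs if shapers.get(a) != want]
```

Running `check_split` against a fresh listing after each login or logout event is a quick way to confirm that every device of the user received its CoA update.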