8| Implementing Accounting-Based Authorization Amigopod |Technical Note
Diagram 2: Sequence diagram for traffic limited authorization

If the guest has not previously logged in today, or if the guest’s total traffic consumption for today is less than the configured limit, then the guest is authorized [1] and an Access-Accept response is sent [2].

If the guest’s total traffic from previous sessions today exceeds the configured limit (200 MB), this is determined during the authorization process [3] and an Access-Reject response is sent [4]. This is how the guest’s traffic is limited at login time.

Because the Amigopod Visitor Management Appliance uses role-based access control for visitor accounts, the authorization rules above should be defined as part of the role that the visitor accounts are using; in this example, the role is the “Traffic Limited Guest role”.
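
The login-time decision described above, as an added Python example (not Amigopod code or its rule syntax). The record layout, the names, the reading of 200 MB as binary megabytes, "today" meaning the session start date, and rejecting at exactly the limit are all assumptions; the gigaword fields are the RFC 2869 wrap counters for the 32-bit octet counters.

```python
from datetime import date, datetime

LIMIT_BYTES = 200 * 1024 * 1024   # the page's 200 MB limit (binary MB assumed)
TODAY = date(2024, 5, 1)          # constructed "today" for the sample data

# Constructed accounting records for closed sessions (not real data):
# (user, session start, in octets, in gigawords, out octets, out gigawords)
SESSIONS = [
    ("guest1", "2024-05-01T09:00", 50_000_000, 0, 10_000_000, 0),
    ("guest1", "2024-05-01T13:30", 5_000_000, 0, 5_000_000, 0),
    ("guest2", "2024-05-01T08:15", 150_000_000, 0, 0, 0),
    ("guest2", "2024-05-01T11:45", 60_000_000, 0, 20_000_000, 0),
    ("guest3", "2024-04-30T22:00", 400_000_000, 0, 100_000_000, 0),
    ("guest4", "2024-05-01T07:00", 500, 0, 1_000, 1),  # counter wrapped once
]

def session_bytes(rec):
    """Total bytes for one session, including 32-bit counter wraps."""
    _, _, in_oct, in_gw, out_oct, out_gw = rec
    return (in_gw << 32) + in_oct + (out_gw << 32) + out_oct

def traffic_today(user, today, sessions):
    """Sum traffic of the user's sessions that started on `today`."""
    return sum(
        session_bytes(rec) for rec in sessions
        if rec[0] == user and datetime.fromisoformat(rec[1]).date() == today
    )

def authorize(user, today, sessions, limit=LIMIT_BYTES):
    """RADIUS reply for a guest who has already passed authentication."""
    used = traffic_today(user, today, sessions)
    # Below the limit (or no sessions today): accept. Otherwise reject.
    return "Access-Accept" if used < limit else "Access-Reject"

if __name__ == "__main__":
    for name in ("guest1", "guest2", "guest3", "guest4", "newguest"):
        print(name, traffic_today(name, TODAY, SESSIONS),
              authorize(name, TODAY, SESSIONS))
```

The check only sees sessions that have already been recorded, so it says nothing about traffic used after the Access-Accept is sent.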

Authorization during Accounting-Request

Because of the authorization rules applied at login time, if the guest is able to successfully log in then it is known at that time that the guest’s current traffic usage is below the allowed quota.

Once a guest is authorized, then, how are they prevented from consuming more than their allowed traffic quota?

[Diagram 2 labels. Participants: Guest, NAS, Amigopod VMA. Guest states: Unauthorized, Authenticating, Authorized. Role: Traffic Limited Guest. First sequence (traffic less than limit): complete login form, submit form, web login, automated NAS login, login message page, Access-Request, authentication, authorization [1], Access-Accept [2]. Second sequence (traffic over limit): complete login form, submit form, web login, automated NAS login, login message page, Access-Request, authentication, authorization [3], Access-Reject [4], returned to login form.]