Cisco WLC does not respect the Expiration of a user on Radius server.

Chris Moules chris at gms.lu
Thu Apr 30 21:09:15 CEST 2009


Matthew,

I guess you are meaning that the WiFi session on the device is not
terminating.

I am not an expert in this area (I have not used the Expiration checks
myself) but I guess that the Cisco will not care about this value. I
assume that it is not even returned to it (Freeradius internal check
value, not a return value?).

You will probably want to look into the Session-Timeout (and maybe
Idle-Timeout) settings.

If you are using sql you can probably calculate a dynamic
Session-Timeout length based on (MySQL lingo) NOW() and the Expiration
value. After this time the session (on the Cisco) will end and the user
may try to re-login. The Expiration time will have passed and so it will
fail.

Chris

Matthew Carriere wrote:
> Hi everyone,
> 
> I have a CISCO WLC that is configured to use a FreeRadius server as the
> authentication point.
> 
> Everything is working except the Expiration.
> 
> I set an Expiration value programmatically from a Ruby script by entering
> a record into the radcheck table:
> 
> UserName | Matthew
> Attribute | Expiration
> op | :=
> Value | April 29 2009 02:14:48
> 
> Here's the scenario,
> 
> before the expiration date the user authenticates to the Radius server
> and then is able to use the Wireless (Cisco WLC). However, when the
> expiration time passes, the user can no longer authenticate to the
> radius server (which is correct), but they are still connected to the
> Wireless.
> 
> Does anyone have some experience with this scenario to offer some
> suggestions to help troubleshoot?
> 
> Thanks
> 
> Matthew Carriere
> 
> 
> 
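
The calculation suggested in the reply, as an added Ruby example that is not part of the original thread or of FreeRADIUS: it derives a Session-Timeout reply value from the Expiration string in the format shown in the radcheck row. Assumptions: the stored time is treated as UTC, the 8-hour cap and the function names are hypothetical, and the value is computed at each authentication rather than stored once.

```ruby
require 'time'

# Format of the Expiration value shown in the radcheck row above,
# with an explicit UTC offset appended before parsing.
EXPIRATION_FORMAT = '%B %d %Y %H:%M:%S %z'

# Hypothetical ceiling so a far-future Expiration does not produce a
# session that outlives later changes to the account.
MAX_SESSION_SECONDS = 8 * 3600

# Seconds left until expiry, capped; nil when the account has expired.
# Assumption: the stored value is UTC. Use the RADIUS server's zone in practice.
# Raises ArgumentError if the value does not match EXPIRATION_FORMAT.
def session_timeout_for(expiration_value, now: Time.now.utc, cap: MAX_SESSION_SECONDS)
  expires_at = Time.strptime("#{expiration_value} +0000", EXPIRATION_FORMAT)
  remaining = (expires_at - now).floor
  return nil if remaining <= 0

  [remaining, cap].min
end

# Reply attribute to send with an Access-Accept, in the same
# Attribute/op/Value layout as the radcheck row. Returns nil for an expired
# user: the Expiration check already rejects that login.
def session_timeout_reply(expiration_value, now: Time.now.utc)
  timeout = session_timeout_for(expiration_value, now: now)
  return nil if timeout.nil?

  { 'Attribute' => 'Session-Timeout', 'op' => ':=', 'Value' => timeout.to_s }
end

if __FILE__ == $PROGRAM_NAME
  # Constructed "current time" one hour before the Expiration in the thread.
  now = Time.utc(2009, 4, 29, 1, 14, 48)
  p session_timeout_reply('April 29 2009 02:14:48', now: now)
end
```
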



