Dropping NAS-Port AVP from Acct-Unique-Session-Id by default
nick.lowe at gmail.com
Fri Sep 18 15:26:34 CEST 2015
I meant what RFC 3580 says here. Instructing a NAS to re-authenticate
via a Termination-Action AVP of RADIUS-Request and a Session-Timeout
AVP being supplied in the Access-Accept.
That is entirely decoupled from EAP session resumption.
It is in this case that NASes are observed not sending a Stop and a
Start, which I believe is semantically correct.

When sent along in an Access-Accept without a Termination-Action
attribute or with a Termination-Action attribute set to Default, the
Session-Timeout attribute specifies the maximum number of seconds of
service provided prior to session termination.

When sent in an Access-Accept along with a Termination-Action value
of RADIUS-Request, the Session-Timeout attribute specifies the
maximum number of seconds of service provided prior to re-
authentication. In this case, the Session-Timeout attribute is used
to load the reAuthPeriod constant within the Reauthentication Timer
state machine of 802.1X. When sent with a Termination-Action value
of RADIUS-Request, a Session-Timeout value of zero indicates the
desire to perform another authentication (possibly of a different
type) immediately after the first authentication has successfully

When sent in an Access-Challenge, this attribute represents the
maximum number of seconds that an IEEE 802.1X Authenticator should
wait for an EAP-Response before retransmitting. In this case, the
Session-Timeout attribute is used to load the suppTimeout constant
within the backend state machine of IEEE 802.1X.

This attribute indicates what action should be taken when the service
is completed. The value RADIUS-Request (1) indicates that re-
authentication should occur on expiration of the Session-Time. The
value Default (0) indicates that the session should terminate.
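
Added example, not part of the original message and not FreeRADIUS code: a Python decoder that reads Session-Timeout and Termination-Action from a raw RADIUS packet and reports which of the RFC 3580 cases quoted above applies. The function names, the constructed sample packets from build(), and the handling of unknown Termination-Action values as Default are assumptions of this example.

```python
import struct

ACCESS_ACCEPT, ACCESS_CHALLENGE = 2, 11        # RADIUS packet codes
SESSION_TIMEOUT, TERMINATION_ACTION = 27, 29   # attribute types
DEFAULT, RADIUS_REQUEST = 0, 1                 # Termination-Action values

def parse_avps(packet):
    """Return (code, {attr_type: value_bytes}) for a raw RADIUS packet."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        raise ValueError("Length field does not match packet")
    avps, pos = {}, 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("bad attribute length")
        avps[atype] = packet[pos + 2:pos + alen]
        pos += alen
    return code, avps

def u32(value):
    if len(value) != 4:
        raise ValueError("expected a 4-byte integer attribute")
    return struct.unpack("!I", value)[0]

def interpret(packet):
    """Map the packet onto the RFC 3580 cases quoted in the message."""
    code, avps = parse_avps(packet)
    if SESSION_TIMEOUT not in avps or code not in (ACCESS_ACCEPT, ACCESS_CHALLENGE):
        return ("no timer loaded", None)
    seconds = u32(avps[SESSION_TIMEOUT])
    if code == ACCESS_CHALLENGE:
        return ("load suppTimeout", seconds)
    # Absent Termination-Action behaves like Default; unknown values are
    # also treated as Default here (an assumption of this example).
    action = u32(avps[TERMINATION_ACTION]) if TERMINATION_ACTION in avps else DEFAULT
    if action != RADIUS_REQUEST:
        return ("terminate session", seconds)
    return ("re-authenticate immediately" if seconds == 0 else "load reAuthPeriod", seconds)

def build(code, avps):
    """Constructed sample packet: zeroed authenticator, integer AVPs only."""
    body = b"".join(bytes([t, 6]) + struct.pack("!I", v) for t, v in avps)
    return struct.pack("!BBH", code, 1, 20 + len(body)) + bytes(16) + body
```
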