Matthew Carriere wrote:
Thanks Chris.
Yes the Session-Timeout is the value that is set and appears to be sent to the Cisco WLC. Try to verify that, set a logging option on the radius to log the returned data. Enable debug on the cisco and check what it receives or maybe 'sniff' the packets with wireshark (or similar) to see what is on the wire.
The problem is it completely ignores it, If that is the case it is a cisco question and not a freeradius one.
if I refresh and try to re-authenticate it fails, but I still have access. Not sure what you mean here. Either your connected or not, no?
If I log out and then try it fails and I can't access the wireless.
As expected.
It appears that my problem is terminating the session while it is active.
If you have set a session timeout value then after that amount of time has passed, the session should no longer be active. If the session is still active, your Cisco is not honouring the session-timeout and that is a separate issue (as stated above). Chris
Matthew.
On 30-Apr-09, at 12:09 PM, Chris Moules wrote:
Matthew,
I guess you are meaning that the WiFi session on the device is not terminating.
I am not an expert in this area (I have not used the Expiration checks myself) but I guess that the Cisco will not care about this value. I assume that it is not even returned to it (Freeradius internal check value, not a return value?).
You will probably want to look into the Session-Timout (and maybe Idle-Timeout) settings.
If you are using sql you can probably calculate a dynamic Session-Timeout length based on (MySQL lingo) NOW() and the Expiration value. After this time the session (on the cisco) will end and the user may try to re-login. The Expiration time will have passed and so it will fail.
Chirs
Matthew Carriere wrote:
Hi everyone,
I have a CISCO WLC that is configured to use a FreeRadius server as the authentication point.
Everything is working except the Expiration.
I set an Expiration value programatically from a Ruby script by entering a record into the radcheck table:
UserName | Matthew Attribute | Expiration op | := Value | April 29 2009 02:14:48
Here's the scenario,
before the expiration date the user authenticates to the Radius server and then is able to use the Wireless (Cisco WLC). However, when the expiration time passes, the user can no longer authenticate to the radius server (which is correct), but they are still connected to the Wireless.
Does anyone have some experience with this scenario to offer some suggestions to help troubleshoot?
Thanks
Matthew Carriere
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/devel.html
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/devel.html
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/devel.html