On May 30, 2022, at 4:08 AM, Antonios Kalkakos <akalkakos@hotmail.com> wrote:
I am trying to figure out how to disconnect a user using the originate-coa and update disconnect{} using FreeRADIUS 3.0.21 on Debian 11. Sorry if it seems a bit stupid, but I am really confused and frustrated...
Let's say that a user configured in user's file "testuser Cleartext-Password := "password", Login-Time := "Wk1000-1400"" should be disconnected after the permitted Login-Time has passed.
Nothing in the documentation says that's what happens. Unfortunately, the users session is 100% controlled by the NAS. Including disconnection timers. The Login-Time attribute causes FreeRADIUS to send a Session-Timeout to the NAS. Read the debug output to see this. The NAS should disconnect the user after that timeout period has expired. If it doesn't (and it's not a toy RADIUS client), then the NAS is broken. Throw it in the garbage, and get one which works properly. i..e. the server doesn't need to send a disconnect packet. You don't need to configure anything special. Just send "Session-Timeout = 3600", and the user is magically kicked offline an hour later.
Is this the correct way to forcibly disconnect the user using originate-coa?
No.
Sorry again if the following question may be a bit stupid, but what is the recommended place in the virtual server (except pre- or post-proxy) to put update coa{} or update disconnect{}?
Wherever you want, and where it works. This is where most people get confused with FreeRADIUS. They have a mental model of the configuration files as "configure this setting, and FreeRADIUS will do what I want". That isn't the way it works. The FreeRADIUS configuration policies (unlang) are a programming language intended for packet processing. WHEN i receive a packet containing X, SEND a reply containing Y So the question of "where do I put the update coa", is really "at which point in the processing did I decide that the user needs to be disconnected". That's where the "update coa" goes. Alan DeKok.