-----Original Message----- From: Freeradius-Users <freeradius-users- bounces+per.weisteen=telenor.no@lists.freeradius.org> On Behalf Of Alan DeKok Sent: tirsdag 10. august 2021 16:03 To: FreeRadius users mailing list <freeradius-users@lists.freeradius.org> Subject: Re: How do I enforce EAP-TLS re-authentication at regular intervals?
On Aug 10, 2021, at 10:00 AM, Weisteen Per <per.weisteen@telenor.no> wrote:
We're currently deploying numerous devices using 802.1x and EAP-TLS over
wired connections to Cisco switches used as NAS. As of now it seems as if all supplicants are granted indefinite access - well at least until certificate expires.
I've been googling for answers to how I might set a session timeout in
Freeradius enforcing a re-authentication by the supplicants at regular intervals but haven't found a conclusive answer.
Could someone tell if this is a function that may be enforced in Freeradius
(session-timeout ?) or does it have to be enforced by the NAS?
There's a Session-Timeout attribute. Send it to the NAS, and the NAS will enforce it:
post-auth { ... update reply { Session-Timeout := 86400 # force people to re-auth after a day } ... }
Alan DeKok.
Hi I've added the statements to the post-auth in sites-enabled/default file and restarted radiusd. I assume the NAS client will only pick up this next time it contacts Freeradius server or could I somehow force it to ? ./PerW