Brian Chandler wrote:
However, I would point out that there are much better ways of achieving your goal than kicking off users every 10 minutes, which is highly disruptive.
This is something I've been wondering and wishing for the time/motivation to look into. It's not necessarily incumbent on the NAS to kill the client's connection *before* the re-auth as long as they will definitely kill it without a successful reauth and they make the Session-Timeout deadline; some NAS vendors may have used the wiggle room here to keep the client traffic flowing during the re-authentication and on a success just keep them working. Surveying that behavior across popular NAS units would be interesting. But, that does not necessarily mean even when attached to those products that clients will play ball... so before even that, surveying which clients might perform a hitless reauth (both during EAP, and during DHCP if it is triggered) or measuring the magnitude of the hit would be the better first step. Also there is EAP-ERP (RFC 5296/6696) to streamline such behavior; I haven't gone digging to see if any products claim support for it.