On 03/02/2017 08:40, Selahattin Cilek wrote:
It is possible to inject the Session-Timeout attribute into Account Request packets? If yes, how?
The Session-Timeout is an instruction *from* the RADIUS server *to* the NAS, telling the NAS how long it is allowed to leave the user connected. That's why it goes in Access-Accept. There's no particular reason for the Session-Timeout to be included in the Accounting-Request. RFC2866 does allow it, but it would be a for information only ("I have been told to disconnect the user after they have been online for X seconds") For one last time, here's how it works. 1. NAS sends Access-Request. << at this point, for EAP there's a series of Access-Challenge/Access-Response exchanges >> 2. RADIUS server sends Access-Accept containing Session-Timeout (see RFC2865 section 5.27 and 5.44) 3. NAS grants access to the user and starts a timer. 4. NAS sends Accounting-Request (Start). It may also subsequently send Accounting-Request (Interim-Update) periodically. 5. NAS disconnects the user after the time given in Session-Timeout has expired. 6. NAS sends Accounting-Request (Stop). 7. Go back to step 1 In steps 4 and 6, the RADIUS server confirms receipt of the Accounting-Request messages with Accounting-Response messages, but those contain no content. There are no other RADIUS messages involved.