Forced Reauthentication
Hello, I'm trying to force reauthentication of my strongswan IPSec clients where EAP-TLS is being used, but nothing seems to work. Now, this is something that I would like to do on a per-client basis, so I'm modifying the session-timeout attribute of the access-accept packet to include my new session time. This insertion is performed from JRADIUS, where it is called in the post-auth stage. All of this appears to be working since the FreeRADIUS output prints out the new session-timeout value along with the other access-accept data when it sends the access-accept packet. I have also tried to globally set the session-timeout by including it in the FreeRADIUS users file, but none of these methods seem to work. Is anyone aware of a way to force a connecting client to reauthenticate? Am I missing something with the methods I've tried thus far? Lester Houston 111 Boeing Research & Technology Electronics Prototyping and Integration Center (EPIC) lester.l.houston-iii@boeing.com 314-234-0621
On Wed, Dec 7, 2011 at 5:31 AM, Houston-III, Lester L <lester.l.houston-iii@boeing.com> wrote:
Hello,
I’m trying to force reauthentication of my strongswan IPSec clients where EAP-TLS is being used, but nothing seems to work. Now, this is something that I would like to do on a per-client basis, so I’m modifying the session-timeout attribute of the access-accept packet to include my new session time.
Does the NAS (strongswan?) support session-timeout? If you don't know, ask its support/forum/list. It's unlikely that you'll find the answer here.
This insertion is performed from JRADIUS, where it is called in the post-auth stage.
Why would you need jradius? why not just use an unlang block in freeradius? update reply { ... } -- Fajar
I will ask the strongswan folks. JRADIUS is used for some other post authentication processing that determines whether the user truly granted or denied access to the system. -----Original Message----- From: freeradius-users-bounces+lester.l.houston-iii=boeing.com@lists.freeradius.org [mailto:freeradius-users-bounces+lester.l.houston-iii=boeing.com@lists.freeradius.org] On Behalf Of Fajar A. Nugraha Sent: Tuesday, December 06, 2011 6:40 PM To: FreeRadius users mailing list Subject: Re: Forced Reauthentication On Wed, Dec 7, 2011 at 5:31 AM, Houston-III, Lester L <lester.l.houston-iii@boeing.com> wrote:
Hello,
I'm trying to force reauthentication of my strongswan IPSec clients where EAP-TLS is being used, but nothing seems to work. Now, this is something that I would like to do on a per-client basis, so I'm modifying the session-timeout attribute of the access-accept packet to include my new session time.
Does the NAS (strongswan?) support session-timeout? If you don't know, ask its support/forum/list. It's unlikely that you'll find the answer here.
This insertion is performed from JRADIUS, where it is called in the post-auth stage.
Why would you need jradius? why not just use an unlang block in freeradius? update reply { ... } -- Fajar - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
participants (2)
-
Fajar A. Nugraha -
Houston-III, Lester L