How do I enforce EAP-TLS re-authentication at regular intervals?
Hi We're currently deploying numerous devices using 802.1x and EAP-TLS over wired connections to Cisco switches used as NAS. As of now it seems as if all supplicants are granted indefinite access - well at least until certificate expires. I've been googling for answers to how I might set a session timeout in Freeradius enforcing a re-authentication by the supplicants at regular intervals but haven't found a conclusive answer. Could someone tell if this is a function that may be enforced in Freeradius (session-timeout ?) or does it have to be enforced by the NAS? ./PerW
On Aug 10, 2021, at 10:00 AM, Weisteen Per <per.weisteen@telenor.no> wrote:
We're currently deploying numerous devices using 802.1x and EAP-TLS over wired connections to Cisco switches used as NAS. As of now it seems as if all supplicants are granted indefinite access - well at least until certificate expires.
I've been googling for answers to how I might set a session timeout in Freeradius enforcing a re-authentication by the supplicants at regular intervals but haven't found a conclusive answer.
Could someone tell if this is a function that may be enforced in Freeradius (session-timeout ?) or does it have to be enforced by the NAS?
There's a Session-Timeout attribute. Send it to the NAS, and the NAS will enforce it: post-auth { ... update reply { Session-Timeout := 86400 # force people to re-auth after a day } ... } Alan DeKok.
hi, you can send a session-timeout from FreeRADIUS - but its up to the NAS to accept and enforce that. you should also be able to configure your switches in the 802.1X dot1x settings (I believe this is now port based rather than global on all IOS switches dot1x timeout reauth-period but you need to run dot1x reauthentication to activate/enable that more help here
dot1x timeout ?
alan
participants (3)
-
Alan Buxey -
Alan DeKok -
Weisteen Per