Cisco WLC does not respect the Expiration of a user on Radius server.

Chris Moules chris at
Thu Apr 30 21:09:15 CEST 2009


I guess you are meaning that the WiFi session on the device is not

I am not an expert in this area (I have not used the Expiration checks
myself) but I guess that the Cisco will not care about this value. I
assume that it is not even returned to it (Freeradius internal check
value, not a return value?).

You will probably want to look into the Session-Timout (and maybe
Idle-Timeout) settings.

If you are using sql you can probably calculate a dynamic
Session-Timeout length based on (MySQL lingo) NOW() and the Expiration
value. After this time the session (on the cisco) will end and the user
may try to re-login. The Expiration time will have passed and so it will


Matthew Carriere wrote:
> Hi everyone,
> I have a CISCO WLC that is configured to use a FreeRadius server as the
> authentication point.
> Everything is working except the Expiration.
> I set an Expiration value programatically from a Ruby script by entering
> a record into the radcheck table:
> UserName | Matthew
> Attribute | Expiration
> op | :=
> Value | April 29 2009 02:14:48
> Here's the scenario,
> before the expiration date the user authenticates to the Radius server
> and then is able to use the Wireless (Cisco WLC). However, when the
> expiration time passes, the user can no longer authenticate to the
> radius server (which is correct), but they are still connected to the
> Wireless.
> Does anyone have some experience with this scenario to offer some
> suggestions to help troubleshoot?
> Thanks
> Matthew Carriere
> -
> List info/subscribe/unsubscribe? See

More information about the Freeradius-Devel mailing list