Cisco WLC does not respect the Expiration of a user on Radius server.

Matthew Carriere matthew.carriere at
Thu Apr 30 21:28:25 CEST 2009

Thanks Chris.

Yes the Session-Timeout is the value that is set and appears to be  
sent to the Cisco WLC.

The problem is it completely ignores it, if I refresh and try to re- 
authenticate it fails, but I still have access.

If I log out and then try it fails and I can't access the wireless.

It appears that my problem is terminating the session while it is  


On 30-Apr-09, at 12:09 PM, Chris Moules wrote:

> Matthew,
> I guess you are meaning that the WiFi session on the device is not
> terminating.
> I am not an expert in this area (I have not used the Expiration checks
> myself) but I guess that the Cisco will not care about this value. I
> assume that it is not even returned to it (Freeradius internal check
> value, not a return value?).
> You will probably want to look into the Session-Timout (and maybe
> Idle-Timeout) settings.
> If you are using sql you can probably calculate a dynamic
> Session-Timeout length based on (MySQL lingo) NOW() and the Expiration
> value. After this time the session (on the cisco) will end and the  
> user
> may try to re-login. The Expiration time will have passed and so it  
> will
> fail.
> Chirs
> Matthew Carriere wrote:
>> Hi everyone,
>> I have a CISCO WLC that is configured to use a FreeRadius server as  
>> the
>> authentication point.
>> Everything is working except the Expiration.
>> I set an Expiration value programatically from a Ruby script by  
>> entering
>> a record into the radcheck table:
>> UserName | Matthew
>> Attribute | Expiration
>> op | :=
>> Value | April 29 2009 02:14:48
>> Here's the scenario,
>> before the expiration date the user authenticates to the Radius  
>> server
>> and then is able to use the Wireless (Cisco WLC). However, when the
>> expiration time passes, the user can no longer authenticate to the
>> radius server (which is correct), but they are still connected to the
>> Wireless.
>> Does anyone have some experience with this scenario to offer some
>> suggestions to help troubleshoot?
>> Thanks
>> Matthew Carriere
>> -
>> List info/subscribe/unsubscribe? See
> -
> List info/subscribe/unsubscribe? See

More information about the Freeradius-Devel mailing list