Cisco WLC does not respect the Expiration of a user on Radius server.

Chris Moules chris at gms.lu
Thu Apr 30 21:59:50 CEST 2009


Matthew Carriere wrote:
> Thanks Chris.
> 
> Yes the Session-Timeout is the value that is set and appears to be sent
> to the Cisco WLC.
Try to verify that, set a logging option on the radius to log the
returned data. Enable debug on the cisco and check what it receives or
maybe 'sniff' the packets with wireshark (or similar) to see what is on
the wire.

> The problem is it completely ignores it,
If that is the case it is a cisco question and not a freeradius one.

> if I refresh and try to
> re-authenticate it fails, but I still have access.
Not sure what you mean here. Either you're connected or not, no?

> 
> If I log out and then try it fails and I can't access the wireless.
As expected.

> 
> It appears that my problem is terminating the session while it is active.
If you have set a session timeout value then after that amount of time
has passed, the session should no longer be active. If the session is
still active, your Cisco is not honouring the session-timeout and that
is a separate issue (as stated above).

Chris

> 
> Matthew.
> 
> On 30-Apr-09, at 12:09 PM, Chris Moules wrote:
> 
>> Matthew,
>>
>> I guess you are meaning that the WiFi session on the device is not
>> terminating.
>>
>> I am not an expert in this area (I have not used the Expiration checks
>> myself) but I guess that the Cisco will not care about this value. I
>> assume that it is not even returned to it (Freeradius internal check
>> value, not a return value?).
>>
>> You will probably want to look into the Session-Timeout (and maybe
>> Idle-Timeout) settings.
>>
>> If you are using sql you can probably calculate a dynamic
>> Session-Timeout length based on (MySQL lingo) NOW() and the Expiration
>> value. After this time the session (on the cisco) will end and the user
>> may try to re-login. The Expiration time will have passed and so it will
>> fail.
>>
>> Chris
>>
>> Matthew Carriere wrote:
>>> Hi everyone,
>>>
>>> I have a CISCO WLC that is configured to use a FreeRadius server as the
>>> authentication point.
>>>
>>> Everything is working except the Expiration.
>>>
>>> I set an Expiration value programmatically from a Ruby script by entering
>>> a record into the radcheck table:
>>>
>>> UserName | Matthew
>>> Attribute | Expiration
>>> op | :=
>>> Value | April 29 2009 02:14:48
>>>
>>> Here's the scenario,
>>>
>>> before the expiration date the user authenticates to the Radius server
>>> and then is able to use the Wireless (Cisco WLC). However, when the
>>> expiration time passes, the user can no longer authenticate to the
>>> radius server (which is correct), but they are still connected to the
>>> Wireless.
>>>
>>> Does anyone have some experience with this scenario to offer some
>>> suggestions to help troubleshoot?
>>>
>>> Thanks
>>>
>>> Matthew Carriere
>>>
>>>
>>> -
>>> List info/subscribe/unsubscribe? See
>>> http://www.freeradius.org/list/devel.html
>>>
>>
> 
> 

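Chris's suggestion of deriving a dynamic Session-Timeout from the Expiration value, worked through as an added example (this is not code from the thread or from FreeRADIUS): it parses a radcheck Expiration string in the format Matthew used, computes the seconds remaining, and returns no timeout when the account has already expired. The sample radcheck rows, the `max_timeout` cap and the reply dictionary are assumptions made for the example.

```python
from datetime import datetime

# Format of the radcheck Expiration value seen in the thread,
# e.g. "April 29 2009 02:14:48"
EXPIRATION_FORMAT = "%B %d %Y %H:%M:%S"

# Constructed radcheck rows (UserName, Attribute, op, Value) for the example
RADCHECK_ROWS = [
    ("Matthew", "Expiration", ":=", "April 29 2009 02:14:48"),
]


def parse_expiration(value: str) -> datetime:
    """Turn a radcheck Expiration value into a datetime."""
    return datetime.strptime(value, EXPIRATION_FORMAT)


def session_timeout_for(expiration_value: str, now: datetime,
                        max_timeout: int = 86400):
    """Seconds until the account expires, capped at max_timeout (assumed cap).

    Returns None when the expiration time has already passed, so the caller
    can reject instead of handing out a zero or negative Session-Timeout.
    """
    remaining = int((parse_expiration(expiration_value) - now).total_seconds())
    if remaining <= 0:
        return None
    return min(remaining, max_timeout)


def build_reply(username: str, now: datetime, rows=RADCHECK_ROWS) -> dict:
    """Build an Access-Accept/Reject summary for a user from the radcheck rows."""
    for user, attribute, _op, value in rows:
        if user == username and attribute == "Expiration":
            timeout = session_timeout_for(value, now)
            if timeout is None:
                return {"username": username, "action": "reject"}
            # The WLC is expected to end the session when this many seconds elapse;
            # the user then has to re-authenticate, which fails once Expiration has passed.
            return {"username": username, "action": "accept",
                    "Session-Timeout": timeout}
    # No Expiration row: accept without a derived timeout
    return {"username": username, "action": "accept"}
```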