Access-challenge timeout on IOS

Franks Andy (RLZ) IT Systems Engineer Andy.Franks at
Thu Jul 4 16:50:47 CEST 2013

I'll give it a go. Thanks for the information guys. The cisco attribute
list says
Session-Timeout : Sets the maximum number of seconds of service to be
provided to the user before the session terminates. This attribute value
becomes the per-user "absolute timeout."
Not that helpful, and why I discarded it as an option which might be
useful. Let's see..

-----Original Message-----
From: at
[ at lists.freeradiu] On Behalf Of Phil Mayers
Sent: 04 July 2013 15:28
To: freeradius-users at
Subject: Re: Access-challenge timeout on IOS

On 04/07/13 14:34, David Mitton wrote:
> Quoting Phil Mayers <p.mayers at>:
>> On 04/07/13 11:00, Franks Andy (RLZ) IT Systems Engineer wrote:
>>> Hi,
> ....
>>> Session-timeout and Idle-timeout are attributes mentioned by the 
>>> cisco docs but neither of these seem to be what I'm after.
>> Neither are relevant; they're for established sessions, not timeouts 
>> in
>> *establishing* one.
>> -
> Actually, that is incorrect Session-Timeout _is_ used to control the 
> authentication timeout, when in the initial AccReq.  I'd quote the 
> RFC, but I'm not at home.  The *-Timeouts in the Acc-Accept control
the session.

Hmm, so it does; 5.27 of 2865 and 2.3.2 of 2869.

However - does any equipment actually *honour* this? Also, I note the
wording is very loose indeed - no MUST.
List info/subscribe/unsubscribe? See

More information about the Freeradius-Users mailing list