Expiration Feature / Session-Timeout Problem

Alan DeKok aland at deployingradius.com
Wed Feb 4 16:40:32 CET 2015

On Feb 4, 2015, at 6:56 AM, Sven <freeradius at fragnet.org> wrote:
> i try to use the Expiration Feature to get control over the Password lifetime of our Users.
> The idea was to set a date maybe 90 Day from last Passwordchange. This worked well, Users got denied but ive tested this feature only with a few Days ahead from now.
> Now i found out that if i set this to more than a Month from now that some of our Devices rejects the Access while i can see in the Radius Log that they where supplied with a Access-Accept.

  That’s easy to fix.  Add this in the post-auth section:

	if (reply:Session-Timeout && (reply:Session-Timeout > 259200)) {
		update reply {
			Session-Timeout := 259200

  That should fix the problem. The user will be disconnected after 30 days, and will reconnect.  Ones who still have valid accounts will get another 30 days of access.

> Maybe there is a better solution to get this "feature" :) Im not sure if the Expiration Feature is the right thing for this task.

  Expiration is the correct thing to use.  The problem is that many NASes are buggy.

  Alan DeKok.

More information about the Freeradius-Users mailing list