Dropping NAS-Port AVP from Acct-Unique-Session-Id by default
Nick Lowe
nick.lowe at gmail.com
Fri Sep 18 15:26:34 CEST 2015
Hi Alan,
I meant what RFC 3580 says here. Instructing a NAS to re-authenticate
via a Termination-Action AVP of RADIUS-Request and a Session-Timeout
AVP being supplied in the Access-Accept.
That is entirely decoupled from EAP session resumption.
It is in this case that NASes are observed not sending a Stop and a
Start, which I believe is semantically correct.

3.17. Session-Timeout

When sent along in an Access-Accept without a Termination-Action
attribute or with a Termination-Action attribute set to Default, the
Session-Timeout attribute specifies the maximum number of seconds of
service provided prior to session termination.

When sent in an Access-Accept along with a Termination-Action value
of RADIUS-Request, the Session-Timeout attribute specifies the
maximum number of seconds of service provided prior to
re-authentication. In this case, the Session-Timeout attribute is used
to load the reAuthPeriod constant within the Reauthentication Timer
state machine of 802.1X. When sent with a Termination-Action value
of RADIUS-Request, a Session-Timeout value of zero indicates the
desire to perform another authentication (possibly of a different
type) immediately after the first authentication has successfully
completed.

When sent in an Access-Challenge, this attribute represents the
maximum number of seconds that an IEEE 802.1X Authenticator should
wait for an EAP-Response before retransmitting. In this case, the
Session-Timeout attribute is used to load the suppTimeout constant
within the backend state machine of IEEE 802.1X.

3.19. Termination-Action

This attribute indicates what action should be taken when the service
is completed. The value RADIUS-Request (1) indicates that
re-authentication should occur on expiration of the Session-Time. The
value Default (0) indicates that the session should terminate.
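
Added example, not part of the original post and not FreeRADIUS code: a small parser that reads Session-Timeout and Termination-Action out of a raw RADIUS packet and reports which of the cases in the quoted RFC 3580 text applies. The function names and the `build` helper for constructed sample packets are assumptions, and any Termination-Action value other than RADIUS-Request is treated as Default.

```python
import struct

# Packet codes (RFC 2865) and the two attributes RFC 3580 sections 3.17/3.19 discuss.
ACCESS_ACCEPT, ACCESS_CHALLENGE = 2, 11
SESSION_TIMEOUT, TERMINATION_ACTION = 27, 29
TA_RADIUS_REQUEST = 1  # Default is 0

def parse_attributes(packet):
    """Return (code, {type: value bytes}) from a raw RADIUS packet, with bounds checks."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if not 20 <= length <= len(packet):
        raise ValueError("Length field does not fit the datagram")
    attrs, pos = {}, 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        a_type, a_len = packet[pos], packet[pos + 1]
        if a_len < 2 or pos + a_len > length:
            raise ValueError("attribute length out of bounds")
        attrs[a_type] = packet[pos + 2:pos + a_len]
        pos += a_len
    return code, attrs

def as_int(value):
    if len(value) != 4:
        raise ValueError("integer attribute must carry 4 octets")
    return struct.unpack("!I", value)[0]

def session_timeout_meaning(packet):
    """Classify Session-Timeout the way the quoted section 3.17 text does."""
    code, attrs = parse_attributes(packet)
    if SESSION_TIMEOUT not in attrs:
        return "no Session-Timeout"
    secs = as_int(attrs[SESSION_TIMEOUT])
    if code == ACCESS_CHALLENGE:
        return f"suppTimeout: wait {secs}s for EAP-Response"
    if code != ACCESS_ACCEPT:
        return "not covered by section 3.17"
    # Assumption: absent or unrecognised Termination-Action is handled as Default (0).
    action = as_int(attrs.get(TERMINATION_ACTION, b"\x00\x00\x00\x00"))
    if action != TA_RADIUS_REQUEST:
        return f"terminate session after {secs}s"
    return "re-authenticate immediately" if secs == 0 else f"reAuthPeriod: re-authenticate every {secs}s"

def build(code, attrs):
    """Constructed sample packet: zeroed authenticator, integer attributes only."""
    body = b"".join(struct.pack("!BBI", t, 6, v) for t, v in attrs)
    return struct.pack("!BBH", code, 1, 20 + len(body)) + bytes(16) + body
```
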