How to enable the "Session-Timeout" attribute?
zhengfish
zhengfish at gmail.com
Thu Feb 25 07:56:02 CET 2016
Hello,
I want to enable the Session-Timeout attribute, and add it to
/etc/freeradius/users as below:
friends Cleartext-Password := "12343333"
        Service-Type = Framed-User,
        Session-timeout = 80,
        Reply-Message = "Welcome, %{User-Name}"
Then I can test it with radeapclient and get a result with a
Session-Timeout value.
Next I want to connect hostapd to freeradius as a RADIUS client;
however, I cannot get a result with a Session-Timeout value.
I did some tcpdump captures to parse the RADIUS UDP packets, and I found
that there is a Session-Timeout attribute in the early "Access-Challenge"
packets; however, in the later "Access-Challenge" packets and the last
"Access-Accept", the Session-Timeout attribute disappears.
Why?
I want to know how to enable the Session-Timeout attribute in the last
"Access-Accept" packet.
------------------------------------ Here are the decoded UDP-1812 packets ------------------------------------
///////////////////////////////////////////////////////////////////////////////////////////////////////////////
//////////// There is an AVP: Session-Timeout: 80
RADIUS Protocol
Code: Access-Challenge (11)
Packet identifier: 0x65 (101)
Length: 110
Authenticator: 513ca93d5b2fe694852edad5796e873f
[This is a response to a request in frame 1]
[Time from request: 0.000964000 seconds]
Attribute Value Pairs
AVP: l=6 t=Service-Type(6): Framed(2)
Service-Type: Framed (2)
AVP: l=6 t=Session-Timeout(27): 80
Session-Timeout: 80
AVP: l=18 t=Reply-Message(18): Welcome, friends
Reply-Message: Welcome, friends
AVP: l=24 t=EAP-Message(79) Last Segment[1]
EAP fragment: 019a00160410aa40b4b2c24e6e447f48c1de9530e45c
Extensible Authentication Protocol
Code: Request (1)
Id: 154
Length: 22
Type: MD5-Challenge EAP (EAP-MD5-CHALLENGE) (4)
[Expert Info (Warn/Security): Vulnerable to MITM
attacks. If possible, change EAP type.]
[Vulnerable to MITM attacks. If possible,
change EAP type.]
[Severity level: Warn]
[Group: Security]
EAP-MD5 Value-Size: 16
EAP-MD5 Value: aa40b4b2c24e6e447f48c1de9530e45c
AVP: l=18 t=Message-Authenticator(80): eb392ef543cf61e13c6e58bcaed46577
Message-Authenticator: eb392ef543cf61e13c6e58bcaed46577
AVP: l=18 t=State(24): b5d32c27b54928e8e6f7137e05697f5e
State: b5d32c27b54928e8e6f7137e05697f5e
///////////////////////////////////////////////////////////////////////////////////////////////////////////////
//////////// There is no AVP: Session-Timeout. Why did it disappear?
RADIUS Protocol
Code: Access-Challenge (11)
Packet identifier: 0x67 (103)
Length: 1090
Authenticator: cb2585fb656ee2f714fb5425ec4e6527
[This is a response to a request in frame 5]
[Time from request: 0.004675000 seconds]
Attribute Value Pairs
AVP: l=255 t=EAP-Message(79) Segment[1]
EAP fragment: 019c040019c00000045c1603010039020000350301e7a203...
AVP: l=255 t=EAP-Message(79) Segment[2]
EAP fragment: f8536db5bc4ebf41cdcdbdaf51935045343680b0104d1b8f...
AVP: l=255 t=EAP-Message(79) Segment[3]
EAP fragment: 0d06092a864886f70d01010b05000382010100daebd2a23e...
AVP: l=255 t=EAP-Message(79) Segment[4]
EAP fragment: f93c85f6c573803c63a809ed50872b35472336d5b30f1603...
AVP: l=14 t=EAP-Message(79) Last Segment[5]
EAP fragment: f46d3040cff8f0ac356b4d90
Extensible Authentication Protocol
Code: Request (1)
Id: 156
Length: 1024
Type: Protected EAP (EAP-PEAP) (25)
EAP-TLS Flags: 0xc0
1... .... = Length Included: True
.1.. .... = More Fragments: True
..0. .... = Start: False
.... .000 = Version: 0
EAP-TLS Length: 1116
[2 EAP-TLS Fragments (1116 bytes): #6(1014), #8(102)]
[Frame: 6, payload: 0-1013 (1014 bytes)]
[Frame: 8, payload: 1014-1115 (102 bytes)]
[Fragment Count: 2]
[Reassembled EAP-TLS Length: 1116]
Secure Sockets Layer
TLSv1 Record Layer: Handshake Protocol: Server Hello
Content Type: Handshake (22)
Version: TLS 1.0 (0x0301)
Length: 57
Handshake Protocol: Server Hello
Handshake Type: Server Hello (2)
Length: 53
Version: TLS 1.0 (0x0301)
Random
GMT Unix Time: Feb 22, 2093
23:22:25.000000000 China Standard Time
Random Bytes:
608ccc8b12dc4d965050630f0f439ea9bdae18141a97a288...
Session ID Length: 0
Cipher Suite:
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014)
Compression Method: null (0)
Extensions Length: 13
Extension: renegotiation_info
Type: renegotiation_info (0xff01)
Length: 1
Renegotiation Info extension
Renegotiation info extension length: 0
Extension: ec_point_formats
Type: ec_point_formats (0x000b)
Length: 4
EC point formats Length: 3
Elliptic curves point formats (3)
EC point format: uncompressed (0)
EC point format:
ansiX962_compressed_prime (1)
EC point format:
ansiX962_compressed_char2 (2)
TLSv1 Record Layer: Handshake Protocol: Certificate
Content Type: Handshake (22)
Version: TLS 1.0 (0x0301)
Length: 704
Handshake Protocol: Certificate
Handshake Type: Certificate (11)
Length: 700
Certificates Length: 697
Certificates (697 bytes)
Certificate Length: 694
Certificate:
308202b23082019aa003020102020900dcb8917524af35a0...
(id-at-commonName=ubuntu)
signedCertificate
version: v3 (2)
serialNumber: -2542122057337981536
signature (sha256WithRSAEncryption)
Algorithm Id:
1.2.840.113549.1.1.11 (sha256WithRSAEncryption)
issuer: rdnSequence (0)
rdnSequence: 1 item
(id-at-commonName=ubuntu)
RDNSequence item: 1
item (id-at-commonName=ubuntu)
RelativeDistinguishedName item (id-at-commonName=ubuntu)
Id: 2.5.4.3
(id-at-commonName)
DirectoryString: printableString (1)
printableString: ubuntu
validity
notBefore: utcTime (0)
utcTime: 14-07-24 08:10:04 (UTC)
notAfter: utcTime (0)
utcTime: 24-07-21 08:10:04 (UTC)
subject: rdnSequence (0)
rdnSequence: 1 item
(id-at-commonName=ubuntu)
RDNSequence item: 1
item (id-at-commonName=ubuntu)
RelativeDistinguishedName item (id-at-commonName=ubuntu)
Id: 2.5.4.3
(id-at-commonName)
DirectoryString: printableString (1)
printableString: ubuntu
subjectPublicKeyInfo
algorithm (rsaEncryption)
Algorithm Id:
1.2.840.113549.1.1.1 (rsaEncryption)
Padding: 0
subjectPublicKey:
3082010a0282010100e856b7f9bb7b62f9392a07c95cf88c...
extensions: 1 item
Extension (id-ce-basicConstraints)
Extension Id:
2.5.29.19 (id-ce-basicConstraints)
BasicConstraintsSyntax
[0 length]
algorithmIdentifier
(sha256WithRSAEncryption)
Algorithm Id:
1.2.840.113549.1.1.11 (sha256WithRSAEncryption)
Padding: 0
encrypted:
daebd2a23ef9eaa63ddbcc2e15c6e989d0cdeeca59b9284d...
TLSv1 Record Layer: Handshake Protocol: Server Key Exchange
Content Type: Handshake (22)
Version: TLS 1.0 (0x0301)
Length: 331
Handshake Protocol: Server Key Exchange
Handshake Type: Server Key Exchange (12)
Length: 327
EC Diffie-Hellman Server Params
Curve Type: named_curve (0x03)
Named Curve: secp256r1 (0x0017)
Pubkey Length: 65
Pubkey:
04c14aa367d5908392067e94509943044f585b4fb6f5f114...
Signature Length: 256
Signature:
2282fe1506f827e574054f7faea4830bf6cc651c598e070e...
TLSv1 Record Layer: Handshake Protocol: Server Hello Done
Content Type: Handshake (22)
Version: TLS 1.0 (0x0301)
Length: 4
Handshake Protocol: Server Hello Done
Handshake Type: Server Hello Done (14)
Length: 0
AVP: l=18 t=Message-Authenticator(80): f6c1655b8f0daf6211be63b8512e3674
Message-Authenticator: f6c1655b8f0daf6211be63b8512e3674
AVP: l=18 t=State(24): b5d32c27b74f35e8e6f7137e05697f5e
State: b5d32c27b74f35e8e6f7137e05697f5e
///////////////////////////////////////////////////////////////////////////////////////////////////////////////
//////////// This is the last Access-Accept Packet, no "Session-Timeout"
RADIUS Protocol
Code: Access-Accept (2)
Packet identifier: 0x6e (110)
Length: 169
Authenticator: d91a7b3eb51f9603cb77c7b4ec81a9c8
[This is a response to a request in frame 19]
[Time from request: 0.000736000 seconds]
Attribute Value Pairs
AVP: l=58 t=Vendor-Specific(26) v=Microsoft(311)
VSA: l=52 t=MS-MPPE-Recv-Key(17):
825135d40982501e28a6937e32a17dd647d73ed1e6da099f...
MS-MPPE-Recv-Key:
825135d40982501e28a6937e32a17dd647d73ed1e6da099f...
AVP: l=58 t=Vendor-Specific(26) v=Microsoft(311)
VSA: l=52 t=MS-MPPE-Send-Key(16):
8f794639cd3defeb9d0528fb98a5e8c4ea98b7bab29a7eb7...
MS-MPPE-Send-Key:
8f794639cd3defeb9d0528fb98a5e8c4ea98b7bab29a7eb7...
AVP: l=6 t=EAP-Message(79) Last Segment[1]
EAP fragment: 03a20004
Extensible Authentication Protocol
Code: Success (3)
Id: 162
Length: 4
AVP: l=18 t=Message-Authenticator(80): a8628059998e6599571d318fc1db6d9f
Message-Authenticator: a8628059998e6599571d318fc1db6d9f
AVP: l=9 t=User-Name(1): friends
User-Name: friends