Session-Timeout Problem

Brian Candler b.candler at pobox.com
Thu Feb 2 11:45:29 CET 2017


On 02/02/2017 09:24, Selahattin Cilek wrote:
> When I set the "Session-Timeout := 600" for
> a user, the NAS is supposed to renew the session every 10 minutes. My
> Unifi AP recognises the attribute and actually DOES terminate the first
> session when it times out after 10 minutes. The problem is that it
> terminates only the first session, the second session lasts until the
> NAS reboots, the user logs out or shuts down the host. This means a user
> could exceed his quota if he keeps his wireless connection alive. There
> are some users that exceed their 7GB weekly quota by 6 GBs! Should I
> blame the AP firmware for this or is it a bug in FreeRADIUS 2.2.8?

That's very easy to determine. Use tcpdump / wireshark / radsniff to 
capture all the responses from FreeRADIUS.

- If FreeRADIUS *is* sending the Session-Timeout every time, then the 
bug is in the access point.

- If FreeRADIUS *isn't* sending the Session-Timeout attribute sometimes, 
then the bug is in FreeRADIUS (or the way you have configured it).

However, I would point out that there are much better ways of achieving 
your goal than kicking off users every 10 minutes, which is highly 
disruptive.

1. Use Radius Accounting to measure how much traffic users are using 
(with Interim-Accounting you will get periodic updates). Then kick the 
user off when the user reaches the download limit.

Unifi provides an HTTP/JSON API to do this. This shell script shows how 
to use it:

https://www.ubnt.com/downloads/unifi/5.3.11/unifi_sh_api

"unifi_reconnect_sta" will kick off the user, to force them to 
reauthenticate.

2. The Unifi controller's mongodb database tracks how much bandwidth 
every user has consumed. So you could just periodically query that and 
kick off the abusers.

3. Use the Unifi's built-in bandwidth control features (User Groups / 
bandwidth limits). That's at the level of kbps not total GB per week.  
Still, people who have exceeded their quota could have a very low 
bandwidth limit applied.

Regards,

Brian.
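
Added example, not part of the original message: a minimal RADIUS decoder (packet layout per RFC 2865) that reports, for each Access-Accept in a capture, whether Session-Timeout is present, which is the check that separates the two cases above. The function names and the sample packets are constructed for illustration; the UDP payloads are assumed to have been exported from the capture already.

```python
import struct

ACCESS_ACCEPT = 2      # RADIUS packet code (RFC 2865)
SESSION_TIMEOUT = 27   # attribute type, 32-bit unsigned seconds

def parse_radius(payload):
    """Decode one UDP payload into (code, identifier, {type: [values]})."""
    if len(payload) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    code, ident, length = struct.unpack("!BBH", payload[:4])
    if length < 20 or length > len(payload):
        raise ValueError("bad RADIUS length field")
    attrs, pos = {}, 20            # attributes follow the 16-byte authenticator
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        a_type, a_len = payload[pos], payload[pos + 1]
        if a_len < 2 or pos + a_len > length:
            raise ValueError("bad attribute length")
        attrs.setdefault(a_type, []).append(payload[pos + 2:pos + a_len])
        pos += a_len
    return code, ident, attrs

def session_timeouts(payloads):
    """Return (identifier, timeout or None) for every Access-Accept seen."""
    results = []
    for payload in payloads:
        code, ident, attrs = parse_radius(payload)
        if code != ACCESS_ACCEPT:
            continue               # requests, rejects and challenges are skipped
        values = attrs.get(SESSION_TIMEOUT)
        if values and len(values[0]) != 4:
            raise ValueError("Session-Timeout value is not 4 bytes")
        timeout = struct.unpack("!I", values[0])[0] if values else None
        results.append((ident, timeout))
    return results

def build(code, ident, attrs):
    """Build a constructed test packet with a zeroed authenticator."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + bytes(16) + body

# Constructed sample: first login, a reject, then a re-authentication
SAMPLE = [
    build(2, 1, [(27, struct.pack("!I", 600))]),  # Accept with Session-Timeout
    build(3, 2, []),                              # Access-Reject
    build(2, 3, [(18, b"welcome")]),              # Accept, Reply-Message only
]

if __name__ == "__main__":
    for ident, timeout in session_timeouts(SAMPLE):
        print(f"id={ident} Session-Timeout={timeout}")
```

An Access-Accept reported with `None` means the server did not send the attribute for that authentication; if every accept carries the value, the server side is behaving as configured.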



More information about the Freeradius-Users mailing list