Session-Timeout Problem

Selahattin Cilek selahattin_cilek at
Thu Feb 2 15:26:33 CET 2017

I do not want to turn this into a clash of egos, I just want to understand the problem and solve it.

This is what I want to achieve:
I want to keep user data and statistics in a MySQL database. I want to enforce quota based on the data received by FreeRADIUS 2.2.8 from any NAS.

This is my plan:
The NAS regularly informs FreeRADIUS how much a user has been using the network. FreeRADIUS keeps the data in a MySQL database and regularly checks if the user has reached his quota. When a user reaches his quota, it tells the NAS not to let him use the network. In order to be able to grant or deny access to a user, the NAS is supposed to ask FreeRADIUS at regular intervals what to with the authentication request. The only way the NAS can know about these intervals is through the "Session-Timeout" attribute. At the end of each session, the NAS sends FreeRADIUS a packet that contains data about how much bandwidth the user has consumed. FreeRADIUS commits the to a local MySQL schema, which I have programmed to update some other custom tables through triggers.

This is my problem:
The NAS receives and recognises the "Session-Timeout" attribute. It authenticates the user and starts counting data. A row is inserted into the "radacct" table. At the end of the first session, the row is updated with the fields:
acctsessiontime -> 600 (the same as the Session-Timeout attribute)
acctinputoctets -> whatever the user has uploaded
acctaoutputoctets -> whatever the user has downloaded
acctterminatecause -> Session-Timeout

Then the user is authenticated a second time, and therefore a second row is inserted into the radacct table, with an incremented session ID, of course. But strangely, this session never expires and is never updated through Acct-Interim-Updates attribute. The second session lasts forever; that is, until the user turns off WiFi or shuts down his machine. I believe this explains what happens between the NAS and FreeRADIUS:

SELECT * FROM radacct;
radacctid    acctsessionid        acctuniqueid        username    groupname    realm    nasipaddress    nasportid    nasporttype        acctstarttime        acctstoptime        acctsessiontime        acctauthentic    connectinfo_start    connectinfo_stop    acctinputoctets    acctoutputoctets    calledstationid            callingstationid    acctterminatecause    servicetype    framedprotocol    framedipaddress    acctstartdelay    acctstopdelay    xascendsessionsvrkey

1        5892F172-00000000    06aefeead5872f8f    scilek              0        Wireless-802.11        "2017-02-02 11:45:09"    "2017-02-02 11:55:09"    600            RADIUS        "CONNECT 0Mbps 802.11b"    "CONNECT 0Mbps 802.11b"    34296191    34667792        80-2A-A8-AD-1E-F9:SCILEK.NET    00-22-FA-F5-B9-0A    Session-Timeout                                0        0

2        5892F172-00000001    19d67f917a5dbc29    scilek              0        Wireless-802.11        "2017-02-02 11:55:09"    "2017-02-02 12:25:13"    1804            RADIUS        "CONNECT 0Mbps 802.11b"    "CONNECT 0Mbps 802.11b"    89525790    86476588        80-2A-A8-AD-1E-F9:SCILEK.NET    00-22-FA-F5-B9-0A    User-Request                                0        0

Here are my questions:
Why does the NAS terminate the first session as it is supposed to but not the second one? Who is supposed to inform who when the session is over? Is the NAS supposed to keep track of this and inform FreeRADIUS, or the other way around? Doesn't the idea of FreeRADIUS keeping track of session time and telling the NAS to terminate the user's session go against the design philosophy of RADIUS? Isn't RADIUS only supposed to inform and not enforce? Who is to blame if the session is not terminated when it should? Is there anything I can do with the FreeRADIUS configuration to make that NAS terminate the second session and start the third and so on? Is this a FreeRADIUS configuration issue or is there a bug in the AP firmware?

Thank you all.

[Avast logo] <>

This email has been checked for viruses by Avast antivirus software.<>

More information about the Freeradius-Users mailing list