Session-Timeout Problem

Brian Julin BJulin at clarku.edu
Thu Feb 2 16:39:43 CET 2017



Brian Chandler wrote:

> However, I would point out that there are much better ways of achieving
> your goal than kicking off users every 10 minutes, which is highly
> disruptive.

This is something I've been wondering and wishing for the time/motivation
to look into.

It's not necessarily incumbent on the NAS to kill the client's connection
*before* the re-auth as long as they will definitely kill it without a successful
reauth and they make the Session-Timeout deadline; some NAS vendors may
have used the wiggle room here to keep the client traffic flowing during the
re-authentication and on a success just keep them working.  Surveying that
behavior across popular NAS units would be interesting.

But, that does not necessarily mean even when attached to those products
that clients will play ball... so before even that, surveying which clients might
perform a hitless reauth (both during EAP, and during DHCP if it is triggered)
or measuring the magnitude of the hit would be the better first step.

Also there is EAP-ERP (RFC 5296/6696) to streamline such behavior;
I haven't gone digging to see if any products claim support for it.


