How do I enforce EAP-TLS re-authentication at regular intervals?

Alan DeKok aland at deployingradius.com
Tue Aug 10 16:03:28 CEST 2021


On Aug 10, 2021, at 10:00 AM, Weisteen Per <per.weisteen at telenor.no> wrote:
> 
> We're currently deploying numerous devices using 802.1x and EAP-TLS over wired connections to Cisco switches used as NAS. As of now it seems as if all supplicants are granted indefinite access - well, at least until the certificate expires.
> 
> I've been googling for answers to how I might set a session timeout in Freeradius enforcing a re-authentication by the supplicants at regular intervals but haven't found a conclusive answer. 
> 
> Could someone tell if this is a function that may be enforced in Freeradius (session-timeout ?) or does it have to be enforced by the NAS? 

  There's a Session-Timeout attribute.  Send it to the NAS, and the NAS will enforce it:

post-auth {
	...
	update reply {
		Session-Timeout := 86400  # force people to re-auth after a day
	}
	...
}

  Alan DeKok.



