How do I enforce EAP-TLS re-authentication at regular intervals? (INTERNAL)
Weisteen Per
per.weisteen at telenor.no
Mon Nov 8 14:37:35 CET 2021
> -----Original Message-----
> From: Freeradius-Users <freeradius-users-
> bounces+per.weisteen=telenor.no at lists.freeradius.org> On Behalf Of Alan
> DeKok
> Sent: tirsdag 10. august 2021 16:03
> To: FreeRadius users mailing list <freeradius-users at lists.freeradius.org>
> Subject: Re: How do I enforce EAP-TLS re-authentication at regular intervals?
>
> On Aug 10, 2021, at 10:00 AM, Weisteen Per <per.weisteen at telenor.no> wrote:
> >
> > We're currently deploying numerous devices using 802.1x and EAP-TLS over wired connections to Cisco switches used as NAS. As of now it seems as if all supplicants are granted indefinite access - well at least until certificate expires.
> >
> > I've been googling for answers to how I might set a session timeout in Freeradius enforcing a re-authentication by the supplicants at regular intervals but haven't found a conclusive answer.
> >
> > Could someone tell if this is a function that may be enforced in Freeradius (session-timeout?) or does it have to be enforced by the NAS?
>
> There's a Session-Timeout attribute. Send it to the NAS, and the NAS will
> enforce it:
>
> post-auth {
>     ...
>     update reply {
>         Session-Timeout := 86400  # force people to re-auth after a day
>     }
>     ...
> }
>
> Alan DeKok.
>
Hi
I've added the statements to post-auth in the sites-enabled/default file and restarted radiusd.
I assume the NAS client will only pick this up the next time it contacts the FreeRADIUS server, or could I somehow force it to?
./PerW