update-disconnect and originate-coa

Antonios Kalkakos akalkakos at hotmail.com
Tue May 31 10:25:49 UTC 2022 

Fortunately my NAS respects the Session-Timeout :)
Matthew and Alan thank you very much for your clarifications!

On 30/05/2022 16:22, Alan DeKok wrote:
> On May 30, 2022, at 4:08 AM, Antonios Kalkakos <akalkakos at hotmail.com> wrote:
>> I am trying to figure out how to disconnect a user using the originate-coa and update disconnect{} using FreeRADIUS 3.0.21 on Debian 11. Sorry if it seems a bit stupid, but I am really confused and frustrated...
>>
>> Let's say that a user configured in user's file "testuser Cleartext-Password := "password", Login-Time := "Wk1000-1400"" should be disconnected after the permitted Login-Time has passed.
> 
>    Nothing in the documentation says that's what happens.
> 
>    Unfortunately, the users session is 100% controlled by the NAS.  Including disconnection timers.  The Login-Time attribute causes FreeRADIUS to send a Session-Timeout to the NAS.  Read the debug output to see this.
> 
>    The NAS should disconnect the user after that timeout period has expired.  If it doesn't (and it's not a toy RADIUS client), then the NAS is broken.  Throw it in the garbage, and get one which works properly.
> 
>    i..e. the server doesn't need to send a disconnect packet.  You don't need to configure anything special.  Just send "Session-Timeout = 3600", and the user is magically kicked offline an hour later.
> 
>> Is this the correct way to forcibly disconnect the user using originate-coa?
> 
>    No.
> 
>> Sorry again if the following question may be a bit stupid, but what is the recommended place in the virtual server (except pre- or post-proxy) to put update coa{} or update disconnect{}?
> 
>    Wherever you want, and where it works.
> 
>    This is where most people get confused with FreeRADIUS.  They have a mental model of the configuration files as "configure this setting, and FreeRADIUS will do what I want".  That isn't the way it works.
> 
>    The FreeRADIUS configuration policies (unlang) are a programming language intended for packet processing.
> 
> 	WHEN i receive a packet containing X,
> 	SEND a reply containing Y
> 
>    So the question of "where do I put the update coa", is really "at which point in the processing did I decide that the user needs to be disconnected".  That's where the "update coa" goes.
> 
>    Alan DeKok.
> 
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

More information about the Freeradius-Users mailing list