Wireless (General)

  • 1.  Wireless Radius disconnect

    Posted 11-12-2013 11:58
    Hi, does the Enterasys Wireless controller (V2110) support the Radius disconnect attributes: Disconnect-Request (40), Disconnect-ACK (41), Disconnect-NAK (42)? I have a scenario where clients connect and authenticate via a Radius server. The Radius accounting monitors the amount of data used; once the user has reached a specific limit, I would like to disconnect the user using Radius disconnect messages. Thx


  • 2.  RE: Wireless Radius disconnect

    Posted 11-12-2013 13:27
    It does support being an RFC 3576 Dynamic Authorization Server - see VNS Configuration/Global/DAS. NAC sends disconnect messages via this method. From 8.31 the wireless controller also supports CoA, which NAC can use as well, and which you could perhaps use to put the clients in a captive portal.


  • 3.  RE: Wireless Radius disconnect

    Posted 11-13-2013 12:22
    Andre, did you need additional information regarding configuring this? If so, let me know and I can point you in the right direction. Thanks!


  • 4.  RE: Wireless Radius disconnect

    Posted 11-14-2013 19:44
    I do not see the disconnect attributes on the release notes. The release notes show all the supported RADIUS attributes.


  • 5.  RE: Wireless Radius disconnect

    Posted 05-20-2014 06:43
    Hi all,

    I have approximately the same question as Andre: I would like to disconnect an 802.1X (EAP-PEAP) authenticated wireless user when the corresponding session expires.

    I use FreeRADIUS with the "Expiration" attribute for the user, that properly generates a "Session-Timeout" reply-attribute that is sent back to NAS. However, it doesn't seem to be properly interpreted as the user is not disconnected when the session expires.

    I don't use NAC, so EWC directly interacts with FreeRADIUS. Is the "Session-Timeout" interpreted by the EWC (so I am missing something in my config) or is the only solution to rely on RFC 3576 (which FreeRADIUS is doing from what I have read, although I never tampered with it myself)?

    Thanks in advance for your reply.

    Regards.



  • 6.  RE: Wireless Radius disconnect

    Posted 05-22-2014 09:58
    Session-Timeout should work. Can you get a trace of the RADIUS accept packet?

    -Doug



  • 7.  RE: Wireless Radius disconnect

    Posted 05-23-2014 04:43
    Hello Doug,

    This is the relevant part of users file on my FreeRADIUS setup:
    [code]
    expuser Cleartext-Password := "exppasswd", Expiration := "23 May 2014 08:30:00"
            Idle-Timeout = 60,
            Termination-Action = 1
    [/code]
    I have expiration module enabled on the authorize section in the sites-enabled/default file.

    This is what I get from FreeRADIUS when I do a radtest:
    [code]
    # radtest expuser exppasswd 127.0.0.1 1812 testing123
    Sending Access-Request of id 23 to 127.0.0.1 port 1812
    User-Name = "expuser"
    User-Password = "exppasswd"
    NAS-IP-Address = 127.0.0.1
    NAS-Port = 1812
    Message-Authenticator = 0x00000000000000000000000000000000
    rad_recv: Access-Accept packet from host 127.0.0.1 port 1812, id=23, length=38
    Idle-Timeout = 60
    Termination-Action = RADIUS-Request
    Session-Timeout = 512
    [/code]
    And the output of freeradius -X:
    [code]
    rad_recv: Access-Request packet from host 127.0.0.1 port 38807, id=119, length=88
    User-Name = "expuser"
    User-Password = "exppasswd"
    NAS-IP-Address = 127.0.0.1
    NAS-Port = 1812
    Message-Authenticator = 0x9cefec4ec23437b14f8b94d0a7630ac2
    # Executing section authorize from file /etc/freeradius/sites-enabled/default
    +- entering group authorize {...}
    ++[preprocess] returns ok
    ++[chap] returns noop
    ++[mschap] returns noop
    ++[digest] returns noop
    [eap] No EAP-Message, not doing EAP
    ++[eap] returns noop
    [files] users: Matched entry expuser at line 207
    ++[files] returns ok
    [expiration] Checking Expiration time: '23 May 2014 08:30:00'
    ++[expiration] returns ok
    ++[logintime] returns noop
    ++[pap] returns updated
    Found Auth-Type = PAP
    # Executing group from file /etc/freeradius/sites-enabled/default
    +- entering group PAP {...}
    [pap] login attempt with password "exppasswd"
    [pap] Using clear text password "exppasswd"
    [pap] User authenticated successfully
    ++[pap] returns ok
    # Executing section post-auth from file /etc/freeradius/sites-enabled/default
    +- entering group post-auth {...}
    ++[exec] returns noop
    Sending Access-Accept of id 23 to 127.0.0.1 port 38807
    Idle-Timeout = 60
    Termination-Action = RADIUS-Request
    Session-Timeout = 512
    Finished request 46.
    Going to the next request
    Waking up in 4.9 seconds.
    Cleaning up request 46 ID 119 with timestamp +457
    Ready to process requests.
    [/code]
    I also tested from my EWC (the FreeRADIUS output is much more verbose so I pasted it there: http://pastebin.com/xFu6AdbL).

    I can successfully authenticate before the expiration date and not after (which is great) but the device I connected via the controller is not disconnected when the session expires.

    Does that bring any idea up?


  • 8.  RE: Wireless Radius disconnect

    Posted 05-23-2014 04:43
    Have you been able to make any progress on this? I would try including the session-timeout in the return attributes that get included in the RADIUS accept.

    -Doug


  • 9.  RE: Wireless Radius disconnect

    Posted 05-27-2014 15:00
    Sorry for the late reply. If you view the client report on the controller, is the client on longer than the 512 seconds?

    -Doug


  • 10.  RE: Wireless Radius disconnect

    Posted 05-27-2014 15:44
    Also, unless I missed it, the verbose trace showed the Access-Challenge is where the session-timeout was. I could not find it in the Access-Accept at all. While that should be valid, I have only seen it work when in the Access-Accept from the RADIUS server. If the session time on the controller shows the client connecting after 8 min, we can review the session table on the controller to see if it does have the session-timeout value properly defined, but my guess is it's ignoring it in the challenge and needs to see it in the accept packet.
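
A way to run the check described in the post above on a capture: decode each RADIUS packet of an exchange and report which packet code actually carries Session-Timeout (attribute 27). This is an added example, not part of the original thread; the two sample packets are constructed and their authenticators are zeroed because they are not verified here.

```python
import struct

# RADIUS packet codes and attribute types from RFC 2865.
CODES = {1: "Access-Request", 2: "Access-Accept", 3: "Access-Reject", 11: "Access-Challenge"}
STATE, SESSION_TIMEOUT, IDLE_TIMEOUT = 24, 27, 28

def parse_radius(packet: bytes):
    """Return (code_name, identifier, {attr_type: [raw values]}) for one RADIUS packet."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-octet RADIUS header")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        raise ValueError("Length field does not match the datagram")
    attrs, pos = {}, 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        a_type, a_len = packet[pos], packet[pos + 1]
        if a_len < 2 or pos + a_len > length:
            raise ValueError("bad attribute length")
        attrs.setdefault(a_type, []).append(packet[pos + 2:pos + a_len])
        pos += a_len
    return CODES.get(code, f"code {code}"), ident, attrs

def session_timeout_report(packets):
    """For each packet, return (code_name, Session-Timeout in seconds or None)."""
    report = []
    for pkt in packets:
        name, _, attrs = parse_radius(pkt)
        raw = attrs.get(SESSION_TIMEOUT)
        report.append((name, struct.unpack("!I", raw[0])[0] if raw else None))
    return report

def accept_has_timeout(packets):
    """True only if an Access-Accept in the exchange carries Session-Timeout."""
    return any(n == "Access-Accept" and v is not None
               for n, v in session_timeout_report(packets))

def _build(code, ident, attrs):
    """Build a constructed sample packet (authenticator left as 16 zero octets)."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + bytes(16) + body

# Constructed EAP-style exchange: timeout present in the challenge only.
SAMPLE = [
    _build(11, 7, [(SESSION_TIMEOUT, struct.pack("!I", 512)), (STATE, b"state")]),
    _build(2, 8, [(IDLE_TIMEOUT, struct.pack("!I", 60))]),
]

if __name__ == "__main__":
    for name, value in session_timeout_report(SAMPLE):
        print(f"{name}: Session-Timeout = {value}")
```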



  • 11.  RE: Wireless Radius disconnect

    Posted 05-26-2016 08:43
    Regarding this topic, we are seeing the same behaviour: when freeradius sends "Disconnect-Request (40)", the C25 Controller (v9.21.09.0004) receives the request (we can see it from the traces) but never replies back, and the user session is not terminated.
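
For checking a trace of the Disconnect-Request (40) / Disconnect-ACK (41) / Disconnect-NAK (42) exchange discussed in this thread, the sketch below computes the RFC 3576 Request Authenticator and validates a reply's Response Authenticator against the shared secret. It is an added example, not part of the original thread or vendor code; the secret, session id and packets are constructed sample values.

```python
import hashlib
import hmac
import struct

DISCONNECT_REQUEST, DISCONNECT_ACK, DISCONNECT_NAK = 40, 41, 42
USER_NAME, ACCT_SESSION_ID, ERROR_CAUSE = 1, 44, 101

def _attrs(pairs):
    """Encode (type, value) pairs as RADIUS type-length-value attributes."""
    return b"".join(bytes([t, len(v) + 2]) + v for t, v in pairs)

def build_disconnect_request(ident, secret, pairs):
    """Request Authenticator = MD5(Code+ID+Length+16 zero octets+Attributes+secret)."""
    body = _attrs(pairs)
    header = struct.pack("!BBH", DISCONNECT_REQUEST, ident, 20 + len(body))
    auth = hashlib.md5(header + bytes(16) + body + secret).digest()
    return header + auth + body

def request_authenticator_ok(packet, secret):
    """Recompute the Request Authenticator of a captured request and compare."""
    length = struct.unpack("!H", packet[2:4])[0]
    expected = hashlib.md5(packet[:4] + bytes(16) + packet[20:length] + secret).digest()
    return hmac.compare_digest(packet[4:20], expected)

def build_reply(code, request, secret, pairs=()):
    """Response Authenticator = MD5(Code+ID+Length+Request Auth+Attributes+secret)."""
    body = _attrs(pairs)
    header = struct.pack("!BBH", code, request[1], 20 + len(body))
    auth = hashlib.md5(header + request[4:20] + body + secret).digest()
    return header + auth + body

def classify_reply(reply, request, secret):
    """Return 'ACK', 'NAK' or 'INVALID' for a datagram received in answer to request."""
    if len(reply) < 20 or reply[1] != request[1]:
        return "INVALID"
    length = struct.unpack("!H", reply[2:4])[0]
    if length < 20 or length > len(reply):
        return "INVALID"
    expected = hashlib.md5(reply[:4] + request[4:20] + reply[20:length] + secret).digest()
    if not hmac.compare_digest(reply[4:20], expected):
        return "INVALID"
    return {DISCONNECT_ACK: "ACK", DISCONNECT_NAK: "NAK"}.get(reply[0], "INVALID")

# Constructed sample values (not taken from any real deployment).
SECRET = b"constructed-shared-secret"
REQUEST = build_disconnect_request(
    1, SECRET, [(USER_NAME, b"expuser"), (ACCT_SESSION_ID, b"constructed-session-1")])

if __name__ == "__main__":
    nak = build_reply(DISCONNECT_NAK, REQUEST, SECRET, [(ERROR_CAUSE, struct.pack("!I", 503))])
    print(request_authenticator_ok(REQUEST, SECRET), classify_reply(nak, REQUEST, SECRET))
```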