
Wireless Radius disconnect


Userlevel 5
Hi, does the Enterasys Wireless controller (V2110) support the RADIUS disconnect attributes? Disconnect-Request (40), Disconnect-ACK (41), Disconnect-NAK (42). I have a scenario where clients connect and authenticate via a RADIUS server. The RADIUS accounting monitors the amount of data used; once the user has reached a specific limit, I would like to disconnect the user using RADIUS disconnect messages. Thx

10 replies

It does support being an RFC 3576 Dynamic Authorization Server - see VNS Configuration/Global/DAS. NAC sends disconnect messages via this method. From 8.31 the wireless controller also supports CoA, which NAC can use as well and which you could perhaps use to put the clients in a captive portal.
Userlevel 2
Andre, did you need additional information regarding configuring this? If so, let me know and I can point you in the right direction. Thanks!
Userlevel 1
I do not see the disconnect attributes in the release notes. The release notes show all the supported RADIUS attributes.
Hi all,

I have approximately the same question as Andre: I would like to disconnect an 802.1X (EAP-PEAP) authenticated wireless user when the corresponding session expires.

I use FreeRADIUS with the "Expiration" attribute for the user, that properly generates a "Session-Timeout" reply-attribute that is sent back to NAS. However, it doesn't seem to be properly interpreted as the user is not disconnected when the session expires.

I don't use NAC, so the EWC directly interacts with FreeRADIUS. Is the "Session-Timeout" interpreted by the EWC (so I am missing something in my config) or is the only solution to rely on RFC3576 (which FreeRADIUS is doing from what I have read, although I never tampered with it myself)?

Thanks in advance for your reply.

Regards.
Userlevel 7
Session-Timeout should work. Can you get a trace of the RADIUS accept packet?

-Doug

Hello Doug,

This is the relevant part of users file on my FreeRADIUS setup:
[code]
expuser Cleartext-Password := "exppasswd", Expiration := "23 May 2014 08:30:00"
        Idle-Timeout = 60, Termination-Action = 1
[/code]
I have expiration module enabled on the authorize section in the sites-enabled/default file.

This is what I get from FreeRADIUS when I do a radtest:
[code]
# radtest expuser exppasswd 127.0.0.1 1812 testing123
Sending Access-Request of id 23 to 127.0.0.1 port 1812
        User-Name = "expuser"
        User-Password = "exppasswd"
        NAS-IP-Address = 127.0.0.1
        NAS-Port = 1812
        Message-Authenticator = 0x00000000000000000000000000000000
rad_recv: Access-Accept packet from host 127.0.0.1 port 1812, id=23, length=38
        Idle-Timeout = 60
        Termination-Action = RADIUS-Request
        Session-Timeout = 512
[/code]
And the output of freeradius -X:
[code]
rad_recv: Access-Request packet from host 127.0.0.1 port 38807, id=119, length=88
        User-Name = "expuser"
        User-Password = "exppasswd"
        NAS-IP-Address = 127.0.0.1
        NAS-Port = 1812
        Message-Authenticator = 0x9cefec4ec23437b14f8b94d0a7630ac2
# Executing section authorize from file /etc/freeradius/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
[files] users: Matched entry expuser at line 207
++[files] returns ok
[expiration] Checking Expiration time: '23 May 2014 08:30:00'
++[expiration] returns ok
++[logintime] returns noop
++[pap] returns updated
Found Auth-Type = PAP
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group PAP {...}
[pap] login attempt with password "exppasswd"
[pap] Using clear text password "exppasswd"
[pap] User authenticated successfully
++[pap] returns ok
# Executing section post-auth from file /etc/freeradius/sites-enabled/default
+- entering group post-auth {...}
++[exec] returns noop
Sending Access-Accept of id 23 to 127.0.0.1 port 38807
        Idle-Timeout = 60
        Termination-Action = RADIUS-Request
        Session-Timeout = 512
Finished request 46.
Going to the next request
Waking up in 4.9 seconds.
Cleaning up request 46 ID 119 with timestamp +457
Ready to process requests.
[/code]
I also tested from my EWC (the FreeRADIUS output is much more verbose so I pasted it there: http://pastebin.com/xFu6AdbL).

I can successfully authenticate before the expiration date and not after (which is great) but the device I connected via the controller is not disconnected when the session expires.

Does that bring any idea up?
Userlevel 7
Have you been able to make any progress on this? I would try including the session-timeout in the return attributes that get included in the RADIUS accept.

-Doug
Userlevel 7
Sorry for the late reply. If you view the client report on the controller, is the client on longer than the 512 seconds?

-Doug
Userlevel 7
Also, unless I missed it, the verbose trace showed the Access-Challenge is where the session-timeout was. I could not find it in the Access-Accept at all. While that should be valid, I have only seen it work when in the Access-Accept from the RADIUS server. If the session time on the controller shows the client connecting after 8 min, we can review the session table on the controller to see if it does have the session-timeout value properly defined, but my guess is it's ignoring it in the challenge and needs to see it in the accept packet.
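The check described in the post above, as an added example that is not part of the thread or of any FreeRADIUS or controller code: it parses captured RADIUS replies and reports which reply type carried Session-Timeout (attribute 27). The two sample packets are constructed with zeroed authenticators, and the function names are hypothetical.

```python
import struct

CODES = {2: "Access-Accept", 3: "Access-Reject", 11: "Access-Challenge"}
SESSION_TIMEOUT = 27  # RADIUS attribute type, 4-byte unsigned integer of seconds

def parse_radius(packet: bytes):
    """Return (code, identifier, {attr_type: [raw values]}) for one RADIUS packet."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if not 20 <= length <= len(packet):
        raise ValueError("Length field does not fit the datagram")
    attrs, pos = {}, 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("malformed attribute length")
        attrs.setdefault(atype, []).append(packet[pos + 2:pos + alen])
        pos += alen
    return code, ident, attrs

def session_timeout_placement(packets):
    """List (reply name, seconds) for every Session-Timeout seen, plus whether
    the Access-Accept itself carried one."""
    seen = []
    for pkt in packets:
        code, _, attrs = parse_radius(pkt)
        for raw in attrs.get(SESSION_TIMEOUT, []):
            if len(raw) != 4:
                raise ValueError("Session-Timeout must be 4 bytes")
            seen.append((CODES.get(code, f"code {code}"), struct.unpack("!I", raw)[0]))
    return seen, any(name == "Access-Accept" for name, _ in seen)

# Constructed replies (zeroed authenticators): a Challenge with Session-Timeout = 512
# and an Accept with only Idle-Timeout = 60, the situation described in the post.
# In a Challenge carrying EAP-Message, RFC 3579 treats Session-Timeout as an EAP
# retransmission hint, not as the session lifetime.
CHALLENGE = bytes.fromhex("0b01001a" + "00" * 16 + "1b0600000200")
ACCEPT = bytes.fromhex("0202001a" + "00" * 16 + "1c060000003c")

if __name__ == "__main__":
    print(session_timeout_placement([CHALLENGE, ACCEPT]))
```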
Regarding this topic, we are seeing the same behaviour: when FreeRADIUS sends "Disconnect-Request (40)", the C25 Controller (v9.21.09.0004) receives the request (we can see it from the traces) but never replies back, and the user session is not terminated.
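For the Disconnect-Request (40), Disconnect-ACK (41) and Disconnect-NAK (42) messages discussed in this thread, the following added example (not code from the thread, FreeRADIUS or the controller) builds a request with the RFC 3576 Request Authenticator, applies the receiver-side check with a possibly different shared secret, and validates a reply. It assumes, as is usual for RADIUS, that a request failing this check is dropped without a reply; the session identifier is constructed and the function names are hypothetical.

```python
import hashlib
import hmac
import struct

DISCONNECT_REQUEST, DISCONNECT_ACK, DISCONNECT_NAK = 40, 41, 42
USER_NAME, ACCT_SESSION_ID = 1, 44  # standard RADIUS attribute types

def _attr(atype: int, value: bytes) -> bytes:
    return bytes([atype, len(value) + 2]) + value

def _digest(head: bytes, auth: bytes, attrs: bytes, secret: bytes) -> bytes:
    # MD5(Code + Identifier + Length + 16-octet authenticator field + Attributes + secret)
    return hashlib.md5(head + auth + attrs + secret).digest()

def build_disconnect_request(ident, secret, user_name, acct_session_id):
    """Disconnect-Request identifying one session by User-Name and Acct-Session-Id."""
    attrs = _attr(USER_NAME, user_name) + _attr(ACCT_SESSION_ID, acct_session_id)
    head = struct.pack("!BBH", DISCONNECT_REQUEST, ident, 20 + len(attrs))
    # The Request Authenticator is computed over 16 zero octets, as for Accounting-Request.
    return head + _digest(head, b"\x00" * 16, attrs, secret) + attrs

def nas_accepts(request: bytes, nas_secret: bytes) -> bool:
    """The check the receiving side applies with its own copy of the shared secret."""
    length = struct.unpack("!H", request[2:4])[0]
    want = _digest(request[:4], b"\x00" * 16, request[20:length], nas_secret)
    return hmac.compare_digest(want, request[4:20])

def build_reply(code, request, secret, attrs=b""):
    """Reply whose Response Authenticator is bound to the request's authenticator."""
    head = struct.pack("!BBH", code, request[1], 20 + len(attrs))
    return head + _digest(head, request[4:20], attrs, secret) + attrs

def classify_reply(reply, request, secret):
    """Return 'Disconnect-ACK', 'Disconnect-NAK' or 'invalid'."""
    code, ident, length = struct.unpack("!BBH", reply[:4])
    want = _digest(reply[:4], request[4:20], reply[20:length], secret)
    if ident != request[1] or not hmac.compare_digest(want, reply[4:20]):
        return "invalid"
    names = {DISCONNECT_ACK: "Disconnect-ACK", DISCONNECT_NAK: "Disconnect-NAK"}
    return names.get(code, "invalid")

if __name__ == "__main__":
    # Secret taken from the radtest command in this thread; session id is constructed.
    req = build_disconnect_request(7, b"testing123", b"expuser", b"constructed-session-01")
    print(nas_accepts(req, b"testing123"), nas_accepts(req, b"other-secret"))
    print(classify_reply(build_reply(DISCONNECT_NAK, req, b"testing123"), req, b"testing123"))
```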
