topic RE: Wireless Radius disconnect in ExtremeWireless (General)

Wireless Radius disconnect

Andre_Brits_Kan — Tue, 12 Nov 2013 19:58:00 GMT

Hi Does the Enterasys Wireless controller (V2110) support the Radius disconnect attributes? Disconnect-Request (40) Disconnect-ACK (41) Disconnect-NAK (42) I have a scenario where clients connect and authenticate via a Radius server. The radius accounting monitors the amount of data used, once the user have reach a specific limit I would like to disconnect the user using radius disconnect messages. Thx

RE: Wireless Radius disconnect

Tamera_Rousseau — Wed, 13 Nov 2013 20:22:00 GMT

Andre, did you need additional information regarding configuring this? If so, let me know and I can point you in the right direction. Thanks!

RE: Wireless Radius disconnect

Jon_Linton — Fri, 15 Nov 2013 03:44:00 GMT

I do not see the disconnect attributes on the release notes. The release notes show all the supported RADIUS attributes.

RE: Wireless Radius disconnect

gherbiet — Tue, 20 May 2014 13:43:00 GMT

Hi all,

I have approximately the same question as Andre : I would like to disconnect a 802.1X (EAP-PEAP) authenticated wireless user when the corresponding session expires.

I use FreeRADIUS with the "Expiration" attribute for the user, that properly generates a "Session-Timeout" reply-attribute that is sent back to NAS. However, it doesn't seem to be properly interpreted as the user is not disconnected when the session expires.

I don't use NAC so EWC directly interacts with FreeRADIUS. Is the "Session-Timeout" interpreted by the EWC (so I am missing something in my config) or is the only solution to rely on RFC3576 (which FreeRADIUS is doing from what I have read, although I never tempered with it myself)?

Thanks in advance for your reply.

Regards.

RE: Wireless Radius disconnect

Doug — Thu, 22 May 2014 16:58:00 GMT

Session-Timeout should work. Can you get a trace of the RADIUS accept packet?

-Doug

RE: Wireless Radius disconnect

gherbiet — Fri, 23 May 2014 11:43:00 GMT

Hello Doug,

This is the relevant part of users file on my FreeRADIUS setup:
expuser Cleartext-Password := "exppasswd", Expiration := "23 May 2014 08:30:00" Idle-Timeout = 60, Termination-Action = 1
I have expiration module enabled on the authorize section in the sites-enabled/default file.

This is what I get from FreeRADIUS when I do a radtest:
# radtest expuser exppasswd 127.0.0.1 1812 testing123Sending Access-Request of id 23 to 127.0.0.1 port 1812
User-Name = "expuser"
User-Password = "exppasswd"
NAS-IP-Address = 127.0.0.1
NAS-Port = 1812
Message-Authenticator = 0x00000000000000000000000000000000
rad_recv: Access-Accept packet from host 127.0.0.1 port 1812, id=23, length=38
Idle-Timeout = 60
Termination-Action = RADIUS-Request
Session-Timeout = 512And the output of freeradius -X:
ad_recv: Access-Request packet from host 127.0.0.1 port 38807, id=119, length=88 User-Name = "expuser"
User-Password = "exppasswd"
NAS-IP-Address = 127.0.0.1
NAS-Port = 1812
Message-Authenticator = 0x9cefec4ec23437b14f8b94d0a7630ac2
# Executing section authorize from file /etc/freeradius/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
[files] users: Matched entry expuser at line 207
++[files] returns ok
[expiration] Checking Expiration time: '23 May 2014 08:30:00'
++[expiration] returns ok
++[logintime] returns noop
++[pap] returns updated
Found Auth-Type = PAP
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group PAP {...}
[pap] login attempt with password "exppasswd"
[pap] Using clear text password "exppasswd"
[pap] User authenticated successfully
++[pap] returns ok
# Executing section post-auth from file /etc/freeradius/sites-enabled/default
+- entering group post-auth {...}
++[exec] returns noop
Sending Access-Accept of id 23 to 127.0.0.1 port 38807
Idle-Timeout = 60
Termination-Action = RADIUS-Request
Session-Timeout = 512
Finished request 46.
Going to the next request
Waking up in 4.9 seconds.
Cleaning up request 46 ID 119 with timestamp +457
Ready to process requests.
I also tested from my EWC (the FreeRADIUS output is much more verbose so I pasted it there : http://pastebin.com/xFu6AdbL

I can successfully authenticate before the expiration date and not after (which is great) but the device I connected via the controller is not disconnected when the session expires.

Does that bring any idea up?

RE: Wireless Radius disconnect

Doug — Fri, 23 May 2014 11:43:00 GMT

Have you been able to make any progress on this? I would try including the session-timeout in the return attributes that get included in the RADIUS accept.

-Doug

RE: Wireless Radius disconnect

Doug — Tue, 27 May 2014 22:00:00 GMT

Sorry for the late reply, If you view the client report on the controller is the client on longer than the 512 seconds?

-Doug

RE: Wireless Radius disconnect

Doug — Tue, 27 May 2014 22:44:00 GMT

Also unless I missed it, the verbose trace showed the Access-Challenge is where the session-timeout was. I could not find it in the Access-Accept at all. While that should be valid, I have only seen it work when in the Access-Accept from the RADIUS server. If the session time on the controller shows the client connecting after 8 min we can review the session table on the controller to see if it does have the session-timeout value properly defined but my guess is it's ignoring it in the challenge and needs to see it in the accept packet.

RE: Wireless Radius disconnect

Emre_Kurtman — Thu, 26 May 2016 15:43:00 GMT

Regarding this topic, we are seeing the same behaviour when freeradius sends "Disconnect-Request (40)" the C25 Controller (v9.21.09.0004) receives the request we can see it from the traces but never replies back and the user session is not terminated.