Wireless Radius disconnect

Andre_Brits_Kan
Contributor II
Hi, does the Enterasys Wireless controller (V2110) support the Radius disconnect attributes: Disconnect-Request (40), Disconnect-ACK (41), Disconnect-NAK (42)? I have a scenario where clients connect and authenticate via a Radius server. The radius accounting monitors the amount of data used; once the user has reached a specific limit I would like to disconnect the user using radius disconnect messages. Thx

Emre_Kurtman
Extreme Employee
Regarding this topic, we are seeing the same behaviour: when freeradius sends "Disconnect-Request (40)", the C25 Controller (v9.21.09.0004) receives the request (we can see it in the traces) but never replies back, and the user session is not terminated.
Emre Kurtman Technical Marketing Engineer / Extreme Networks
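
For reading traces like the ones mentioned above, an added example (not from any poster, and not FreeRADIUS or controller code) of how an RFC 5176 Disconnect-Request is built and how a Disconnect-ACK/NAK reply is validated against it. The shared secret, user name, session ID and function names are constructed for illustration.

```python
import hashlib
import hmac
import struct

DISCONNECT_REQUEST, DISCONNECT_ACK, DISCONNECT_NAK = 40, 41, 42
USER_NAME, ACCT_SESSION_ID, ERROR_CAUSE = 1, 44, 101

def encode_attrs(attrs):
    """Encode (type, bytes) pairs as RADIUS TLVs (length includes the 2-byte header)."""
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)

def build_packet(code, ident, attrs, secret, request_auth=bytes(16)):
    """Requests hash 16 zero octets; replies hash the request's authenticator."""
    body = encode_attrs(attrs)
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    auth = hashlib.md5(header + request_auth + body + secret).digest()
    return header + auth + body

def check_reply(request, reply, secret):
    """Return (verdict, error_cause) for a reply to a Disconnect-Request."""
    if len(reply) < 20:
        return "malformed-or-mismatched", None
    code, ident, length = struct.unpack("!BBH", reply[:4])
    if length != len(reply) or ident != request[1]:
        return "malformed-or-mismatched", None
    body = reply[20:]
    expected = hashlib.md5(reply[:4] + request[4:20] + body + secret).digest()
    if not hmac.compare_digest(expected, reply[4:20]):
        return "bad-authenticator", None
    cause, i = None, 0
    while i + 2 <= len(body):
        t, l = body[i], body[i + 1]
        if l < 2 or i + l > len(body):
            return "malformed-or-mismatched", None
        if t == ERROR_CAUSE and l == 6:
            cause = struct.unpack("!I", body[i + 2:i + 6])[0]
        i += l
    verdict = {DISCONNECT_ACK: "ack", DISCONNECT_NAK: "nak"}.get(code, "unexpected-code")
    return verdict, cause

# Constructed sample values, not taken from the thread.
SECRET = b"example-secret"
REQ = build_packet(DISCONNECT_REQUEST, 7,
                   [(USER_NAME, b"alice"), (ACCT_SESSION_ID, b"sess-0001")], SECRET)
NAK = build_packet(DISCONNECT_NAK, 7,
                   [(ERROR_CAUSE, struct.pack("!I", 503))], SECRET, REQ[4:20])
```

Error-Cause 503 in the sample NAK is the RFC 5176 value for "Session Context Not Found".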

Doug
Extreme Employee
Also unless I missed it, the verbose trace showed the Access-Challenge is where the session-timeout was. I could not find it in the Access-Accept at all. While that should be valid, I have only seen it work when in the Access-Accept from the RADIUS server. If the session time on the controller shows the client connecting after 8 min we can review the session table on the controller to see if it does have the session-timeout value properly defined but my guess is it's ignoring it in the challenge and needs to see it in the accept packet.

Doug Hyde
Director, Technical Support / Extreme Networks

Doug
Extreme Employee
Sorry for the late reply. If you view the client report on the controller, is the client on longer than the 512 seconds?

-Doug
Doug Hyde
Director, Technical Support / Extreme Networks

gherbiet
New Contributor II
Hello Doug,

This is the relevant part of users file on my FreeRADIUS setup:
expuser Cleartext-Password := "exppasswd", Expiration := "23 May 2014 08:30:00"
        Idle-Timeout = 60, Termination-Action = 1
I have the expiration module enabled in the authorize section in the sites-enabled/default file.

This is what I get from FreeRADIUS when I do a radtest:
# radtest expuser exppasswd 127.0.0.1 1812 testing123
Sending Access-Request of id 23 to 127.0.0.1 port 1812
User-Name = "expuser"
User-Password = "exppasswd"
NAS-IP-Address = 127.0.0.1
NAS-Port = 1812
Message-Authenticator = 0x00000000000000000000000000000000
rad_recv: Access-Accept packet from host 127.0.0.1 port 1812, id=23, length=38
Idle-Timeout = 60
Termination-Action = RADIUS-Request
Session-Timeout = 512

And the output of freeradius -X:
rad_recv: Access-Request packet from host 127.0.0.1 port 38807, id=119, length=88
User-Name = "expuser"
User-Password = "exppasswd"
NAS-IP-Address = 127.0.0.1
NAS-Port = 1812
Message-Authenticator = 0x9cefec4ec23437b14f8b94d0a7630ac2
# Executing section authorize from file /etc/freeradius/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
[files] users: Matched entry expuser at line 207
++[files] returns ok
[expiration] Checking Expiration time: '23 May 2014 08:30:00'
++[expiration] returns ok
++[logintime] returns noop
++[pap] returns updated
Found Auth-Type = PAP
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group PAP {...}
[pap] login attempt with password "exppasswd"
[pap] Using clear text password "exppasswd"
[pap] User authenticated successfully
++[pap] returns ok
# Executing section post-auth from file /etc/freeradius/sites-enabled/default
+- entering group post-auth {...}
++[exec] returns noop
Sending Access-Accept of id 23 to 127.0.0.1 port 38807
Idle-Timeout = 60
Termination-Action = RADIUS-Request
Session-Timeout = 512
Finished request 46.
Going to the next request
Waking up in 4.9 seconds.
Cleaning up request 46 ID 119 with timestamp +457
Ready to process requests.
I also tested from my EWC (the FreeRADIUS output is much more verbose so I pasted it there: http://pastebin.com/xFu6AdbL)

I can successfully authenticate before the expiration date and not after (which is great) but the device I connected via the controller is not disconnected when the session expires.

Does that bring any idea up?