Freeradius Session-Timeout

Hi,

I have been trying to set up FreeRADIUS to work with my MikroTik as a NAS. My aim is to have a session time limit per user. Users can now log in. Session time limiting is working on the RADIUS server: it rejects the user when the time limit is reached. However, my problem is that the NAS does not receive Session-Timeout from the RADIUS server. Therefore it does not terminate the active session when the time limit is reached.

It seems like MikroTik dropped the Session-Timeout. eap_peap : Got tunneled reply code 11

What should I do?

Does it have to do with enabling connection termination on my NAS? http://wiki.mikrotik.com/wiki/Manual:RADIUS_Client#Connection_Terminating_from_RADIUS

This is my radiusd -X

Sending Access-Challenge of id 155 from 10.1.1.2 port 135 to 27.33.228.125 port 45095
	Session-Timeout := 600
	Idle-Timeout := 30
	EAP-Message = 0x010200061920
	Message-Authenticator = 0x00000000000000000000000000000000
	State = 0xb77514c3b6770d58e310744eea16afdc
(1) Finished request 1.

(8)   [pap] = noop
(8)  } #  authorize = updated
(8) Found Auth-Type = EAP
(8) # Executing group from file /etc/freeradius/sites-enabled/inner-tunnel
(8)   authenticate {
(8) eap : Expiring EAP session with state 0x7b061f337b0e0549
(8) eap : Finished EAP session with state 0x7b061f337b0e0549
(8) eap : Previous EAP request found for state 0x7b061f337b0e0549, released from the list
(8) eap : Peer sent MSCHAPv2 (26)
(8) eap : EAP MSCHAPv2 (26)
(8) eap : Calling eap_mschapv2 to process EAP data
(8) eap_mschapv2 : # Executing group from file /etc/freeradius/sites-enabled/inner-tunnel
(8) eap_mschapv2 :  Auth-Type MS-CHAP {
(8) mschap : Found Cleartext-Password, hashing to create LM-Password
(8) mschap : Found Cleartext-Password, hashing to create NT-Password
(8) mschap : Creating challenge hash with username: bob
(8) mschap : Client is using MS-CHAPv2 for bob, we need NT-Password
(8) mschap : adding MS-CHAPv2 MPPE keys
(8)   [mschap] = ok
(8)  } # Auth-Type MS-CHAP = ok
MSCHAP Success 
(8) eap : New EAP session, adding 'State' attribute to reply 0x7b061f337a0f0549
(8)   [eap] = handled
(8)  } #  authenticate = handled
} # server inner-tunnel
(8) eap_peap : Got tunneled reply code 11
	Session-Timeout := 600
	Idle-Timeout := 30
	EAP-Message = 0x010900331a0308002e533d32374134353837324635433545353846434334433734383546333732324530414444373730393738
	Message-Authenticator = 0x00000000000000000000000000000000
	State = 0x7b061f337a0f0549d125cd93a8b94882
(8) eap_peap : Got tunneled reply RADIUS code 11
	Session-Timeout := 600
	Idle-Timeout := 30
	EAP-Message = 0x010900331a0308002e533d32374134353837324635433545353846434334433734383546333732324530414444373730393738
	Message-Authenticator = 0x00000000000000000000000000000000
	State = 0x7b061f337a0f0549d125cd93a8b94882
(8) eap_peap : Got tunneled Access-Challenge
(8) eap : New EAP session, adding 'State' attribute to reply 0xb77514c3bf7c0d58
(8)   [eap] = handled
(8)  } #  authenticate = handled

Use RouterOS 6.7+ and enable incoming RADIUS request processing on the MikroTik RB, and enable “CoA” support on FreeRADIUS (if it exists).

Thank you for your help.

I don’t know much about CoA. FreeRADIUS supports it. Is it OK if I don’t use it?

I turned on CoA on FreeRADIUS and enabled incoming RADIUS on the NAS. But it is still the same.

Be careful with RADIUS attributes!
Not all RADIUS attributes are supported by MikroTik. Check the attributes in the wiki under RADIUS client.

Verify whether ‘Idle-Timeout’ is supported in PPP connections. I think that it is not supported.
I am sure that the ‘Session-Timeout’ attribute works. You can use the check attribute called ‘Expiration’, whose value is a date (1 jul 2014 13:45:33).

A little progress. But the NAS does not terminate the session when the time limit is reached.

I changed my device authorisation method to EAP-TTLS, and Session-Timeout is now received on the NAS (MikroTik). I set Session-Timeout = 300 (5 mins). But my device can still stay connected after 5 mins.

What do I do now?

I am using RouterOS v5.24. Is it ok?

I upgraded to v6.12. It still does not work. Do I need to install some packages or enable some service? I have taken a screenshot of my current packages.

I think I know what the problem is now.

I have not set up PPP on my NAS. http://wiki.mikrotik.com/wiki/Manual:PPP_AAA
Is this correct? If it is, can someone point me to a good tutorial about it?

Hi,

It finally worked. I had to configure my FreeRADIUS. This is the work I did.

It only works for EAP-TTLS. EAP-PEAP still does not send Session-Timeout in Access-Accept.

vi eap in /etc/freeradius/mods-enabled

use_tunneled_reply = yes for everything.

Thank you for helping me.

Jake He
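
A quick way to check the symptom discussed in this thread, as an added example that is not part of any post: the script below scans `radiusd -X` output in the format shown above and lists every Access-Accept the server sent without `Session-Timeout`. The function names, the sample log and its addresses are constructed for illustration.

```python
import re

# "Sending <type> of id <n> ..." opens a sent packet; its attributes follow, indented.
SEND_RE = re.compile(r"^Sending (?P<type>[\w-]+) of id (?P<id>\d+) ")
ATTR_RE = re.compile(r"^\s+(?P<name>[\w-]+)\s*:?=\s*(?P<value>.+?)\s*$")

# Constructed sample: attributes set inside the tunnel, one Accept without them.
SAMPLE = """\
Sending Access-Challenge of id 155 from 10.1.1.2 port 1812 to 192.0.2.10 port 45095
\tSession-Timeout := 600
\tIdle-Timeout := 30
(1) Finished request 1.
(8) eap_peap : Got tunneled reply code 2
\tSession-Timeout := 600
Sending Access-Accept of id 162 from 10.1.1.2 port 1812 to 192.0.2.10 port 45095
\tUser-Name = "bob"
\tEAP-Message = 0x03090004
(9) Finished request 9.
Sending Access-Accept of id 170 from 10.1.1.2 port 1812 to 192.0.2.10 port 45095
\tUser-Name = "bob"
\tSession-Timeout = 300
"""

def sent_packets(debug_text):
    """Return the packets the server sent, each with its attribute dict."""
    packets, current = [], None
    for line in debug_text.splitlines():
        m = SEND_RE.match(line)
        if m:
            current = {"type": m["type"], "id": int(m["id"]), "attrs": {}}
            packets.append(current)
            continue
        # Indented lines only count while we are inside a "Sending" block;
        # tunneled-reply attributes logged by eap_peap are deliberately ignored.
        a = ATTR_RE.match(line) if current is not None else None
        if a:
            current["attrs"][a["name"]] = a["value"]
        else:
            current = None
    return packets

def accepts_missing(debug_text, attribute="Session-Timeout"):
    """IDs of Access-Accept packets that reached the NAS without `attribute`."""
    return [p["id"] for p in sent_packets(debug_text)
            if p["type"] == "Access-Accept" and attribute not in p["attrs"]]

if __name__ == "__main__":
    print("Access-Accept without Session-Timeout:", accepts_missing(SAMPLE))
```

An empty list means every Access-Accept carried the attribute, so any remaining failure to disconnect is on the NAS side rather than in the tunneled-reply handling.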

Hi,
I'm facing the same problem here. Could you share the content of configuration files to resolve this case?

I've tried a few changes, but they only work with local file-based user authentication. I'd like it to work with MySQL-based user authentication.

Thank you so much.

The following is some information about my environment:

  0. FreeRADIUS version: 2.2.8

  1. Backend for user credentials: MySQL.

  2. /etc/freeradius/eap.conf
    https://paste.ubuntu.com/p/2QTZXxSJJx/

  3. /etc/freeradius/site-enabled/default
    https://paste.ubuntu.com/p/MZvW8Yk7c2/

  4. /etc/freeradius/site-enabled/inner-tunnel
    https://paste.ubuntu.com/p/QqWWv3875q/