Wed Feb 20, 2013 12:22 am
I am working on a similar configuration for a customer.
My idea is to have cookies for 12h and sessions for the same time, without idle or keepalive timeouts.
This means that normally an user doesn't need to autetichate for the whole day (it's for an office, so 8 am to 8 pm is enough), but in case something changes the use has just to open browser to any site, it is automatically redirected to login, the cookies makes the magic and he logs in without need to reauthenticate.
I'll use two profiles: 12h (that I name "one day") and 1w1d (that I name "one week"). Who has the "one week" profile needs to authenticate every morning, but not during the day: this is the design. Using longer values for sessions and cookies can cover longer periods, but for the "one day user" this will mean he ca connect the second day, the third and so on until cookie expires, so i set them to the same value as the smaller amount of time i'll give to a user. The 12h trick can be sufficient for me, but I could even set values to 24 hours and delete cookies and active users by script during the night.
What can break this plan is if the ip address of the user changes, for example if dhcp lease is too short. I'll set it at 12h.
I have some more test to do, but as for now it seems ok.
I don't use openradius, so I don't know if there are any specific attribute tu set.