zhex900
Frequent Visitor
Topic Author
Posts: 65
Joined: Mon Apr 15, 2013 5:34 pm

Freeradius Session-Timeout

Wed May 14, 2014 5:12 am

Hi,

I have been trying to set up FreeRADIUS to work with my MikroTik as a NAS. My aim is to have a session time limit per user. Users can now log in. Session time limiting is working on the RADIUS server. The RADIUS server rejects the user when the time limit is reached. However, my problem is that the NAS does not receive Session-Timeout from the RADIUS server. Therefore it does not terminate the active session when the time limit is reached.

It seems like MikroTik dropped the Session-Timeout. eap_peap : Got tunneled reply code 11

What should I do?

Does it have to do with enabling connection termination on my NAS? http://wiki.mikrotik.com/wiki/Manual:RA ... rom_RADIUS

This is my radiusd -X output:
Sending Access-Challenge of id 155 from 10.1.1.2 port 135 to 27.33.228.125 port 45095
	Session-Timeout := 600
	Idle-Timeout := 30
	EAP-Message = 0x010200061920
	Message-Authenticator = 0x00000000000000000000000000000000
	State = 0xb77514c3b6770d58e310744eea16afdc
(1) Finished request 1.

(8)   [pap] = noop
(8)  } #  authorize = updated
(8) Found Auth-Type = EAP
(8) # Executing group from file /etc/freeradius/sites-enabled/inner-tunnel
(8)   authenticate {
(8) eap : Expiring EAP session with state 0x7b061f337b0e0549
(8) eap : Finished EAP session with state 0x7b061f337b0e0549
(8) eap : Previous EAP request found for state 0x7b061f337b0e0549, released from the list
(8) eap : Peer sent MSCHAPv2 (26)
(8) eap : EAP MSCHAPv2 (26)
(8) eap : Calling eap_mschapv2 to process EAP data
(8) eap_mschapv2 : # Executing group from file /etc/freeradius/sites-enabled/inner-tunnel
(8) eap_mschapv2 :  Auth-Type MS-CHAP {
(8) mschap : Found Cleartext-Password, hashing to create LM-Password
(8) mschap : Found Cleartext-Password, hashing to create NT-Password
(8) mschap : Creating challenge hash with username: bob
(8) mschap : Client is using MS-CHAPv2 for bob, we need NT-Password
(8) mschap : adding MS-CHAPv2 MPPE keys
(8)   [mschap] = ok
(8)  } # Auth-Type MS-CHAP = ok
MSCHAP Success 
(8) eap : New EAP session, adding 'State' attribute to reply 0x7b061f337a0f0549
(8)   [eap] = handled
(8)  } #  authenticate = handled
} # server inner-tunnel
(8) eap_peap : Got tunneled reply code 11
	Session-Timeout := 600
	Idle-Timeout := 30
	EAP-Message = 0x010900331a0308002e533d32374134353837324635433545353846434334433734383546333732324530414444373730393738
	Message-Authenticator = 0x00000000000000000000000000000000
	State = 0x7b061f337a0f0549d125cd93a8b94882
(8) eap_peap : Got tunneled reply RADIUS code 11
	Session-Timeout := 600
	Idle-Timeout := 30
	EAP-Message = 0x010900331a0308002e533d32374134353837324635433545353846434334433734383546333732324530414444373730393738
	Message-Authenticator = 0x00000000000000000000000000000000
	State = 0x7b061f337a0f0549d125cd93a8b94882
(8) eap_peap : Got tunneled Access-Challenge
(8) eap : New EAP session, adding 'State' attribute to reply 0xb77514c3bf7c0d58
(8)   [eap] = handled
(8)  } #  authenticate = handled
 
rextended
Forum Guru
Posts: 7004
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy, but my Heart is in Україна

Re: Freeradius Session-Timeout

Thu May 15, 2014 4:02 am

Use RouterOS 6.7+ and enable incoming RADIUS request processing on the MikroTik RB, and enable "CoA" support on FreeRADIUS (if it exists).
 
zhex900
Frequent Visitor
Topic Author
Posts: 65
Joined: Mon Apr 15, 2013 5:34 pm

Re: Freeradius Session-Timeout

Thu May 15, 2014 7:25 am

Thank you for your help.

I don't know much about CoA. FreeRADIUS supports it. Is it OK if I don't use it?
 
zhex900
Frequent Visitor
Topic Author
Posts: 65
Joined: Mon Apr 15, 2013 5:34 pm

Re: Freeradius Session-Timeout

Thu May 15, 2014 10:29 am

I turned on CoA on FreeRADIUS and enabled incoming RADIUS on the NAS. But it is still the same.
 
awacenter
Member Candidate
Posts: 200
Joined: Thu Dec 09, 2004 12:58 pm
Location: Castellón

Re: Freeradius Session-Timeout

Thu May 15, 2014 3:15 pm

Be careful with RADIUS attributes!
Not all RADIUS attributes are supported by MikroTik. Check the attributes in the wiki, under RADIUS client.

Verify whether 'Idle-Timeout' is supported in PPP connections. I think that it is not supported.
I am sure that the 'Session-Timeout' attribute works. You can use the check attribute called 'Expiration', whose value is a date (1 jul 2014 13:45:33).
 
zhex900
Frequent Visitor
Topic Author
Posts: 65
Joined: Mon Apr 15, 2013 5:34 pm

Re: Freeradius Session-Timeout

Thu May 15, 2014 3:52 pm

A little progress. But the NAS does not terminate the session when the time limit is reached.

I changed my device authorisation method to EAP-TTLS, and Session-Timeout is received on the NAS (MikroTik). I set Session-Timeout = 300 (5 mins). But my device can still be connected after 5 mins.

What do I do now?
 
zhex900
Frequent Visitor
Topic Author
Posts: 65
Joined: Mon Apr 15, 2013 5:34 pm

Re: Freeradius Session-Timeout

Thu May 15, 2014 4:00 pm

I am using RouterOS v5.24. Is it ok?
 
zhex900
Frequent Visitor
Topic Author
Posts: 65
Joined: Mon Apr 15, 2013 5:34 pm

Re: Freeradius Session-Timeout

Thu May 15, 2014 4:30 pm

I upgraded to v6.12. It still does not work. Do I need to install some packages or enable some service? I have taken a screenshot of my current packages.
 
zhex900
Frequent Visitor
Topic Author
Posts: 65
Joined: Mon Apr 15, 2013 5:34 pm

Re: Freeradius Session-Timeout

Fri May 16, 2014 3:52 am

I think I know what the problem is now.

I have not set up PPP on my NAS. http://wiki.mikrotik.com/wiki/Manual:PPP_AAA
Is this correct? If it is, can someone point me to a good tutorial concerning it?
 
zhex900
Frequent Visitor
Topic Author
Posts: 65
Joined: Mon Apr 15, 2013 5:34 pm

Re: Freeradius Session-Timeout

Fri May 16, 2014 5:32 pm

Hi,

It finally worked. I had to configure my FreeRADIUS. This is the work I did.

It only works for EAP-TTLS. EAP-PEAP still does not send Session-Timeout in Access-Accept.

vi eap in /etc/freeradius/mods-enabled

use_tunneled_reply = yes for everything.

Thank you for helping me.

Jake He
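
Added example, not part of the original post or of FreeRADIUS: a small Python check over `radiusd -X` output that lists the Access-Accept packets actually sent to the NAS without Session-Timeout. Attributes printed under "Got tunneled reply" are the inner-tunnel reply and are deliberately ignored, since the NAS only sees the outer packet. The sample log, the addresses and the function names are constructed for illustration.

```python
import re

# Constructed sample in the style of `radiusd -X` output (not from the thread).
SAMPLE_DEBUG = """\
(8) eap_peap : Got tunneled reply code 11
\tSession-Timeout := 600
Sending Access-Challenge of id 155 from 10.1.1.2 port 1812 to 192.0.2.10 port 45095
\tSession-Timeout := 600
\tEAP-Message = 0x010200061920
(8) Finished request 8.
Sending Access-Accept of id 156 from 10.1.1.2 port 1812 to 192.0.2.10 port 45095
\tEAP-Message = 0x03090004
\tUser-Name = "bob"
(9) Finished request 9.
Sending Access-Accept of id 157 from 10.1.1.2 port 1812 to 192.0.2.10 port 45095
\tSession-Timeout := 300
\tUser-Name = "alice"
"""

SEND_RE = re.compile(r"^Sending (\S+) of id (\d+)\b")
# Indented "Name op value" lines; op is one of :=, += or =
ATTR_RE = re.compile(r"^\s+([A-Za-z0-9-]+)\s*(?::=|\+=|=)\s*(.+?)\s*$")

def sent_packets(debug_text):
    """Yield (code, id, {attr: value}) for each packet the server sent."""
    current = None
    for line in debug_text.splitlines():
        m = SEND_RE.match(line)
        if m:
            if current:
                yield current
            current = (m.group(1), int(m.group(2)), {})
            continue
        a = ATTR_RE.match(line) if current else None
        if a:
            current[2][a.group(1)] = a.group(2)
        elif current:  # first non-attribute line closes the packet
            yield current
            current = None
    if current:
        yield current

def accepts_missing(debug_text, attr="Session-Timeout"):
    """Return ids of Access-Accept packets sent without `attr`."""
    return [pid for code, pid, attrs in sent_packets(debug_text)
            if code == "Access-Accept" and attr not in attrs]

if __name__ == "__main__":
    print("Access-Accept without Session-Timeout:", accepts_missing(SAMPLE_DEBUG))
```
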
 
manthang
just joined
Posts: 1
Joined: Thu May 10, 2018 7:42 am

Re: Freeradius Session-Timeout

Thu May 10, 2018 7:54 am

Hi,
I'm facing the same problem here. Could you share the content of the configuration files that resolved this case?

I've tried a few changes, but they only work with local file-based user authentication. I'd like it to work with MySQL-based user authentication.

Thank you so much.
---
The following is some information about my environment:
0. FreeRADIUS version: 2.2.8
1. Backend for user credentials: MySQL.

2. /etc/freeradius/eap.conf
https://paste.ubuntu.com/p/2QTZXxSJJx/

3. /etc/freeradius/site-enabled/default
https://paste.ubuntu.com/p/MZvW8Yk7c2/

4. /etc/freeradius/site-enabled/inner-tunnel
https://paste.ubuntu.com/p/QqWWv3875q/
