Question

I have been successful in sending a Packet of Disconnect to the NAS using CoA port 3799 (from the terminal using radclient), but this only works if I can reach the port from the outside network (i.e. if I set up port forwarding from the Internet router to the NAS or put it in a DMZ).

I want to find out if it is possible to disconnect a user session without needing to reach the CoA port. Maybe if there is a way to send reject to the NAS on the interim account updates.

My setup is as follows:

Server Side

- FreeRadius (with dynamic-clients enabled) 2.1.12-4
- MySQL 5.1.69-1 (Used for RadCheck, RadReply, RadAcct and NAS list)
- CentOS 6.4

Client Side

Mikrotik NAS (RB750u)

I would highly appreciate any pointers and advice.

Regards.

Solution

Your NAS may support the Session-Timeout/Idle-Timeout attributes which you can include in the Access-Accept.

These will trigger periodic re-authentication: Session-Timeout after a fixed period, Idle-Timeout after a period of inactivity. Of the two, Session-Timeout is more widely supported.

You may also need to include Terminate-Action for the timeout values to be honoured.

Destroying and recreating sessions may cause disruption for your users so you should check how your NAS and client devices behave in a development environment first.

Other than the aforementioned timeout attributes and a PoD/DM (Packet of Disconnect/Disconnect Message), there is no standards-based method of terminating a user's session.

Licensed under: CC-BY-SA with attribution
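
The following is an added example, not part of the original question or answer. It shows what the timeout attributes from the answer look like on the wire in an Access-Accept, and how the receiving side checks the Response Authenticator before trusting them. Attribute numbers are from RFC 2865, which names type 29 Termination-Action; the shared secret, request authenticator and timeout values are constructed sample data.

```python
import hashlib
import hmac
import struct

# Attribute type numbers from RFC 2865
SESSION_TIMEOUT, IDLE_TIMEOUT, TERMINATION_ACTION = 27, 28, 29
ACCESS_ACCEPT = 2
RADIUS_REQUEST = 1  # Termination-Action value: NAS may re-authenticate on expiry

# Constructed sample data (assumptions, not taken from the page)
SAMPLE_SECRET = b"testing123"
SAMPLE_REQUEST_AUTH = bytes(range(16))  # authenticator of the matching Access-Request

def int_attr(attr_type, value):
    """Encode a 32-bit integer attribute: type, length (always 6), value."""
    return struct.pack("!BBI", attr_type, 6, value)

def build_access_accept(identifier, request_auth, secret, session_timeout, idle_timeout):
    """Server side: Access-Accept carrying the three timeout-related attributes."""
    attrs = (int_attr(SESSION_TIMEOUT, session_timeout)
             + int_attr(IDLE_TIMEOUT, idle_timeout)
             + int_attr(TERMINATION_ACTION, RADIUS_REQUEST))
    header = struct.pack("!BBH", ACCESS_ACCEPT, identifier, 20 + len(attrs))
    # Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    resp_auth = hashlib.md5(header + request_auth + attrs + secret).digest()
    return header + resp_auth + attrs

def parse_and_verify(packet, request_auth, secret):
    """NAS side: verify the authenticator, then return {attr_type: integer value}."""
    if len(packet) < 20:
        raise ValueError("packet shorter than RADIUS header")
    _code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        raise ValueError("length field does not match packet size")
    attrs = packet[20:]
    expected = hashlib.md5(packet[:4] + request_auth + attrs + secret).digest()
    if not hmac.compare_digest(expected, packet[4:20]):
        raise ValueError("bad Response Authenticator")
    values, pos = {}, 0
    while pos < len(attrs):
        if pos + 2 > len(attrs) or attrs[pos + 1] < 2 or pos + attrs[pos + 1] > len(attrs):
            raise ValueError("malformed attribute")
        attr_type, attr_len = attrs[pos], attrs[pos + 1]
        if attr_len == 6:  # integer attributes only; others are skipped
            values[attr_type] = struct.unpack("!I", attrs[pos + 2:pos + 6])[0]
        pos += attr_len
    return values
```
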