Hard timeout doesn't work

  • Hi all,

    I'm about to start from scratch as this feature is not working. Idle timeout works fine.

    I gather there is a cron every minute which checks each client. I have made the Hard timeout 5mins.

    When I hover over the client in CP status it shows the idle timeout and session but nothing about hard timeout.
    Nothing is showing in the logs - I expected a DISCONNECT log

    I am using external radius auth. Any ideas how to debug it?

  • @guntery said in Hard timeout doesn't work:

    I gather there is a cron every minute which checks each client.

    You can even see it :
    Access the console, option 8 and type

    ps ax | grep 'prune'

    Every 60 seconds it executes, checks all connected users, and do what "needs to be done".

    But .... if a (the FreeRadius) package is used for your portal instance, then things like hard time out , soft time out (and more) are controlled by radius - so you have to set things up over there.
    That is, I'm pretty sure it would work like that.

    edit : I tested :

    When I set a time out of 5 minutes :


    and this suer logs in (it' me) I see a :


    after 5 minutes.
    It's a SESSION TIMEOUT. Somewhat the same thing as a "DISCONNECT" I guess.
    And of course, the user was disconnected.

    So, it works ....

  • Thanks,
    you are correct the idle timeout and hard timeout are ignored. damn!

    Is there a command line method to DISCONNECT a user?

  • @guntery said in Hard timeout doesn't work:

    Is there a command line method to DISCONNECT a user?

    No one ready right now.
    There is a command line script that disconnect all users from all portal instances, published by myself and others in this forum part.

    But first, you have visit this GUI page :


    Hover your mouse of the dustbind of the user you want to disconnect.
    Now, have a look at the second most information shown on your screen :


    and there you see how to select the to be disconnected using its "connection ID", the "f273c20eb7b0174c" string in my example.

    Now you have everything to do a "SELECT" upon the connected user database, and have it removed.

    You'll be needing probably the "pfSense Ultimate Manual**" , to guide you when modifying the PHP command line script file.

    ** The source code - you have a copy already

  • @Gertjan said in Hard timeout doesn't work:

    pfSense Ultimate Manual

    thanks for that (https://docs.netgate.com/manuals/pfsense/en/latest/the-pfsense-book.pdf)

    it shows a little more detail on the hard timeout. And mentions radius. It looks like it actually should work regardless of authentication method...

    I found under the CP authentication section there is a Session timeout check box for "Use RADIUS Session-Timeout attributes"

    If I disable this the hard timeout works with freeradius! cheers

Log in to reply