Hard timeout doesn't work

guntery · Mar 20, 2020, 2:14 PM

Hi all,

I'm about to start from scratch as this feature is not working. Idle timeout works fine.

I gather there is a cron every minute which checks each client. I have made the Hard timeout 5mins.

When I hover over the client in CP status it shows the idle timeout and session but nothing about hard timeout.
Nothing is showing in the logs - I expected a DISCONNECT log

I am using external radius auth. Any ideas how to debug it?

Gertjan · Mar 20, 2020, 2:14 PM

@guntery said in Hard timeout doesn't work:

I gather there is a cron every minute which checks each client.

Correct.
You can even see it :
Access the console, option 8 and type

ps ax | grep 'prune'

Every 60 seconds it executes, checks all connected users, and do what "needs to be done".

But .... if a (the FreeRadius) package is used for your portal instance, then things like hard time out , soft time out (and more) are controlled by radius - so you have to set things up over there.
That is, I'm pretty sure it would work like that.

edit : I tested :

When I set a time out of 5 minutes :

and this suer logs in (it' me) I see a :

after 5 minutes.
It's a SESSION TIMEOUT. Somewhat the same thing as a "DISCONNECT" I guess.
And of course, the user was disconnected.

So, it works ....

guntery · Mar 22, 2020, 9:26 PM

Thanks,
you are correct the idle timeout and hard timeout are ignored. damn!

Is there a command line method to DISCONNECT a user?

Gertjan · Mar 23, 2020, 6:04 AM

@guntery said in Hard timeout doesn't work:

Is there a command line method to DISCONNECT a user?

No one ready right now.
There is a command line script that disconnect all users from all portal instances, published by myself and others in this forum part.

But first, you have visit this GUI page :

Hover your mouse of the dustbind of the user you want to disconnect.
Now, have a look at the second most information shown on your screen :

and there you see how to select the to be disconnected using its "connection ID", the "f273c20eb7b0174c" string in my example.

Now you have everything to do a "SELECT" upon the connected user database, and have it removed.

You'll be needing probably the "pfSense Ultimate Manual**" , to guide you when modifying the PHP command line script file.

** The source code - you have a copy already

guntery · Mar 24, 2020, 2:07 AM

@Gertjan said in Hard timeout doesn't work:

pfSense Ultimate Manual

thanks for that (https://docs.netgate.com/manuals/pfsense/en/latest/the-pfsense-book.pdf)

it shows a little more detail on the hard timeout. And mentions radius. It looks like it actually should work regardless of authentication method...

I found under the CP authentication section there is a Session timeout check box for "Use RADIUS Session-Timeout attributes"

If I disable this the hard timeout works with freeradius! cheers