Hard timeout doesn't work



  • Hi all,

    I'm about to start from scratch as this feature is not working. Idle timeout works fine.

    I gather there is a cron every minute which checks each client. I have made the Hard timeout 5mins.

    When I hover over the client in CP status it shows the idle timeout and session but nothing about hard timeout.
    Nothing is showing in the logs - I expected a DISCONNECT log

    I am using external radius auth. Any ideas how to debug it?



  • @guntery said in Hard timeout doesn't work:

    I gather there is a cron every minute which checks each client.

    Correct.
    You can even see it :
    Access the console, option 8 and type

    ps ax | grep 'prune'
    

    Every 60 seconds it executes, checks all connected users, and do what "needs to be done".

    But .... if a (the FreeRadius) package is used for your portal instance, then things like hard time out , soft time out (and more) are controlled by radius - so you have to set things up over there.
    That is, I'm pretty sure it would work like that.

    edit : I tested :

    When I set a time out of 5 minutes :

    fe2409e8-89b2-4f33-854f-62c9bbb79582-image.png

    and this suer logs in (it' me) I see a :

    bf45b855-43f2-42ce-a959-1cc52d724dee-image.png

    after 5 minutes.
    It's a SESSION TIMEOUT. Somewhat the same thing as a "DISCONNECT" I guess.
    And of course, the user was disconnected.

    So, it works ....



  • Thanks,
    you are correct the idle timeout and hard timeout are ignored. damn!

    Is there a command line method to DISCONNECT a user?



  • @guntery said in Hard timeout doesn't work:

    Is there a command line method to DISCONNECT a user?

    No one ready right now.
    There is a command line script that disconnect all users from all portal instances, published by myself and others in this forum part.

    But first, you have visit this GUI page :

    5d3b5177-2d78-4e9c-92e1-72860d4b9bd8-image.png

    Hover your mouse of the dustbind of the user you want to disconnect.
    Now, have a look at the second most information shown on your screen :

    8450a23e-4d09-490e-ad63-2042f0cabdc6-image.png

    and there you see how to select the to be disconnected using its "connection ID", the "f273c20eb7b0174c" string in my example.

    Now you have everything to do a "SELECT" upon the connected user database, and have it removed.

    You'll be needing probably the "pfSense Ultimate Manual**" , to guide you when modifying the PHP command line script file.

    ** The source code - you have a copy already



  • @Gertjan said in Hard timeout doesn't work:

    pfSense Ultimate Manual

    thanks for that (https://docs.netgate.com/manuals/pfsense/en/latest/the-pfsense-book.pdf)

    it shows a little more detail on the hard timeout. And mentions radius. It looks like it actually should work regardless of authentication method...

    I found under the CP authentication section there is a Session timeout check box for "Use RADIUS Session-Timeout attributes"

    If I disable this the hard timeout works with freeradius! cheers


Log in to reply