How to disconnect users from the network with FreeRadius
-
Hello, I currently manage a server with VLANs and RADIUS for authentication, but I want specific computers to lose access to the network outside a certain time-frame. The problem is that with the "Possible login time" the user does manage to authenticate in the time window I specified, but if the user is already authenticated and the "possible login time" is exceeded, the user stays authenticated for as long as the cable is connected.
I want to somehow "kick" a user from the network when he is outside the time window. I thought the session timeout would work, but it doesn't seem to affect it.
Would really appreciate any directions on what to do.
-
How exactly do you have this setup with pfSense?
Steve
-
@stephenw10 Well, I didn't make the setup (I may need some clarification about the "have this setup with pfSense" question), but I continue maintaining it.
Basically, I have a computer working as a router running pfSense, where I have the FreeRADIUS service as the authenticator, and 3 Cisco managed switches.
When a device is authenticated (based on its MAC), I can see "LOGIN OK" in the system logs and the user instantly gets assigned an IP based on its VLAN. What I want is to limit the time, say between 6 am and 6 pm, during which the user will have access. I thought this could be done through RADIUS, but it appears to me the "possible login time" will only allow login (connecting) devices in this time window, but won't bother disconnecting them. Unless there is a way to forcefully disconnect a user based on RADIUS authentication, or be it re-authentication. The network holds around 20 computers, but I need this time limit only for 3 specific computers.
-
Ah OK, so 802.1x auth at the switches. In that case I would look at the switch config since that's where the 'session' is opened. That's not something I've tried before, I'm sure someone else here has though.
Steve
-
Login-Time := "Any1630-1700" as a check item would allow them to log in between 4:30 PM & 5 PM but it wouldn't boot them off.
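As an added illustration (not code from this thread, from pfSense or from FreeRADIUS itself), the following parses Login-Time check items in the format shown above and computes the seconds left in the window that contains a given time. That remaining-time value is what FreeRADIUS's rlm_logintime places in the Session-Timeout reply attribute, so a NAS that honours Session-Timeout ends the session when the window closes; a NAS that ignores it is the case where the session outlives the window. The day tokens follow the FreeRADIUS users-file syntax; the function names and the sample timestamps are my own constructions.

```python
import re
from datetime import datetime

# Day tokens used in FreeRADIUS Login-Time check items; datetime.weekday() is Mon=0 .. Sun=6.
_DAYS = {"Mo": {0}, "Tu": {1}, "We": {2}, "Th": {3}, "Fr": {4}, "Sa": {5}, "Su": {6},
         "Wk": {0, 1, 2, 3, 4}, "Any": set(range(7)), "Al": set(range(7))}
_TOKEN = re.compile(r"Mo|Tu|We|Th|Fr|Sa|Su|Wk|Any|Al")
_SPEC = re.compile(r"^((?:Mo|Tu|We|Th|Fr|Sa|Su|Wk|Any|Al)+)(\d{4})-(\d{4})$")


def parse_login_time(value):
    """Split 'Wk0600-1800,Sa0900-1200' into (days, start_minute, end_minute) tuples."""
    windows = []
    for spec in value.split(","):
        m = _SPEC.match(spec.strip())
        if not m:
            raise ValueError(f"unparseable Login-Time spec: {spec!r}")
        days = set()
        for tok in _TOKEN.findall(m.group(1)):
            days |= _DAYS[tok]
        to_min = lambda hhmm: int(hhmm[:2]) * 60 + int(hhmm[2:])
        windows.append((days, to_min(m.group(2)), to_min(m.group(3))))
    return windows


def seconds_remaining(login_time, now):
    """Seconds left in the window containing `now`, or 0 when `now` is outside every window.
    A window whose end is earlier than its start (e.g. Any2200-0600) wraps past midnight."""
    day, minute = now.weekday(), now.hour * 60 + now.minute
    best = 0
    for days, start, end in parse_login_time(login_time):
        if start < end:  # plain same-day window
            inside = day in days and start <= minute < end
            left = (end - minute) * 60 - now.second
        elif day in days and minute >= start:  # wrap: before midnight on a listed day
            inside, left = True, (24 * 60 - minute + end) * 60 - now.second
        else:  # wrap: after midnight, the window started on the previous day
            inside = (day - 1) % 7 in days and minute < end
            left = (end - minute) * 60 - now.second
        if inside:
            best = max(best, left)
    return best


if __name__ == "__main__":
    # Constructed sample: a Monday afternoon against the check item quoted above.
    when = datetime(2024, 1, 15, 16, 45, 0)
    print(seconds_remaining("Any1630-1700", when))  # 900 seconds until 17:00
```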
-
@nogbadthebad To do that, the RADIUS server and the NAS device (switch or AP) need to support and be configured for CoA (Change of Authorization), RFC 5176. I don't know if FreeRADIUS supports this, but I would imagine it does.
-
Mmm, looks like Freeradius does and the pfSense package can create a CoA interface type. I have never seen it used though!
Steve
-
@keyser I tried it with a local user and tested it by testing the auth on the firewall.
Just the time period, not the COA.