Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

How to set Expiration-time for a guest

  • 1.  How to set Expiration-time for a guest

    Posted Sep 01, 2015 07:07 AM

    Hi all, I'd need to know if it is possible to set an expiration time (relative as hours/minutes or absolute as a datetime) for a guest user authenticated by RADIUS. I've checked and found an "Expiration" attribute among radius-attributes supported (#show aaa radius-attributes): this attribute is defined with a type "Date" and is 21-bytes long.

    Can I define it on my RADIUS server and pass it back to the controller in order to set an expiration datetime on a guest-user basis?

    How must this field be formatted/structured?

    Thanks in advance for your help.



  • 2.  RE: How to set Expiration-time for a guest

    EMPLOYEE
    Posted Sep 01, 2015 07:09 AM
    What RADIUS server are you using? You'd need some type of guest functionality on that server to enforce the guest expiration. Session-timeout will only stop the active session.


    Thanks,
    Tim


  • 3.  RE: How to set Expiration-time for a guest

    Posted Sep 01, 2015 07:20 AM

    Hi Tim, I'm in a project phase and I haven't decided the RADIUS yet, I'm free to choose what I want. If you can suggest a server with guest functionality it would be good.

    Actually I can't figure how session timeout and guest expiration can work together... What I need is to create a guest in the RADIUS DB specifying an expiration date (for example 2015-01-01 07:00pm) and be sure that the user will not be able to login after that time... mmmm thinking about it I'm realizing that the problem can be completely managed internally at the RADIUS. After 7:00pm the access request is simply rejected! The only thing left open is how to force the controller to disconnect the user at 7:00pm... maybe by session-timeout?



  • 4.  RE: How to set Expiration-time for a guest

    EMPLOYEE
    Posted Sep 01, 2015 07:31 AM
    ClearPass would be the recommended solution.



    Your RADIUS server needs a guest database to track expiration time. You can
    send back a session timeout that calculates expiration minus now, but that
    wouldn't prevent the user from reauthenticating. You need a solution that
    can expire accounts.


  • 5.  RE: How to set Expiration-time for a guest
    Best Answer

    Posted Sep 01, 2015 09:25 AM

    Thank you Tim for your really precious advice...

    ClearPass was my first thought but we don't have the budget for it:-(

    A possible solution could rely on Session Timeout (calculated as expiration-datetime minus now-datetime as you suggested) passed back with a VSA from RADIUS to Controller AND a local check on the RADIUS that rejects access-requests sent after expiration-time. In other words the RADIUS should be configured to:

    a) reject access-requests "outside" the guest account validity interval (before the beginning and after the end)

    b) accept access-requests "inside" the guest account validity interval (after the beginning and before the end). In this case the RADIUS calculates the Session-Timeout and instructs the controller to "clear" the session accordingly (exactly at expiration time).

    Once the guest user tries to connect again it's rejected because of a).

    Does it make sense to you?
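
The authorization decision described in a) and b) above, as an added sketch that is not part of the original thread and not code from any RADIUS product. It assumes the password check has already succeeded; `GuestAccount`, `authorize` and the sample record are hypothetical names, and the reply is a plain dict rather than a real server API. Session-Timeout is the standard RADIUS attribute and Aruba-User-Role is the Aruba VSA used here for the role.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

UINT32_MAX = 2**32 - 1  # Session-Timeout (RFC 2865, attribute 27) is a 32-bit integer
REJECT = {"code": "Access-Reject"}


@dataclass(frozen=True)
class GuestAccount:  # hypothetical guest-database record
    username: str
    valid_from: datetime   # timezone-aware start of validity
    valid_until: datetime  # timezone-aware expiration
    role: str              # controller role to hand back
    enabled: bool = True


def authorize(account: Optional[GuestAccount], now: datetime) -> dict:
    """Build the RADIUS reply for a guest whose credentials already verified."""
    if account is None or not account.enabled:
        return dict(REJECT)  # unknown or disabled account
    if any(d.tzinfo is None for d in (now, account.valid_from, account.valid_until)):
        # Mixing naive local times with UTC silently shifts the expiry.
        raise ValueError("compare timezone-aware datetimes only")
    # a) outside the validity interval: reject, which also blocks re-authentication
    if now < account.valid_from or now >= account.valid_until:
        return dict(REJECT)
    # b) inside the interval: the session must end at the expiration time
    remaining = int((account.valid_until - now).total_seconds())
    if remaining < 1:  # under one second left would truncate to 0
        return dict(REJECT)
    return {
        "code": "Access-Accept",
        "Session-Timeout": min(remaining, UINT32_MAX),
        "Aruba-User-Role": account.role,
    }


# Constructed sample record: valid 09:00 to 19:00 UTC on 2015-09-01.
SAMPLE_GUEST = GuestAccount(
    username="guest01",
    valid_from=datetime(2015, 9, 1, 9, 0, tzinfo=timezone.utc),
    valid_until=datetime(2015, 9, 1, 19, 0, tzinfo=timezone.utc),
    role="guest",
)
```

Because the timeout is recomputed on every accept, a guest who reconnects at 18:30 gets 1800 seconds rather than a fresh full-length session.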

       



  • 6.  RE: How to set Expiration-time for a guest

    EMPLOYEE
    Posted Sep 01, 2015 09:28 AM
    Yes, although the easier method would be to just set the accounts to disable
    after they expire thus causing a reject.


  • 7.  RE: How to set Expiration-time for a guest

    Posted Sep 01, 2015 09:33 AM

    Good, we can disable or remove from database.

    Are you sure that Session-Timeout will force the controller to unconditionally stop the session, regardless of its activity state?

    A last question: can you confirm that I can pass back from RADIUS to Controller (via a specific VSA) the Role a guest-user must be assigned to?

    Thanks in advance.

     



  • 8.  RE: How to set Expiration-time for a guest
    Best Answer

    EMPLOYEE
    Posted Sep 01, 2015 09:34 AM
    Yes and yes.


  • 9.  RE: How to set Expiration-time for a guest

    Posted Sep 01, 2015 09:39 AM

    Thank you Tim!

    I gave you Kudo.

    Regards.