[RADIATOR] How to increase session time
Qiu, Dennis
dennis.qiu at davispolk.com
Tue May 6 20:14:47 CDT 2014
Hugh,
I only see sessiontime in my HTTP session. That session is not used by the network devices.
I do not see an attribute such as "Session-Timeout". Do I need to add this attribute to the radius.cfg file? If so, where should I add it?
Following is my radius.cfg. Can you advise?
Thank you
#######################################################################################
# windows.cfg
#
# Example Radiator configuration file.
# This very simple file will allow you to get started with
# a simple system on Windows. You can then add and change features.
# We suggest you start simple, prove to yourself that it
# works and then develop a more complicated configuration.
#
# This example is expected to be installed in
# c:\Program Files\Radiator\radius.cfg
# It will authenticate from a standard users file in
# c:\Program Files\Radiator\users
# it will log debug and other messages to
# c:\Program Files\Radiator\logfile
# and log accounting to a file in
# c:\Program Files\Radiator\detail
# (of course you can change all these by editing this config file if you wish)
#
# It will accept requests from any client and try to handle requests
# for any realm.
# And it will print out what its doing in great detail to the log file.
#
# See radius.cfg for more complete examples of features and
# syntax, and refer to the reference manual for a complete description
# of all the features and syntax.
#
# You should consider this file to be a starting point only
# $Id: windows.cfg,v 1.1 2003/03/27 09:41:28 mikem Exp $
AcctPort 1646,1813
AuthPort 1645,1812
BindAddress 144.211.2.97
#BindAddress 0.0.0.0
DbDir c:/Program Files/Radiator
DictionaryFile %D/dictionary
Foreground 1
LogDir c:/Program Files/Radiator/Logs
#LogFile logfile
LogStdout 1
MaxChildren 0
PidFile %L/radiusd.pid
PmwhoProg /usr/local/sbin/pmwho
SnmpNASErrorTimeout 60
SnmpgetProg /usr/bin/snmpget
SnmpsetProg /usr/bin/snmpset
SnmpwalkProg /usr/bin/snmpwalk
Trace 4
<Client DEFAULT>
DupInterval 0
FramedGroupMaxPortsPerClassC 255
LivingstonHole 2
LivingstonOffs 29
NasType unknown
SNMPCommunity 450dpw$
Secret mysecret
</Client>
<Handler NAS-Identifier=TACACS>
AuthByPolicy ContinueWhileIgnore
<AuthBy GROUP>
AuthByPolicy ContinueUntilAccept
CachePasswordExpiry 86400
EAPAnonymous anonymous
EAPContextTimeout 1000
EAPFAST_PAC_Lifetime 7776000
EAPFAST_PAC_Reprovision 2592000
EAPTLS_MaxFragmentSize 2048
EAPTLS_PEAPVersion 0
EAPTLS_SessionResumption 1
EAPTLS_SessionResumptionLimit 43200
EAPTLS_VerifyDepth 1
Identifier GetUser
PasswordPrompt password
SIPDigestRealm DefaultSipRealm
<AuthBy LSA>
AddToReply tacacsgroup = netadmin
CachePasswordExpiry 86400
Domain ad.dpw.com
DomainController server1
EAPAnonymous anonymous
EAPContextTimeout 1000
EAPFAST_PAC_Lifetime 7776000
EAPFAST_PAC_Reprovision 2592000
EAPTLS_MaxFragmentSize 2048
EAPTLS_PEAPVersion 0
EAPTLS_SessionResumption 1
EAPTLS_SessionResumptionLimit 43200
EAPTLS_VerifyDepth 1
EAPType MSCHAP-V2
Group networking_staff
NoDefault 1
Origin Radiator
PasswordPrompt password
ProcessName IAS
SIPDigestRealm DefaultSipRealm
Source Radiator
UsernameMatchesWithoutRealm 1
Workstation
</AuthBy>
<AuthBy LSA>
AddToReply tacacsgroup = users
CachePasswordExpiry 86400
Domain ad.dpw.com
DomainController dcny003
EAPAnonymous anonymous
EAPContextTimeout 1000
EAPFAST_PAC_Lifetime 7776000
EAPFAST_PAC_Reprovision 2592000
EAPTLS_MaxFragmentSize 2048
EAPTLS_PEAPVersion 0
EAPTLS_SessionResumption 1
EAPTLS_SessionResumptionLimit 43200
EAPTLS_VerifyDepth 1
EAPType MSCHAP-V2
Group networking_guest
NoDefault 1
Origin Radiator
PasswordPrompt password
ProcessName IAS
SIPDigestRealm DefaultSipRealm
Source Radiator
UsernameMatchesWithoutRealm 1
Workstation
</AuthBy>
</AuthBy>
</Handler>
<ServerHTTP >
AuditTrail %D/audit.txt
AuthByPolicy ContinueWhileIgnore
BindAddress 144.211.2.97
DefaultPrivilegeLevel 15
LogMaxLines 500
MaxBufferSize 10000000
Password xxxxxxxxxx
Port 9048
Protocol tcp
SessionTimeout 3600
TLS_ExpectedPeerName .+
Trace 3
Username administrator
<AuthLog FILE>
FailureFormat %l:%U:%P:FAIL
Filename %L/weblog
LogFailure 1
LogSuccess 0
SuccessFormat %l:%U:%P:OK
</AuthLog>
</ServerHTTP>
<Realm DEFAULT>
PreProcessingHook file:"c:\program files\radiator\createavpairs.pl"
#<AuthBy INTERNAL>
# DefaultResult REJECT
# AcctResult ACCEPT
#</AuthBy>
# AcctLogFileName accounting-log
AcctLogFileName %L/%d%m%Ylogfile
AcctLogFileFormat %l:%{User-Name}:%{cisco-cmd}
#AddToRequest Request-Type=Accounting-Request
#AcctLogFileName %D/acct.log
AuthByPolicy ContinueWhileIgnore
AuthBy GetUser
<AuthBy FILE>
CachePasswordExpiry 86400
EAPAnonymous anonymous
EAPContextTimeout 1000
EAPFAST_PAC_Lifetime 7776000
EAPFAST_PAC_Reprovision 2592000
EAPTLS_MaxFragmentSize 2048
EAPTLS_PEAPVersion 0
EAPTLS_SessionResumption 1
EAPTLS_SessionResumptionLimit 43200
EAPTLS_VerifyDepth 1
Filename %D/users
PasswordPrompt password
SIPDigestRealm DefaultSipRealm
</AuthBy>
</Realm>
<ServerTACACSPLUS >
AddToRequest NAS-Identifier=TACACS
AuthorizationTimeout 1200
AuthorizeGroup netadmin permit service=shell cmd\* {priv-lvl=15}
AuthorizeGroup netadmin permit .*
AuthorizeGroup users permit service=shell cmd\* {priv-lvl=1}
AuthorizeGroup users permit .*
AuthorizeGroup guest permit service=shell cmd\* {priv-lvl=0}
AuthorizeGroup DEFAULT deny .*
BindAddress 144.211.2.97
GroupCacheFile %L/radiator-tacacs-usergroup.cache
GroupMemberAttr tacacsgroup
IdleTimeout 1200
MaxBufferSize 100000
PasswordPrompt Password:
Port 49
SingleSession 1
UsernamePrompt Username:
<Log FILE>
Filename %L/tacacs.log
Trace 4
</Log>
</ServerTACACSPLUS>
Dennis Qiu
Information Systems
Davis Polk & Wardwell LLP
450 Lexington Avenue
New York, NY 10017
212 450 5651 tel
dennis.qiu at davispolk.com
________________________________________________________________________________
Confidentiality Note: This email is intended only for the person or entity to which it is addressed and may contain information that is privileged, confidential or otherwise protected from disclosure. Unauthorized use, dissemination, distribution or copying of this email or the information herein or taking any action in reliance on the contents of this email or the information herein, by anyone other than the intended recipient, or an employee or agent responsible for delivering the message to the intended recipient, is strictly prohibited. If you have received this email in error, please notify the sender immediately and destroy the original message, any attachments thereto and all copies. Please refer to the firm's privacy policy located at www.davispolk.com for important information on this policy.
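Added example for the question above (editor's illustration, not part of the original thread and not Radiator's own sample configuration). Session-Timeout is the standard RADIUS reply attribute 27 from RFC 2865, a value in seconds; it is already defined in Radiator's default dictionary, so there is nothing to add to the dictionary, and it is not a global radius.cfg setting. It is returned to the client with AddToReply in the AuthBy or Handler that accepts the user, exactly as the posted file already returns tacacsgroup. The posted file, however, has the network devices coming in through <ServerTACACSPLUS> and <Handler NAS-Identifier=TACACS>, and a TACACS+ client never sees RADIUS reply attributes; for the TACACS+ shell service the equivalents are the timeout= (absolute, minutes) and idletime= (idle, minutes) AV pairs returned in the authorization reply. Both variants are shown below. The values (7200 seconds, 60 and 480 minutes) are assumed, and the space-separated list inside the braces extends the {priv-lvl=15} form the file already uses; check the AuthorizeGroup entry in the Radiator reference manual if your version expects a different separator.

```conf
# Added example, not from the original post or from Radiator's distribution.
# Only the lines that change are shown; the other settings stay as in the posted file.

# 1. RADIUS clients: return Session-Timeout (RFC 2865 attribute 27, seconds)
#    from the AuthBy that accepts the user. AddToReply takes a comma-separated
#    list of attribute = value pairs. 7200 (2 hours) is an assumed value.
<AuthBy LSA>
	AddToReply tacacsgroup = netadmin, Session-Timeout = 7200
	Domain ad.dpw.com
	DomainController server1
	Group networking_staff
	NoDefault 1
	EAPType MSCHAP-V2
</AuthBy>

# 2. TACACS+ clients (the path the posted config actually uses): the device
#    never receives RADIUS reply attributes, so the lifetime has to go into
#    the TACACS+ shell authorization as AV pairs. timeout= is the absolute
#    session limit and idletime= the idle limit, both in minutes; 480 and 60
#    are assumed values. The brace syntax follows the existing {priv-lvl=15}.
<ServerTACACSPLUS>
	AddToRequest NAS-Identifier=TACACS
	AuthorizeGroup netadmin permit service=shell cmd\* {priv-lvl=15 idletime=60 timeout=480}
	AuthorizeGroup netadmin permit .*
	AuthorizeGroup users permit service=shell cmd\* {priv-lvl=1 idletime=60 timeout=480}
	AuthorizeGroup users permit .*
	AuthorizeGroup guest permit service=shell cmd\* {priv-lvl=0}
	AuthorizeGroup DEFAULT deny .*
	GroupMemberAttr tacacsgroup
	Port 49
</ServerTACACSPLUS>
```

Two checks before relying on either change. First, with Trace 4 already set, the logfile shows every reply packet in full, so the Session-Timeout attribute (or the TACACS+ authorization AV pairs in tacacs.log) can be confirmed as actually leaving the server. Second, on a Cisco IOS shell the idle re-login is enforced by the vty line's exec-timeout, which the device applies whether or not the AAA server sends a value, so a device that still re-prompts after this change is most likely applying its own line setting. A longer lifetime also widens the window during which an unattended session on a privilege-level-15 shell stays authenticated, so raise it only as far as the team needs.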
-----Original Message-----
From: Hugh Irvine [mailto:hugh at open.com.au]
Sent: Tuesday, May 06, 2014 9:05 PM
To: Qiu, Dennis
Cc: radiator at open.com.au
Subject: Re: [RADIATOR] How to increase session time
Hello Dennis -
The attribute you want is "Session-Timeout", although you will need to do some testing to verify that your network devices support it.
regards
Hugh
On 7 May 2014, at 08:02, Qiu, Dennis <dennis.qiu at davispolk.com> wrote:
> Support,
>
> Our networking devices use Radiator for authentication. Many times, guys are working on the network devices and they are prompted to authenticate again. It becomes very annoying.
>
> I am wondering which variables I can adjust to increase the session time.
>
> Thank you
>
> Dennis Qiu
> Information Systems
> Davis Polk & Wardwell LLP
> 450 Lexington Avenue
> New York, NY 10017
> 212 450 5651 tel
> dennis.qiu at davispolk.com
>
>
> _______________________________________________
> radiator mailing list
> radiator at open.com.au
> http://www.open.com.au/mailman/listinfo/radiator
--
Hugh Irvine
hugh at open.com.au
Radiator: the most portable, flexible and configurable RADIUS server anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald, Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS, TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP, DIAMETER etc.
Full source on Unix, Windows, MacOSX, Solaris, VMS, NetWare etc.