Hello Dennis -
If you want different values for your different user groups, you would put
something like this in your AuthBy LSA clauses:
…..
# Session-Timeout = nnn
# where nnn is the number of seconds
# netadmin
<AuthBy LSA>
AddToReply Session-Timeout = nnn
…..
</AuthBy>
# users
<AuthBy LSA>
AddToReply Session-Timeout = nnn
…..
</AuthBy>
…..
Otherwise if you want the same one for both groups you can do this instead:
…..
<AuthBy GROUP>
AddToReply Session-Timeout = nnn
…..
</AuthBy>
…..
BTW - I am located in Australia, so no need to send your email twice.
regards
Hugh
On 8 May 2014, at 06:35, Qiu, Dennis <[email protected]> wrote:
> Hugh,
>
> Can you let me know where I can put Session-Timeout attribute in my
> radius.cfg file?
>
> Thank you
>
> Dennis Qiu
> Information Systems
> Davis Polk & Wardwell LLP
> 450 Lexington Avenue
> New York, NY 10017
> 212 450 5651 tel
> [email protected]
>
>
> ________________________________________________________________________________
> Confidentiality Note: This email is intended only for the person or entity to
> which it is addressed and may contain information that is privileged,
> confidential or otherwise protected from disclosure. Unauthorized use,
> dissemination, distribution or copying of this email or the information
> herein or taking any action in reliance on the contents of this email or the
> information herein, by anyone other than the intended recipient, or an
> employee or agent responsible for delivering the message to the intended
> recipient, is strictly prohibited. If you have received this email in error,
> please notify the sender immediately and destroy the original message, any
> attachments thereto and all copies. Please refer to the firm's privacy policy
> located at www.davispolk.com for important information on this policy.
>
>
> -----Original Message-----
> From: Qiu, Dennis
> Sent: Tuesday, May 06, 2014 9:15 PM
> To: 'Hugh Irvine'
> Cc: [email protected]
> Subject: RE: [RADIATOR] How to increase session time
>
> Hugh,
>
> I only see sessiontime in my HTTP session. That session is not used by
> network devices.
>
> I do not see any such attribute as "Session-Timeout". Do I need to add this
> attribute to the radius.cfg file? If I need to add it, where should I add it?
>
> Following is my radius.cfg. Can you advise?
>
> Thank you
>
> #######################################################################################
> # windows.cfg
> #
> # Example Radiator configuration file.
> # This very simple file will allow you to get started with
> # a simple system on Windows. You can then add and change features.
> # We suggest you start simple, prove to yourself that it
> # works and then develop a more complicated configuration.
> #
> # This example is expected to be installed in
> # c:\Program Files\Radiator\radius.cfg
> # It will authenticate from a standard users file in
> # c:\Program Files\Radiator\users
> # it will log debug and other messages to
> # c:\Program Files\Radiator\logfile
> # and log accounting to a file in
> # c:\Program Files\Radiator\detail
> # (of course you can change all these by editing this config file if you wish)
> #
> # It will accept requests from any client and try to handle requests
> # for any realm.
> # And it will print out what its doing in great detail to the log file.
> #
> # See radius.cfg for more complete examples of features and
> # syntax, and refer to the reference manual for a complete description
> # of all the features and syntax.
> #
> # You should consider this file to be a starting point only
> # $Id: windows.cfg,v 1.1 2003/03/27 09:41:28 mikem Exp $
>
> AcctPort 1646,1813
> AuthPort 1645,1812
> BindAddress 144.211.2.97
> #BindAddress 0.0.0.0
> DbDir c:/Program Files/Radiator
> DictionaryFile %D/dictionary
> Foreground 1
> LogDir c:/Program Files/Radiator/Logs
> #LogFile logfile
> LogStdout 1
>
> MaxChildren 0
> PidFile %L/radiusd.pid
> PmwhoProg /usr/local/sbin/pmwho
> SnmpNASErrorTimeout 60
> SnmpgetProg /usr/bin/snmpget
> SnmpsetProg /usr/bin/snmpset
> SnmpwalkProg /usr/bin/snmpwalk
> Trace 4
>
> <Client DEFAULT>
> DupInterval 0
> FramedGroupMaxPortsPerClassC 255
> LivingstonHole 2
> LivingstonOffs 29
> NasType unknown
> SNMPCommunity 450dpw$
> Secret mysecret
> </Client>
>
> <Handler NAS-Identifier=TACACS>
> AuthByPolicy ContinueWhileIgnore
>
> <AuthBy GROUP>
> AuthByPolicy ContinueUntilAccept
> CachePasswordExpiry 86400
> EAPAnonymous anonymous
> EAPContextTimeout 1000
> EAPFAST_PAC_Lifetime 7776000
> EAPFAST_PAC_Reprovision 2592000
> EAPTLS_MaxFragmentSize 2048
> EAPTLS_PEAPVersion 0
> EAPTLS_SessionResumption 1
> EAPTLS_SessionResumptionLimit 43200
> EAPTLS_VerifyDepth 1
> Identifier GetUser
> PasswordPrompt password
> SIPDigestRealm DefaultSipRealm
>
> <AuthBy LSA>
> AddToReply tacacsgroup = netadmin
> CachePasswordExpiry 86400
> Domain ad.dpw.com
> DomainController server1
> EAPAnonymous anonymous
> EAPContextTimeout 1000
> EAPFAST_PAC_Lifetime 7776000
> EAPFAST_PAC_Reprovision 2592000
> EAPTLS_MaxFragmentSize 2048
> EAPTLS_PEAPVersion 0
> EAPTLS_SessionResumption 1
> EAPTLS_SessionResumptionLimit 43200
> EAPTLS_VerifyDepth 1
> EAPType MSCHAP-V2
> Group networking_staff
> NoDefault 1
> Origin Radiator
> PasswordPrompt password
> ProcessName IAS
> SIPDigestRealm DefaultSipRealm
> Source Radiator
> UsernameMatchesWithoutRealm 1
> Workstation
> </AuthBy>
>
> <AuthBy LSA>
> AddToReply tacacsgroup = users
> CachePasswordExpiry 86400
> Domain ad.dpw.com
> DomainController dcny003
> EAPAnonymous anonymous
> EAPContextTimeout 1000
> EAPFAST_PAC_Lifetime 7776000
> EAPFAST_PAC_Reprovision 2592000
> EAPTLS_MaxFragmentSize 2048
> EAPTLS_PEAPVersion 0
> EAPTLS_SessionResumption 1
> EAPTLS_SessionResumptionLimit 43200
> EAPTLS_VerifyDepth 1
> EAPType MSCHAP-V2
> Group networking_guest
> NoDefault 1
> Origin Radiator
> PasswordPrompt password
> ProcessName IAS
> SIPDigestRealm DefaultSipRealm
> Source Radiator
> UsernameMatchesWithoutRealm 1
> Workstation
> </AuthBy>
> </AuthBy>
> </Handler>
>
> <ServerHTTP >
> AuditTrail %D/audit.txt
> AuthByPolicy ContinueWhileIgnore
> BindAddress 144.211.2.97
> DefaultPrivilegeLevel 15
> LogMaxLines 500
> MaxBufferSize 10000000
> Password xxxxxxxxxx
> Port 9048
> Protocol tcp
> SessionTimeout 3600
> TLS_ExpectedPeerName .+
> Trace 3
> Username administrator
>
> <AuthLog FILE>
> FailureFormat %l:%U:%P:FAIL
> Filename %L/weblog
> LogFailure 1
> LogSuccess 0
> SuccessFormat %l:%U:%P:OK
> </AuthLog>
> </ServerHTTP>
>
> <Realm DEFAULT>
> PreProcessingHook file:"c:\program files\radiator\createavpairs.pl"
> #<AuthBy INTERNAL>
> # DefaultResult REJECT
> # AcctResult ACCEPT
> #</AuthBy>
> # AcctLogFileName accounting-log
> AcctLogFileName %L/%d%m%Ylogfile
> AcctLogFileFormat %l:%{User-Name}:%{cisco-cmd}
>
> #AddToRequest Request-Type=Accounting-Request
> #AcctLogFileName %D/acct.log
> AuthByPolicy ContinueWhileIgnore
> AuthBy GetUser
>
> <AuthBy FILE>
> CachePasswordExpiry 86400
> EAPAnonymous anonymous
> EAPContextTimeout 1000
> EAPFAST_PAC_Lifetime 7776000
> EAPFAST_PAC_Reprovision 2592000
> EAPTLS_MaxFragmentSize 2048
> EAPTLS_PEAPVersion 0
> EAPTLS_SessionResumption 1
> EAPTLS_SessionResumptionLimit 43200
> EAPTLS_VerifyDepth 1
> Filename %D/users
> PasswordPrompt password
> SIPDigestRealm DefaultSipRealm
> </AuthBy>
> </Realm>
>
> <ServerTACACSPLUS >
> AddToRequest NAS-Identifier=TACACS
> AuthorizationTimeout 1200
> AuthorizeGroup netadmin permit service=shell cmd\* {priv-lvl=15}
> AuthorizeGroup netadmin permit .*
> AuthorizeGroup users permit service=shell cmd\* {priv-lvl=1}
> AuthorizeGroup users permit .*
> AuthorizeGroup guest permit service=shell cmd\* {priv-lvl=0}
> AuthorizeGroup DEFAULT deny .*
> BindAddress 144.211.2.97
> GroupCacheFile %L/radiator-tacacs-usergroup.cache
> GroupMemberAttr tacacsgroup
> IdleTimeout 1200
> MaxBufferSize 100000
> PasswordPrompt Password:
> Port 49
> SingleSession 1
> UsernamePrompt Username:
>
> <Log FILE>
>
> Filename %L/tacacs.log
> Trace 4
> </Log>
> </ServerTACACSPLUS>
>
>
>
> Dennis Qiu
> Information Systems
> Davis Polk & Wardwell LLP
> 450 Lexington Avenue
> New York, NY 10017
> 212 450 5651 tel
> [email protected]
>
>
>
>
> -----Original Message-----
> From: Hugh Irvine [mailto:[email protected]]
> Sent: Tuesday, May 06, 2014 9:05 PM
> To: Qiu, Dennis
> Cc: [email protected]
> Subject: Re: [RADIATOR] How to increase session time
>
>
> Hello Dennis -
>
> The attribute you want is "Session-Timeout", although you will need to do
> some testing to verify that your network devices support it.
>
> regards
>
> Hugh
>
>
> On 7 May 2014, at 08:02, Qiu, Dennis <[email protected]> wrote:
>
>> Support,
>>
>> Our networking devices use Radiator for authentication. Many times, guys are
>> working on the network devices and they are prompted to authenticate again.
>> It becomes very annoying.
>>
>> I am wondering what is the value of variables I can adjust to increase the
>> session time.
>>
>> Thank you
>>
>> Dennis Qiu
>> Information Systems
>> Davis Polk & Wardwell LLP
>> 450 Lexington Avenue
>> New York, NY 10017
>> 212 450 5651 tel
>> [email protected]
>>
>>
>> _______________________________________________
>> radiator mailing list
>> [email protected]
>> http://www.open.com.au/mailman/listinfo/radiator
>
>
> --
>
> Hugh Irvine
> [email protected]
>
> Radiator: the most portable, flexible and configurable RADIUS server
> anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
> Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS, TTLS,
> PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP, DIAMETER etc.
> Full source on Unix, Windows, MacOSX, Solaris, VMS, NetWare etc.
>
--
Hugh Irvine
[email protected]
_______________________________________________
radiator mailing list
[email protected]
http://www.open.com.au/mailman/listinfo/radiator
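Added example (not part of the thread and not Radiator code): a small Python audit that reads a radius.cfg and reports, for each <AuthBy LSA> clause, whether AddToReply carries an explicit Session-Timeout and whether it stays under a ceiling you choose. The sample config, the 28800 value, the function names and the max_seconds parameter are assumptions made for the illustration.

```python
import re
# Constructed sample modelled on the thread's two <AuthBy LSA> clauses; 28800 is a placeholder.
SAMPLE_CFG = """
<Handler NAS-Identifier=TACACS>
  <AuthBy GROUP>
    <AuthBy LSA>
      AddToReply tacacsgroup = netadmin, Session-Timeout = 28800
    </AuthBy>
    <AuthBy LSA>
      AddToReply tacacsgroup = users
    </AuthBy>
  </AuthBy>
</Handler>
"""
OPEN = re.compile(r"<(\w+)\s*([^>]*)>$")
CLOSE = re.compile(r"</\w+>$")

def parse_reply_items(value):
    """Split 'a = b, c = d' into a dict (naive: no commas inside quoted values)."""
    pairs = (p.partition("=") for p in value.split(","))
    return {k.strip(): v.strip().strip('"') for k, sep, v in pairs if sep}

def audit_session_timeouts(cfg_text, max_seconds):
    """Return (tacacsgroup, Session-Timeout, verdict) per <AuthBy LSA> clause."""
    findings, stack = [], []
    for line in map(str.strip, cfg_text.splitlines()):
        if not line or line.startswith("#"):
            continue
        if CLOSE.match(line) and stack:
            kind, reply = stack.pop()
            if kind != "AuthBy LSA":
                continue
            timeout = reply.get("Session-Timeout")
            if timeout is None:
                verdict = "missing"
            elif not timeout.isdigit():
                verdict = "invalid"      # e.g. the literal 'nnn' left in place
            elif int(timeout) > max_seconds:
                verdict = "too-long"
            else:
                verdict = "ok"
            findings.append((reply.get("tacacsgroup"), timeout, verdict))
        elif m := OPEN.match(line):
            stack.append((f"{m[1]} {m[2]}".strip(), {}))
        elif line.startswith("AddToReply") and stack:
            # Assumption: repeated AddToReply lines in one clause are merged here.
            stack[-1][1].update(parse_reply_items(line[len("AddToReply"):]))
    return findings
```

Calling audit_session_timeouts(SAMPLE_CFG, max_seconds=8 * 3600) returns one tuple per clause; run it against the real file by passing the file's text instead of SAMPLE_CFG.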