RADIUS Defined Session Timeout

Zyxel_Claudia, Zyxel Employee

The Firmware 4.90 update for Zyxel switches introduces RADIUS-defined session timeout, providing administrators greater control over how long authenticated clients remain connected before they need to re-authenticate. This feature allows session timeouts to be managed either through the RADIUS server or locally on the switch, giving flexibility to align with specific network security policies.

What is RADIUS Defined Session Timeout?

The RADIUS Defined Session Timeout feature allows network administrators to set session expiration times for connected clients. When a session timeout is reached, the client must re-authenticate to regain access to the network. This feature is managed through RADIUS attributes and can enforce re-authentication for either 802.1X or MAC-based authentication methods.

Key Attributes Used in RADIUS Defined Session Timeout:

  1. Session Timeout: Specifies how long a client session can remain authenticated before needing to re-authenticate.
  2. Termination Action: Defines what happens when the session timeout expires. The RADIUS server can request re-authentication, or the switch can keep the session active without requiring re-authentication.

How RADIUS Defined Session Timeout Works

When a device connects to the network through a Zyxel switch with RADIUS authentication:

  1. Session Timeout is Defined: The RADIUS server specifies a session timeout value (e.g., 600 seconds). After this period, the client session expires.
  2. Termination Action Controls Re-Authentication:
    • Default (Re-authentication Off): The client session remains active without requiring re-authentication.
    • RADIUS Request (Re-authentication On): The client must re-authenticate by re-entering credentials or submitting the MAC address for validation.

If no session timeout or termination action is defined on the RADIUS server, the switch defaults to its local settings.

Examples of Session Timeout and Termination Action Configurations

  1. Example 1: Session Timeout with No Re-authentication
    • RADIUS Configuration:
      • Session Timeout: 600 seconds
      • Termination Action: Default (Re-authentication off)
    • Outcome: After 600 seconds, the client remains connected without re-authenticating.
  2. Example 2: Session Timeout with Required Re-authentication
    • RADIUS Configuration:
      • Session Timeout: 1200 seconds
      • Termination Action: RADIUS Request (Re-authentication on)
    • Outcome: After 1200 seconds, the client must re-authenticate to continue network access.
  3. Example 3: Using Local Switch Settings
    • RADIUS Configuration: No timeout or termination action set.
    • Switch Local Settings:
      • Re-authentication Time: 3600 seconds
    • Outcome: The switch uses its local setting, requiring the client to re-authenticate every 3600 seconds.
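
The three outcomes above can be reproduced by parsing Session-Timeout (RADIUS attribute 27) and Termination-Action (attribute 29, where 0 is Default and 1 is RADIUS-Request) out of an Access-Accept. This is an added example, not Zyxel code: the function names are hypothetical, the packets are constructed, and the handling of a reply that carries only a Termination-Action is an assumption.

```python
import struct

ACCESS_ACCEPT = 2
SESSION_TIMEOUT = 27      # RFC 2865 attribute type
TERMINATION_ACTION = 29   # RFC 2865 attribute type
RADIUS_REQUEST = 1        # Termination-Action value; 0 is Default

def build_accept(attrs):
    """Constructed Access-Accept for the demo (authenticator zeroed, not verified)."""
    body = b"".join(struct.pack("!BBI", t, 6, v) for t, v in attrs)
    header = struct.pack("!BBH16s", ACCESS_ACCEPT, 1, 20 + len(body), bytes(16))
    return header + body

def parse_attrs(packet):
    """Return {type: value} for the two 4-byte integer attributes of interest."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_ACCEPT or not 20 <= length <= len(packet):
        raise ValueError("not a well-formed Access-Accept")
    found, pos = {}, 20
    while pos < length:
        # Each attribute is Type(1) Length(1) Value; Length covers all three.
        if pos + 2 > length or packet[pos + 1] < 2 or pos + packet[pos + 1] > length:
            raise ValueError("malformed attribute at offset %d" % pos)
        atype, alen = packet[pos], packet[pos + 1]
        if atype in (SESSION_TIMEOUT, TERMINATION_ACTION) and alen == 6:
            found[atype] = struct.unpack("!I", packet[pos + 2:pos + 6])[0]
        pos += alen
    return found

def effective_policy(packet, local_reauth_seconds):
    """Return (source, seconds, reauth_required) as the examples above describe."""
    attrs = parse_attrs(packet)
    timeout = attrs.get(SESSION_TIMEOUT)
    if timeout is None:
        # Nothing usable from RADIUS: the switch's local re-authentication
        # time applies (Example 3). Assumption: a reply carrying only a
        # Termination-Action is treated the same way.
        return ("local", local_reauth_seconds, True)
    # Re-authentication is enforced only for RADIUS-Request (Example 2);
    # Default or an absent Termination-Action leaves it off (Example 1).
    return ("radius", timeout, attrs.get(TERMINATION_ACTION) == RADIUS_REQUEST)

if __name__ == "__main__":
    for attrs in ([(27, 600), (29, 0)], [(27, 1200), (29, 1)], []):
        print(attrs, "->", effective_policy(build_accept(attrs), 3600))
```

Running the same check against attributes captured from a test login is a quick way to audit for sessions that never re-authenticate because the server sends a Session-Timeout with the Default termination action.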

How to Verify Configuration on the Switch

To verify the session timeout and re-authentication settings on a Zyxel switch:

Check Configuration via CLI:

  1. Run the following command to check the configuration: show port-access-authenticator [port number]

Summary

The RADIUS Defined Session Timeout feature in Zyxel Firmware 4.90 allows administrators to control session duration and re-authentication policies with precision. By specifying timeout and re-authentication settings on the RADIUS server, administrators can ensure a secure and compliant network environment tailored to organizational requirements.