Thanks Alan,

It takes literally a second or so for a single client auth, but problems arise with multiple clients. I'll reset a card on the switch and capture the logs and see what's happening. Nothing as far as I remember pointed towards the ntlm_auth being the issue, it was the failure to complete the eap transaction that seemed to be the problem, but then I didn't scan each and every line to be honest. I'll post back.

Thanks
Andy
-----Original Message-----
From: freeradius-users-bounces+andy.franks=sath.nhs...@lists.freeradius.org [mailto:freeradius-users-bounces+andy.franks=sath.nhs.uk@lists.freeradius.org] On Behalf Of Alan DeKok
Sent: 18 May 2013 13:37
To: FreeRadius users mailing list
Subject: Re: Help with chap

Franks Andy (RLZ) IT Systems Engineer wrote:
> ... It worked brilliantly in testing, but come
> production, when I reboot the switch or clear the authentication on the
> ports it can take up to ten minutes for 10-15 clients to authenticate,

  That's bad. 10-15 clients should be done in a second or so.

  My guess is that the ntlm_auth process is taking a *long* time. Maybe your DNS settings are broken.

  Set up a test server. Run it in debugging mode and see. If the authentication takes more than a second or so (with debug messages), something is wrong.

> - Synch the content of the AD OU I have the mac address "users" in to an
> SQL database, maybe using vbscript/.net, including any state information
> like whether the account is disabled or expired and test against these
> custom fields during authentication.

  That will work for MS-CHAP. Not for CHAP.

> The authorisation process I
> currently have running against ldap doesn't pick up the account
> information being expired, maybe I need to look into this. I want to be
> able ideally to feed information back following a successful
> authentication to a custom attribute in AD, which is quite possible with
> an SQL database as an "intermediary", for example switch and port ID,
> useful stuff to know. I can't think of any native linux apps that can
> change AD attributes, excluding samba doing groups and passwords, maybe
> there is one?

  A normal LDAP client should work.

> - Use ldap as an authentication method? I know that AD will never give
> me back a password, but since this is mac authentication I was wondering
> if in the authorisation bit of the virtual server I could update the
> cleartext-password attribute based on the username as the two details
> are always identical in mac based auth, and then perform authentication
> with a known password. Maybe this would pick up locked usernames
> instead, again not sure about MS ldap in this area, never tried.

  If it's MAC authentication, then FreeRADIUS can do the CHAP checking itself. And there's no point in doing *more* authentication. The only reasonable thing to do is various checks in LDAP for the MAC address.

> - use nps as a proxy for the authentication. I don't really want to do
> this, but nps will (I think) allow chap / AD authentication.

  No, it won't. It's impossible.

> Any ideas which of these / other would be the right direction to follow?
> Need to do this in a hurry as the next switch is rolling out soon so
> don't have time to look into all of them..

  Step 1: find out what's wrong with the current system.

  If something is broken, fix it. Don't work around the problem. That makes it worse.

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
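As an added illustration of Alan's point that FreeRADIUS can do the CHAP check itself once it knows the cleartext password (which, for MAC-based auth, is the same string as the username), the following Python snippet, written for this thread and not taken from FreeRADIUS or either poster, implements the RFC 1994 CHAP verification a server performs. The MAC address, identifier and Request Authenticator values are constructed sample data.

```python
import hashlib
import hmac
from typing import Optional


def chap_response(ident: int, password: bytes, challenge: bytes) -> bytes:
    """RFC 1994 CHAP response: MD5(Identifier || secret || challenge)."""
    return hashlib.md5(bytes([ident]) + password + challenge).digest()


def build_chap_password(ident: int, password: bytes, challenge: bytes) -> bytes:
    """Client side: the RADIUS CHAP-Password attribute value is the 1-byte
    CHAP identifier followed by the 16-byte MD5 response."""
    return bytes([ident]) + chap_response(ident, password, challenge)


def verify_mac_chap(username: str, chap_password: bytes,
                    request_authenticator: bytes,
                    chap_challenge: Optional[bytes] = None) -> bool:
    """Server side: verify CHAP for MAC-based auth, where the cleartext
    password is the username itself (the convention discussed in the thread).
    Per RFC 2865 section 5.3, when the request carries no CHAP-Challenge
    attribute the 16-byte Request Authenticator is used as the challenge."""
    if len(chap_password) != 17:
        return False  # malformed CHAP-Password attribute: reject
    ident, response = chap_password[0], chap_password[1:]
    challenge = chap_challenge if chap_challenge is not None else request_authenticator
    expected = chap_response(ident, username.encode("ascii"), challenge)
    # Constant-time comparison so the check itself leaks no timing information.
    return hmac.compare_digest(expected, response)


# Constructed sample: a MAC-auth client whose username and password are both the MAC.
MAC_USER = "001122aabbcc"
REQ_AUTH = bytes(range(16))  # constructed 16-byte Request Authenticator
GOOD_CHAP = build_chap_password(0x2A, MAC_USER.encode("ascii"), REQ_AUTH)
BAD_CHAP = build_chap_password(0x2A, b"wrongpassword", REQ_AUTH)

if __name__ == "__main__":
    print("good:", verify_mac_chap(MAC_USER, GOOD_CHAP, REQ_AUTH))  # True
    print("bad: ", verify_mac_chap(MAC_USER, BAD_CHAP, REQ_AUTH))   # False
```

This covers only the CHAP arithmetic; the account-state checks Alan refers to (disabled or expired entries) are a separate LDAP lookup on the MAC address, not something CHAP can tell you.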