Re: How long it take to auth in 802.1X/WPA-enterprise?
Thank you very much.
Your comment and advice are very helpful to understand Radius mechanism

I replaced the AP(Belkin54g) with new one(DWL-8200AP, D-Link).
As a result, the delay time is reduced from 18 sec to 0.15 sec
I measured the time stamp the captured packet-based on Network Monitor 3.1(M$)
However, I'm not sure it depends on AP's feature or not.

I have already installed VMware tools in that measuring, so networking configuration is ok.

Lastly, concerned with "Looking up realm",
Actually, I didn't know very well about this, I just use the user name like that style.
Can you explain in detail?

Best.

Jaejong Baek
02-365-7966

***
Message: 3
Date: Thu, 18 Feb 2010 10:02:22 +
From: Alan Buxey
Subject: Re: How long it take to auth in 802.1X/WPA-enterprise?
To: FreeRadius users mailing list
Cc: "freeradius-users-ow...@lists.freeradius.org"
Message-ID: <20100218100222.ga11...@lboro.ac.uk>
Content-Type: text/plain; charset=us-ascii

Hi,

> How long it take to auth in 802.1X/WPA-enterprise?

depends on the system and what methods etc...but easily under 1 second here

> In this simple network model, I have tried to auth using
> EAP-TLS(self-certification) and it works good.
> By the way, about 18 seconds are taken to auth as follow debug logs.
> (confer the timestamp (1) and (2))

where's the real authentication - ie Access-Accept return packet?

do you have vmware tools on your ubuntu VMware hosted system - and therefore
using vmxnet driver instead of the slow pcnet32 ? (lsmod | grep vmx)

turn off any non-needed modules - eg are you ever going to use /etc/passwd
for user accounts? if not, comment out the unix module whenever it appears..
likewise files, expiration, logintime etc. make sure you are not going
to be needing them though!

..also...

> Wed Feb 17 21:37:00 2010 : Info: [suffix] Looking up realm
> ".yyy.zz.vv" for User-Name = "k...@.yyy.zz.vv"
> Wed Feb 17 21:37:00 2010 : Info: [suffix] No such realm ".yyy.zz.vv"

are you deliberately not dealing with this realm?
are you expecting it to be sent elsewhere?

alan
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: How long it take to auth in 802.1X/WPA-enterprise?
Hi,

> How long it take to auth in 802.1X/WPA-enterprise?

depends on the system and what methods etc...but easily under 1 second here

> In this simple network model, I have tried to auth using
> EAP-TLS(self-certification) and it works good.
> By the way, about 18 seconds are taken to auth as follow debug logs.
> (confer the timestamp (1) and (2))

where's the real authentication - ie Access-Accept return packet?

do you have vmware tools on your ubuntu VMware hosted system - and therefore
using vmxnet driver instead of the slow pcnet32 ? (lsmod | grep vmx)

turn off any non-needed modules - eg are you ever going to use /etc/passwd
for user accounts? if not, comment out the unix module whenever it appears..
likewise files, expiration, logintime etc. make sure you are not going
to be needing them though!

..also...

> Wed Feb 17 21:37:00 2010 : Info: [suffix] Looking up realm
> ".yyy.zz.vv" for User-Name = "k...@.yyy.zz.vv"
> Wed Feb 17 21:37:00 2010 : Info: [suffix] No such realm ".yyy.zz.vv"

are you deliberately not dealing with this realm?
are you expecting it to be sent elsewhere?

alan
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
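Added example, not part of the original posts and not FreeRADIUS code: one way to see where the time goes in a timestamped debug log like the one in this thread is to split it into time spent inside the server per request and time spent waiting between requests. The function names `exchanges` and `blame` are hypothetical, and the sample log is constructed in the thread's log format.

```python
import re
from datetime import datetime

# Stamped line in the thread's format: "Wed Feb 17 21:36:42 2010 : Info: ..."
TS_LINE = re.compile(r"^(\w{3} \w{3} [ \d]\d \d\d:\d\d:\d\d \d{4}) : \w+: (.*)$")
RECV = re.compile(r"^rad_recv: \S+ packet from host \S+ port \d+, id=(\d+)")
SENT = re.compile(r"^Sending (\S+) of id \d+")

def exchanges(log_text):
    """One dict per request: id, reply code, seconds inside the server, seconds
    waited since the previous request finished. Stamps have 1 s resolution."""
    out, cur, pending, prev_end = [], None, None, None
    for line in map(str.strip, log_text.splitlines()):
        if m := RECV.match(line):
            pending = int(m.group(1))      # rad_recv itself has no timestamp
        elif (m := SENT.match(line)) and cur:
            cur["reply"] = m.group(1)
        elif m := TS_LINE.match(line):
            ts = datetime.strptime(m.group(1), "%a %b %d %H:%M:%S %Y")
            if pending is not None:        # first stamped line after rad_recv
                waited = (ts - prev_end).total_seconds() if prev_end else None
                cur = {"id": pending, "start": ts, "reply": None, "waited": waited}
                pending = None
            if cur and m.group(2).startswith("Finished request"):
                cur["server"] = (ts - cur["start"]).total_seconds()
                out.append(cur)
                prev_end, cur = ts, None
    return out

def blame(exs):
    """Total seconds inside the server vs. waiting on the NAS, client or network."""
    return {"server": sum(e["server"] for e in exs),
            "outside": sum(e["waited"] or 0.0 for e in exs)}

# Constructed sample in the format of the log posted in this thread (not the real log).
SAMPLE = """\
Wed Feb 17 21:36:29 2010 : Info: Ready to process requests.
rad_recv: Access-Request packet from host 10.10.20.14 port 3072, id=0, length=157
Wed Feb 17 21:36:42 2010 : Info: +- entering group authorize {...}
Sending Access-Challenge of id 0 to 10.10.20.14 port 3072
Wed Feb 17 21:36:42 2010 : Info: Finished request 0.
rad_recv: Access-Request packet from host 10.10.20.14 port 3072, id=1, length=157
Wed Feb 17 21:37:00 2010 : Info: +- entering group authorize {...}
Sending Access-Challenge of id 1 to 10.10.20.14 port 3072
Wed Feb 17 21:37:00 2010 : Info: Finished request 1.
"""

if __name__ == "__main__":
    print(blame(exchanges(SAMPLE)))
```

A large `outside` total next to a near-zero `server` total means the wait is between requests rather than in module processing on the RADIUS server.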
How long it take to auth in 802.1X/WPA-enterprise?
How long it take to auth in 802.1X/WPA-enterprise?

I set up 802.1X/WPA-Enterprise network simply as follows.

Free radius 2.1.8 server
Ubuntu on VMware
10.10.20.14
    |
    |EAP-TLS(wired. 802.3)
    |
AP
Belkin 54g
WPA-Enterprise Tkip
    :
    :EAP-TLS(wireless 802.11)
    :
Client : Laptop
Windows 7
(Self certification)
k...@.yyy.zz.vv

In this simple network model, I have tried to auth using EAP-TLS(self-certification) and it works good.
By the way, about 18 seconds are taken to auth as follow debug logs.
(confer the timestamp (1) and (2))

...
...
Wed Feb 17 21:36:29 2010 : Info: Ready to process requests.
rad_recv: Access-Request packet from host 10.10.20.14 port 3072, id=0, length=157
        User-Name = "k...@.yyy.zz.vv"
        NAS-IP-Address = 10.10.20.14
        Called-Station-Id = "001150624dc1"
        Calling-Station-Id = "00242bc8fe6a"
        NAS-Identifier = "001150624dc1"
        NAS-Port = 28
        Framed-MTU = 1400
        NAS-Port-Type = Wireless-802.11
        EAP-Message = 0x021b016a6a624063636c61622e796f6e7365692e61632e6b72
        Message-Authenticator = 0x3d4a5b810f49d3bc390d39406a300eda
Wed Feb 17 21:36:42 2010 : Info: +- entering group authorize {...}
Wed Feb 17 21:36:42 2010 : Info: ++[preprocess] returns ok
Wed Feb 17 21:36:42 2010 : Info: ++[chap] returns noop
Wed Feb 17 21:36:42 2010 : Info: ++[mschap] returns noop
Wed Feb 17 21:36:42 2010 : Info: [suffix] Looking up realm ".yyy.zz.vv" for User-Name = "k...@.yyy.zz.vv"
Wed Feb 17 21:36:42 2010 : Info: [suffix] No such realm ".yyy.zz.vv"
Wed Feb 17 21:36:42 2010 : Info: ++[suffix] returns noop
Wed Feb 17 21:36:42 2010 : Info: [eap] EAP packet type response id 0 length 27
Wed Feb 17 21:36:42 2010 : Info: [eap] No EAP Start, assuming it's an on-going EAP conversation
Wed Feb 17 21:36:42 2010 : Info: ++[eap] returns updated
Wed Feb 17 21:36:42 2010 : Info: ++[unix] returns notfound
Wed Feb 17 21:36:42 2010 : Info: ++[files] returns noop
Wed Feb 17 21:36:42 2010 : Info: ++[expiration] returns noop
Wed Feb 17 21:36:42 2010 : Info: ++[logintime] returns noop
Wed Feb 17 21:36:42 2010 : Info: [pap] WARNING! No "known good" password found for the user. Authentication may fail because of this.
Wed Feb 17 21:36:42 2010 : Info: ++[pap] returns noop
Wed Feb 17 21:36:42 2010 : Info: Found Auth-Type = EAP
Wed Feb 17 21:36:42 2010 : Info: +- entering group authenticate {...}
Wed Feb 17 21:36:42 2010 : Info: [eap] EAP Identity
Wed Feb 17 21:36:42 2010 : Info: [eap] processing type tls
Wed Feb 17 21:36:42 2010 : Info: [tls] Requiring client certificate
Wed Feb 17 21:36:42 2010 : Info: [tls] Initiate
Wed Feb 17 21:36:42 2010 : Info: [tls] Start returned 1
Wed Feb 17 21:36:42 2010 : Info: ++[eap] returns handled
Sending Access-Challenge of id 0 to 10.10.20.14 port 3072
        EAP-Message = 0x010100060d20
        Message-Authenticator = 0x
        State = 0x897eb023897fbdcff6383e26a1b0eb16
Wed Feb 17 21:36:42 2010 : Info: Finished request 0.
Wed Feb 17 21:36:42 2010 : Debug: Going to the next request
Wed Feb 17 21:36:42 2010 : Debug: Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 10.10.20.14 port 3072, id=0, length=157
Wed Feb 17 21:36:42 2010 : Info: Cleaning up request 0 ID 0 with timestamp +13
        User-Name = "k...@.yyy.zz.vv"
        NAS-IP-Address = 10.10.20.14
        Called-Station-Id = "001150624dc1"
        Calling-Station-Id = "00242bc8fe6a"
        NAS-Identifier = "001150624dc1"
        NAS-Port = 28
        Framed-MTU = 1400
        NAS-Port-Type = Wireless-802.11
        EAP-Message = 0x021b016a6a624063636c61622e796f6e7365692e61632e6b72
        Message-Authenticator = 0x6bba537330b0a4ceeb559fdbf62726fa
Wed Feb 17 21:36:42 2010 : Info: +- entering group authorize {...}
Wed Feb 17 21:36:42 2010 : Info: ++[preprocess] returns ok
Wed Feb 17 21:36:42 2010 : Info: ++[chap] returns noop
Wed Feb 17 21:36:42 2010 : Info: ++[mschap] returns noop
Wed Feb 17 21:36:42 2010 : Info: [suffix] Looking up realm ".yyy.zz.vv" for User-Name = "k...@.yyy.zz.vv"
Wed Feb 17 21:36:42 2010 : Info: [suffix] No such realm ".yyy.zz.vv"
Wed Feb 17 21:36:42 2010 : Info: ++[suffix] returns noop
Wed Feb 17 21:36:42 2010 : Info: [eap] EAP packet type response id 0 length 27
Wed Feb 17 21:36:42 2010 : Info: [eap] No EAP Start, assuming it's an on-going EAP conversation
Wed Feb 17 21:36:42 2010 : Info: ++[eap] returns updated
Wed Feb 17 21:36:42 2010 : Info: ++[unix] returns notfound
Wed Feb 17 21:36:42 2010 : Info: ++[files] returns noop
Wed Feb 17 21:36:42 2010 : Info: ++[expiration] returns noop
Wed Feb 17 21:36:42 2010 : Info: ++[logintime] returns noop
Wed Feb 17 21:36:42 2010 : Info: [pap] WARNING! No "known good&qu