Re: How long it take to auth in 802.1X/WPA-enterprise?

2010-02-23 Thread JaeJong Baek
Thank you very much.

Your comments and advice are very helpful for understanding the RADIUS mechanism.

 

I replaced the AP (Belkin 54g) with a new one (D-Link DWL-8200AP).

As a result, the delay time was reduced from 18 sec to 0.15 sec.

I measured the timestamps of the captured packets with Network Monitor 3.1 (M$).

However, I'm not sure whether it depends on the AP's features or not.

 

I had already installed VMware Tools for that measurement, so the networking
configuration is OK.

 

Lastly, concerning "Looking up realm":

Actually, I didn't know very much about this;

I just use a user name in that style.

Can you explain it in detail?

 

Best.



Jaejong Baek

02-365-7966

***

Message: 3

Date: Thu, 18 Feb 2010 10:02:22 +

From: Alan Buxey 

Subject: Re: How long it take to auth in 802.1X/WPA-enterprise?

To: FreeRadius users mailing list

Cc: "freeradius-users-ow...@lists.freeradius.org"

Message-ID: <20100218100222.ga11...@lboro.ac.uk>

Content-Type: text/plain; charset=us-ascii

 

Hi,

> How long it take to auth in 802.1X/WPA-enterprise?

 

Depends on the system and what methods etc., but easily under 1 second here.

 

> In this simple network model, I have tried to auth using

> EAP-TLS(self-certification) and it works good.

> By the way, about 18 seconds are taken to auth as follow debug logs.

> (confer the timestamp (1) and (2))

 

Where's the real authentication, i.e. the Access-Accept return packet?

 

Do you have VMware Tools on your Ubuntu VMware-hosted system, and are you therefore
using the vmxnet driver instead of the slow pcnet32? (lsmod | grep vmx)

 

Turn off any non-needed modules, e.g. are you ever going to use /etc/passwd
for user accounts? If not, comment out the unix module wherever it appears;

likewise files, expiration, logintime etc. Make sure you are not going
to be needing them, though!

 

...also...

 

> Wed Feb 17 21:37:00 2010 : Info: [suffix] Looking up realm ".yyy.zz.vv" for User-Name = "k...@.yyy.zz.vv"
> Wed Feb 17 21:37:00 2010 : Info: [suffix] No such realm ".yyy.zz.vv"

 

Are you deliberately not dealing with this realm? Are you expecting it to be
sent elsewhere?

 

alan

 

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
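An added example, not from the thread or the FreeRADIUS project, that reads the kind of debug output quoted below and answers two of the points raised: how long the server waited for a request versus how long it spent processing it, which modules returned noop/notfound (the ones Alan suggests commenting out), and what the "[suffix] Looking up realm" line is doing (rlm_realm's suffix instance splits User-Name at the last "@" and treats the right-hand part as the realm). The sample log is a constructed, shortened excerpt in the same shape as the quoted FreeRADIUS 2.x output.

```python
import re
from datetime import datetime

# Constructed excerpt in the shape of the FreeRADIUS 2.x debug output quoted in
# the thread (timestamps and module results copied from it, long lines trimmed).
SAMPLE_LOG = """\
Wed Feb 17 21:36:29 2010 : Info: Ready to process requests.
rad_recv: Access-Request packet from host 10.10.20.14 port 3072, id=0, length=157
Wed Feb 17 21:36:42 2010 : Info: +- entering group authorize {...}
Wed Feb 17 21:36:42 2010 : Info: [suffix] No such realm ".yyy.zz.vv"
Wed Feb 17 21:36:42 2010 : Info: ++[suffix] returns noop
Wed Feb 17 21:36:42 2010 : Info: ++[eap] returns updated
Wed Feb 17 21:36:42 2010 : Info: ++[unix] returns notfound
Wed Feb 17 21:36:42 2010 : Info: ++[files] returns noop
Wed Feb 17 21:36:42 2010 : Info: Finished request 0.
"""
TS_RE = re.compile(r"^(\w{3} \w{3} +\d+ \d\d:\d\d:\d\d \d{4}) : \w+: (.*)$")
MOD_RE = re.compile(r"^\+\+\[(\w+)\] returns (\w+)$")

def split_realm(username):
    """What rlm_realm's 'suffix' instance does: split at the LAST '@'; the
    right-hand part is the realm it looks up (None if there is no '@')."""
    user, sep, realm = username.rpartition("@")
    return (user, realm) if sep else (username, None)

def analyze(log_text):
    """Per request: seconds the server sat waiting for it, seconds spent on it,
    and modules that returned noop/notfound (candidates to comment out)."""
    ready_at, reqs, cur = None, [], None
    for raw in log_text.splitlines():
        m = TS_RE.match(raw)
        if not m:
            if raw.startswith("rad_recv:"):  # untimestamped; opens a request
                cur = {"first": None, "finished": None, "idle": []}
                reqs.append(cur)
            continue
        ts, msg = datetime.strptime(m.group(1), "%a %b %d %H:%M:%S %Y"), m.group(2)
        if msg.startswith("Ready to process"):
            ready_at = ts
        elif cur is not None:
            cur["first"] = cur["first"] or ts  # first timestamped line of the request
            mod = MOD_RE.match(msg)
            if mod and mod.group(2) in ("noop", "notfound"):
                cur["idle"].append(mod.group(1))
            elif msg.startswith("Finished request"):
                cur["finished"] = ts
    return [{"waited_s": (r["first"] - ready_at).total_seconds(),
             "processing_s": (r["finished"] - r["first"]).total_seconds(),
             "idle_modules": r["idle"]} for r in reqs if r["first"] and r["finished"]]
```

On the quoted log this reports 13 s of waiting before the first packet arrived and 0 s of processing, which is why the reply asks where the Access-Accept (the rest of the exchange) is.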



How long it take to auth in 802.1X/WPA-enterprise?

2010-02-17 Thread JaeJong Baek
How long it take to auth in 802.1X/WPA-enterprise?

I set up an 802.1X/WPA-Enterprise network simply as follows.

 

FreeRADIUS 2.1.8 server
Ubuntu on VMware
10.10.20.14
 |
 | EAP-TLS (wired, 802.3)
 |
AP
Belkin 54g
WPA-Enterprise
TKIP
 :
 : EAP-TLS (wireless, 802.11)
 :
Client:
Laptop
Windows 7
(Self certification)
k...@.yyy.zz.vv

 

 

In this simple network model, I have tried to authenticate using
EAP-TLS (self-certification) and it works well.

By the way, about 18 seconds are taken to authenticate, as the following debug logs show
(compare timestamps (1) and (2)).

 

...
Wed Feb 17 21:36:29 2010 : Info: Ready to process requests.
rad_recv: Access-Request packet from host 10.10.20.14 port 3072, id=0, length=157
        User-Name = "k...@.yyy.zz.vv"
        NAS-IP-Address = 10.10.20.14
        Called-Station-Id = "001150624dc1"
        Calling-Station-Id = "00242bc8fe6a"
        NAS-Identifier = "001150624dc1"
        NAS-Port = 28
        Framed-MTU = 1400
        NAS-Port-Type = Wireless-802.11
        EAP-Message = 0x021b016a6a624063636c61622e796f6e7365692e61632e6b72
        Message-Authenticator = 0x3d4a5b810f49d3bc390d39406a300eda
Wed Feb 17 21:36:42 2010 : Info: +- entering group authorize {...}
Wed Feb 17 21:36:42 2010 : Info: ++[preprocess] returns ok
Wed Feb 17 21:36:42 2010 : Info: ++[chap] returns noop
Wed Feb 17 21:36:42 2010 : Info: ++[mschap] returns noop
Wed Feb 17 21:36:42 2010 : Info: [suffix] Looking up realm ".yyy.zz.vv" for User-Name = "k...@.yyy.zz.vv"
Wed Feb 17 21:36:42 2010 : Info: [suffix] No such realm ".yyy.zz.vv"
Wed Feb 17 21:36:42 2010 : Info: ++[suffix] returns noop
Wed Feb 17 21:36:42 2010 : Info: [eap] EAP packet type response id 0 length 27
Wed Feb 17 21:36:42 2010 : Info: [eap] No EAP Start, assuming it's an on-going EAP conversation
Wed Feb 17 21:36:42 2010 : Info: ++[eap] returns updated
Wed Feb 17 21:36:42 2010 : Info: ++[unix] returns notfound
Wed Feb 17 21:36:42 2010 : Info: ++[files] returns noop
Wed Feb 17 21:36:42 2010 : Info: ++[expiration] returns noop
Wed Feb 17 21:36:42 2010 : Info: ++[logintime] returns noop
Wed Feb 17 21:36:42 2010 : Info: [pap] WARNING! No "known good" password found for the user.  Authentication may fail because of this.
Wed Feb 17 21:36:42 2010 : Info: ++[pap] returns noop
Wed Feb 17 21:36:42 2010 : Info: Found Auth-Type = EAP
Wed Feb 17 21:36:42 2010 : Info: +- entering group authenticate {...}
Wed Feb 17 21:36:42 2010 : Info: [eap] EAP Identity
Wed Feb 17 21:36:42 2010 : Info: [eap] processing type tls
Wed Feb 17 21:36:42 2010 : Info: [tls] Requiring client certificate
Wed Feb 17 21:36:42 2010 : Info: [tls] Initiate
Wed Feb 17 21:36:42 2010 : Info: [tls] Start returned 1
Wed Feb 17 21:36:42 2010 : Info: ++[eap] returns handled
Sending Access-Challenge of id 0 to 10.10.20.14 port 3072
        EAP-Message = 0x010100060d20
        Message-Authenticator = 0x
        State = 0x897eb023897fbdcff6383e26a1b0eb16
Wed Feb 17 21:36:42 2010 : Info: Finished request 0.
Wed Feb 17 21:36:42 2010 : Debug: Going to the next request
Wed Feb 17 21:36:42 2010 : Debug: Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 10.10.20.14 port 3072, id=0, length=157
Wed Feb 17 21:36:42 2010 : Info: Cleaning up request 0 ID 0 with timestamp +13
        User-Name = "k...@.yyy.zz.vv"
        NAS-IP-Address = 10.10.20.14
        Called-Station-Id = "001150624dc1"
        Calling-Station-Id = "00242bc8fe6a"
        NAS-Identifier = "001150624dc1"
        NAS-Port = 28
        Framed-MTU = 1400
        NAS-Port-Type = Wireless-802.11
        EAP-Message = 0x021b016a6a624063636c61622e796f6e7365692e61632e6b72
        Message-Authenticator = 0x6bba537330b0a4ceeb559fdbf62726fa
Wed Feb 17 21:36:42 2010 : Info: +- entering group authorize {...}
Wed Feb 17 21:36:42 2010 : Info: ++[preprocess] returns ok
Wed Feb 17 21:36:42 2010 : Info: ++[chap] returns noop
Wed Feb 17 21:36:42 2010 : Info: ++[mschap] returns noop
Wed Feb 17 21:36:42 2010 : Info: [suffix] Looking up realm ".yyy.zz.vv" for User-Name = "k...@.yyy.zz.vv"
Wed Feb 17 21:36:42 2010 : Info: [suffix] No such realm ".yyy.zz.vv"
Wed Feb 17 21:36:42 2010 : Info: ++[suffix] returns noop
Wed Feb 17 21:36:42 2010 : Info: [eap] EAP packet type response id 0 length 27
Wed Feb 17 21:36:42 2010 : Info: [eap] No EAP Start, assuming it's an on-going EAP conversation
Wed Feb 17 21:36:42 2010 : Info: ++[eap] returns updated
Wed Feb 17 21:36:42 2010 : Info: ++[unix] returns notfound
Wed Feb 17 21:36:42 2010 : Info: ++[files] returns noop
Wed Feb 17 21:36:42 2010 : Info: ++[expiration] returns noop
Wed Feb 17 21:36:42 2010 : Info: ++[logintime] returns noop
Wed Feb 17 21:36:42 2010 : Info: [pap] WARNING! No "known good"