Re: [WIRELESS-LAN] Question about WPA 802.1x

2007-02-16 Thread Michael Griego

On Feb 15, 2007, at 9:43 PM, Frank Bulk wrote:


FB If Fast Connect refers to the feature in IEEE 802.11i to perform
pre-authentication, then yes, I can see the necessity of using the same
RADIUS server between two APs.


Actually, the Fast Reconnect in Windows has been around since  
before 802.11i was ratified (or even draft for that matter).  I'm  
pretty sure that it actually refers to whether or not to use TLS  
Session Resumption, a method that allows the two parties to  
reauthenticate to each other by simply proving that they know the  
shared master secret, a method which reduces the length of the EAP  
conversation by more than half since certificates, etc. don't have to  
be exchanged.




My question is how would you set up more than one IAS server and still
allow Fast Reconnect across all APs?

FB Depending on your WLAN infrastructure, you could configure one RADIUS
server as primary and the backup one as secondary.


Most APs and wireless switches/controllers have the ability to have
multiple RADIUS servers configured in them, as Frank alluded to.  In
these cases, it's simply a failover scenario where, if the primary
stops responding, the AP/switch will switch to using the backup
controller.


Another option here is to use some sort of front-end load balance/failover
appliance, such as Zeus or something like that that's
capable of talking RADIUS.  In this case, you'd have a RADIUS server
farm behind your proxy to handle the actual requests, and
appliances such as Zeus usually have cluster capability so that they
seamlessly switch to the backup unit in case of failure in one of the
appliances.




Another question is about load on the RADIUS server.
We currently have at peak 800 users using the Wireless network. What
specs for the server or servers should I use to handle this load?


I'm not sure how these numbers compare to Windows and IAS, but we  
have FreeRADIUS running on a pair of older (circa 2004) Dell  
PowerEdge 650s with single 2.4GHz processors and 512MB RAM.  The OS  
they run is Fedora Core.  We have a fairly decent sized  
implementation (~800 APs and more coming online), and the load  
average on the boxes stays fairly low, even though we currently  
require every user to reauthenticate every 15 minutes, which keeps  
the RADIUS process pretty busy.  I don't know that we're quite to the  
50/s request state yet, but we're definitely in the ~20 RADIUS  
requests per second during peak times crowd.


The only real overhead to 802.1x is the TLS processing for any
EAP-TLS-based EAP type (EAP-TLS, PEAP, EAP-TTLS, etc.), and that
processing isn't that bad.  So, unless your OS needs a beefy machine,
802.1x/EAP/RADIUS itself shouldn't require overly beefy hardware.


--Mike

**
Participation and subscription information for this EDUCAUSE Constituent Group 
discussion list can be found at http://www.educause.edu/groups/.
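
The behaviour discussed in the message above, as an added example that is not from any poster and is not IAS or FreeRADIUS code: a toy Python model of two RADIUS servers that each keep a private TLS session cache, comparing AP-style primary/backup failover with a front-end balancer. Assumptions: the caches are not shared between servers, the client remembers only its most recent session, and the names `RadiusServer`, `failover`, `round_robin`, `sticky` and `roam` are hypothetical.

```python
import hashlib
import itertools
import secrets

class RadiusServer:
    """Toy RADIUS/EAP server with its own, unshared TLS session cache."""
    def __init__(self, name):
        self.name, self.alive, self.cache = name, True, {}

    def authenticate(self, client):
        sid = client.get("session_id")
        # Resumption: both sides must already hold the same master secret.
        if sid in self.cache and self.cache[sid] == client["master_secret"]:
            return "resumed"
        # Full handshake: certificates exchanged, new session state created.
        client["session_id"] = secrets.token_hex(16)
        client["master_secret"] = secrets.token_bytes(48)
        self.cache[client["session_id"]] = client["master_secret"]
        return "full"

def failover(servers):
    """AP-style primary/backup: always the first server that is alive."""
    return lambda mac: next(s for s in servers if s.alive)

def round_robin(servers):
    """Front-end balancer that ignores which client is asking."""
    ring = itertools.cycle(servers)
    return lambda mac: next(s for s in ring if s.alive)

def sticky(servers):
    """Front-end balancer that pins each client MAC to one live server."""
    def pick(mac):
        live = [s for s in servers if s.alive]
        return live[hashlib.sha256(mac.encode()).digest()[0] % len(live)]
    return pick

def roam(policy, reauths=6, fail_primary_at=None):
    """Count full vs. resumed handshakes for one client over several roams."""
    servers = [RadiusServer("radius1"), RadiusServer("radius2")]
    route = policy(servers)
    client = {"mac": "02:00:00:00:00:01"}  # constructed sample MAC
    counts = {"full": 0, "resumed": 0}
    for i in range(reauths):
        if i == fail_primary_at:
            servers[0].alive = False  # primary stops responding
        counts[route(client["mac"]).authenticate(client)] += 1
    return counts
```

Under these assumptions, `roam(failover)` and `roam(sticky)` need one full handshake, `roam(failover, fail_primary_at=3)` needs a second one at the moment of failover, and `roam(round_robin)` never resumes.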


Re: [WIRELESS-LAN] Question about WPA 802.1x

2007-02-16 Thread s . holland
I found this white paper on Cisco's web site about scaling their radius 
server. 

"Deploying Cisco Secure ACS for Windows in a Cisco Aironet Environment"

http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_white_paper09186a00801495a1.shtml

Stephen Holland
Network Engineer
Northeastern University


RE: [WIRELESS-LAN] Question about WPA 802.1x

2007-02-16 Thread Frank Bulk
Amazing how LEAP performs so well. =)
 
Frank


From: Stephen Holland [mailto:[EMAIL PROTECTED] 
Sent: Friday, February 16, 2007 3:16 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Question about WPA 802.1x



I found this white paper on Cisco's web site about scaling their radius
server. 

Deploying Cisco Secure ACS for Windows in a Cisco Aironet Environment 

http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_white_paper09186a00801495a1.shtml

Stephen Holland 
Network Engineer 
Northeastern University



Question about WPA 802.1x

2007-02-15 Thread Urrea, Nick
I have configured in a test environment WPA with PEAP to an ISA server.
I would like to configure two RADIUS servers for fault tolerance.
I was going to use PEAP with MSChapv2 with Fast Reconnect to ensure
proper roaming.
What I know is that Fast Reconnect only works if the 2 or more APs that
the client roams to are connected to the same RADIUS server.

My question is how would you set up more than one IAS server and still
allow Fast Reconnect across all APs?

Another question is about load on the RADIUS server.
We currently have at peak 800 users using the Wireless network. What
specs for the server or servers should I use to handle this load?



--
Nicholas Urrea
IT Department 
UC Hastings College of the Law
[EMAIL PROTECTED]
415-565-4718



RE: [WIRELESS-LAN] Question about WPA 802.1x

2007-02-15 Thread Frank Bulk
Nick:

Lots of good questions here.

Responses in-line.

Frank 

-Original Message-
From: Urrea, Nick [mailto:[EMAIL PROTECTED] 
Sent: Thursday, February 15, 2007 7:03 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] Question about WPA 802.1x

I have configured in a test environment WPA with PEAP to an ISA server.
I would like to configure two RADIUS servers for fault tolerance.
I was going to use PEAP with MSChapv2 with Fast Reconnect to ensure
proper roaming.
What I know is that Fast Reconnect only works if the 2 or more APs that
the client roams to are connected to the same RADIUS server.

FB If Fast Connect refers to the feature in IEEE 802.11i to perform
pre-authentication, then yes, I can see the necessity of using the same
RADIUS server between two APs.  

My question is how would you set up more than one IAS server and still
allow Fast Reconnect across all APs?

FB Depending on your WLAN infrastructure, you could configure one RADIUS
server as primary and the backup one as secondary.  

Another question is about load on the RADIUS server.
We currently have at peak 800 users using the Wireless network. What
specs for the server or servers should I use to handle this load?

FB The numbers I've heard for RADIUS server go up to around 50 sessions per
second, but it could be much lower.  Both Aruba and Trapeze have EAP-offload
capabilities to assist with that.  Based on 800 users I wouldn't expect
RADIUS performance to be a problem.

--
Nicholas Urrea
IT Department 
UC Hastings College of the Law
[EMAIL PROTECTED]
415-565-4718
