Artur is right. This was a problem previously seen by one AP vendor with whom I talk, which affected both Microsoft's IAS and Funk's Steel Belted RADIUS servers. The session-timeout returned by default by those was very low and caused repeated authentication which dramatically reduced the perceived throughput. I found that explicitly setting the session-timeout value for MAC authenticated users dramatically improved things. It is possible that such an explicit session-timeout is required for users authenticating using TLS?

As Artur said, nothing to do with the supplicant (those bring their own problems ;-). Apologies for the confusion.

Regards,

Guy

> -----Original Message-----
> From: Artur Hecker [mailto:[EMAIL PROTECTED]
> Sent: 26 September 2003 13:50
> To: [EMAIL PROTECTED]
> Subject: Re: WPA w/ EAP-TLS against 0.8.1
>
> that is the response i kind of feared. sorry, that's nonsense.
>
> in that case the whole story has nothing to do with the respective supplicant, since it simply NEVER gets in touch with Radius attributes. that would be the problem of the AP and NOT of the supplicant as you pointed out.
>
> ciao
> artur
>
> Guy Davies wrote:
>
> > Hi Artur,
> >
> > You don't :-) You set the session-timeout in the RADIUS reply.
> >
> > Regards,
> >
> > Guy
> >
> > > -----Original Message-----
> > > From: Artur Hecker [mailto:[EMAIL PROTECTED]
> > > Sent: 26 September 2003 12:56
> > > To: [EMAIL PROTECTED]
> > > Subject: Re: WPA w/ EAP-TLS against 0.8.1
> > >
> > > hi Guy!
> > >
> > > how can you change the session time in windows?
> > >
> > > thanks,
> > > artur
> > >
> > > Guy Davies wrote:
> > >
> > > > Hi Ian,
> > > >
> > > > I've seen something like this when doing MAC authentication. It was actually a "feature" of the WinXP/Win2k supplicant which defaults the session time to about 6 seconds! If I explicitly set the session time to be something more useful (1800 seconds is good) then everything was happy.
> > > >
> > > > Sorry if this is totally unrelated but I thought it might help.
> > > >
> > > > Regards,
> > > >
> > > > Guy
> > > >
> > > > > -----Original Message-----
> > > > > From: Ian Pritchard [mailto:[EMAIL PROTECTED]
> > > > > Sent: 26 September 2003 11:42
> > > > > To: [EMAIL PROTECTED]
> > > > > Subject: WPA w/ EAP-TLS against 0.8.1
> > > > >
> > > > > Hi,
> > > > >
> > > > > We're running FreeRADIUS version 0.8.1, and have been trying out authentication using a couple of "WPA-capable" 802.11 APs and PCMCIA cards on laptops, with EAP-TLS and certs.
> > > > >
> > > > > We've tried a matrix of the following:
> > > > >
> > > > > Laptops
> > > > > - Win2K SP4 w/ MS 802.1x patch and with Funk Odyssey client
> > > > > - WinXP
> > > > > - EAP-TLS certs installed
> > > > >
> > > > > PCMCIA cards
> > > > > - Linksys WPC54G
> > > > > - SMC2635W
> > > > >
> > > > > APs
> > > > > - Linksys WRT54G
> > > > > - SMC2804WBR
> > > > > - Cisco AP340
> > > > >
> > > > > All devices running latest possible drivers.
> > > > >
> > > > > Before testing WPA we were running the Cisco AP340 and the Win2K 802.1x auth patch, plus XP.
> > > > >
> > > > > Running either of the two PCMCIA cards, on either the Win2K or WinXP laptop, via the Linksys WRT54G AP, we see behaviour where the AP initiates access request to the FreeRADIUS server, the process runs through as normal, the access accept is sent to the AP, but it then immediately starts authentication again, and you run through the whole process repeatedly, starting again immediately after the accept is sent. Nothing seems abnormal if running FreeRADIUS in debug mode. With the Funk Odyssey client running on Win2K the behaviour is the same.
> > > > >
> > > > > Using the SMC AP, things are more interesting. The SMC AP's web-based control interface has a "security" main menu, with 802.1x as a sub-menu. If you turn the main security to "WPA/TKIP w/ RADIUS", then the behaviour is as with the Linksys above. However, if you turn it to "No Encryption" (so not even WEP enabled according to its interface), but leave the "enable 802.1x" turned on in the sub-menu, authentication takes place as normal. The SMC client card has client manager software, and if you turn on WPA on the AP, then the client manager shows a "key" symbol (presumably denoting some kind of security) next to the AP, but if you turn off encryption and leave 802.1x turned on, the key goes away.
> > > > >
> > > > > The Cisco AP doesn't have WPA but will do 802.1x as before.
> > > > >
> > > > > We're having trouble reaching a conclusion here (partly because it's difficult to tell what's happening), and certainly don't think we've got any "WPA" AP/client combination working with WPA/Radius. We had thought that, from an authentication perspective, there was no difference between 802.1x and WPA.
> > > > >
> > > > > Has anyone else managed to get WPA APs and clients running against FreeRADIUS using EAP-TLS?
> > > > >
> > > > > Many thanks,
> > > > >
> > > > > Ian
> > > > >
> > > > > -
> > > > > List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
