Re: [RADIATOR] Performance logging
Hi,

> Somewhat yes, I get the idea of anonymizing user’s identity with PEAP, but
> for example with demo test certificates bundled with Radiator, PEAP-TLS
> takes 15 rounds for a single EAP authentication.

well, PEAP itself takes around 12-14 rounds - the EAP-TLS part is short.
however, unless the client is correctly configured it will do the PEAP part
with any RADIUS server that has a CA the client knows (hello any of those
public CAs) - and thus will provide that server with the client's
public-component TLS cert

alan
___
radiator mailing list
radiator@open.com.au
http://www.open.com.au/mailman/listinfo/radiator

Re: [RADIATOR] Performance logging
Hi,

> On 04 Apr 2016, at 11:24, Hartmaier Alexander wrote:
>
> On 2016-03-30 15:10, Tuure Vartiainen wrote:
>>
>>> On 30 Mar 2016, at 14:55, Hartmaier Alexander wrote:
>>>
>>> we use PEAP-TLS, EAP-PEAP as outer EAP type with EAP-TLS as inner.
>>> Not sure if the outer EAP-PEAP adds any real security as the Radiator
>>> cert is the same one for both types as it only hides the transmission of
>>> the user cert which can be classified like a public key imho.
>>>
>> Ack.
> Would you say that using PEAP-TLS for both wired and wireless auth is
> overkill even when both are considered sniffable?
>

Somewhat yes, I get the idea of anonymizing user’s identity with PEAP, but
for example with demo test certificates bundled with Radiator, PEAP-TLS
takes 15 rounds for a single EAP authentication.

>>
>> We’ll add a feature, which will allow the total time along with an on-demand
>> timing to be used through %{...} special format in AuthLogs etc.
> Thanks! Please inform me when it has landed in the patches.
>

Yes, I’ll reply here.

BR
--
Tuure Vartiainen

Re: [RADIATOR] Performance logging
Hi,

On 2016-03-30 15:10, Tuure Vartiainen wrote:
> Hi,
>
>> On 30 Mar 2016, at 14:55, Hartmaier Alexander wrote:
>>
>> we use PEAP-TLS, EAP-PEAP as outer EAP type with EAP-TLS as inner.
>> Not sure if the outer EAP-PEAP adds any real security as the Radiator
>> cert is the same one for both types as it only hides the transmission of
>> the user cert which can be classified like a public key imho.
>>
> Ack.

Would you say that using PEAP-TLS for both wired and wireless auth is
overkill even when both are considered sniffable?

>
>> I've already tuned the EAPTLS_MaxFragmentSize to have as few roundtrips
>> as possible (1350 for the outer PEAP and 1300 for the inner EAP-TLS).
>>
> Yes, unfortunately beside that the only real option to minimize a delay of an
> EAP authentication is to
> minimize the round-trips either by sending less certificate data or
> by using an EAP method with fewer rounds.
>
>> You see how I calculate the response_time in my email yesterday.
>>
> $p->{RecvTime} is set with a time of receive when an Access-Request is
> received, so
>
> $message->{response_time} = Radius::Util::timeInterval(
>     $p->{RecvTime},
>     $p->{RecvTimeMicros}, Radius::Util::getTimeHires());
>
> will calculate a response time only for that Access-Request.
>
>
> When running Radiator with Trace 4 or 5, a total time for an EAP
> authentication can be seen in the log.
>
> E.g.
>
> Wed Mar 30 12:55:58 2016 816812: DEBUG: EAP Success, elapsed time 0.71221
>
> We’ll add a feature, which will allow the total time along with an on-demand
> timing to be used through %{...} special format in AuthLogs etc.

Thanks! Please inform me when it has landed in the patches.

>
>
> BR

BR
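
Added example, not part of the original thread and not Radiator code: until a total-time format is available in AuthLogs, the "EAP Success, elapsed time" debug line quoted above can be collected from a Trace 4 or 5 log to measure whole EAP conversations rather than single Access-Requests. The line format is taken from the one sample in the thread; the other sample lines, the function names and the 1.0 second slow threshold are assumptions.

```python
import math
import re
from datetime import datetime
from statistics import mean

# Format of the Trace 4/5 line quoted in the thread:
#   Wed Mar 30 12:55:58 2016 816812: DEBUG: EAP Success, elapsed time 0.71221
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \w{3} [ \d]\d \d\d:\d\d:\d\d \d{4}) \d+: "
    r"DEBUG: EAP Success, elapsed time (?P<elapsed>\d+(?:\.\d+)?)\s*$"
)

def parse_eap_timings(lines):
    """Return [(datetime, elapsed_seconds)] for each EAP Success line."""
    timings = []
    for line in lines:
        m = LINE_RE.match(line)
        if m is None:
            continue  # any other log line is ignored
        ts = datetime.strptime(m.group("ts"), "%a %b %d %H:%M:%S %Y")
        timings.append((ts, float(m.group("elapsed"))))
    return timings

def summarize(timings, slow_threshold=1.0):
    """Count, mean, nearest-rank p95, max, and the conversations over the threshold."""
    values = sorted(elapsed for _, elapsed in timings)
    if not values:
        return {"count": 0, "mean": None, "p95": None, "max": None, "slow": []}
    rank = max(1, math.ceil(0.95 * len(values)))  # nearest-rank percentile
    return {
        "count": len(values),
        "mean": mean(values),
        "p95": values[rank - 1],
        "max": values[-1],
        "slow": [(ts, e) for ts, e in timings if e > slow_threshold],
    }

# First line is the one from the thread; the rest are constructed samples.
SAMPLE_LOG = [
    "Wed Mar 30 12:55:58 2016 816812: DEBUG: EAP Success, elapsed time 0.71221",
    "Wed Mar 30 12:56:03 2016 120455: DEBUG: (constructed unrelated debug line)",
    "Wed Mar 30 12:56:04 2016 220100: DEBUG: EAP Success, elapsed time 0.25",
    "Wed Mar 30 12:57:10 2016 004311: DEBUG: EAP Success, elapsed time 1.5",
    "Wed Mar 30 12:58:41 2016 650002: DEBUG: EAP Success, elapsed time 0.5",
]

if __name__ == "__main__":
    print(summarize(parse_eap_timings(SAMPLE_LOG)))
```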