Re: [RADIATOR] Performance logging

2016-04-04 Thread A . L . M . Buxey
Hi,

> Somewhat yes, I get the idea of anonymizing user’s identity with PEAP, but 
> for example with demo test certificates bundled with Radiator, PEAP-TLS 
> takes 15 rounds for a single EAP authentication.

well, PEAP itself takes around 12-14 rounds - the EAP-TLS part is short.
however, unless the client is correctly configured it will do the PEAP part
with any RADIUS server that has a CA the client knows (hello any of those
public CAs) - and thus will provide that server with the client's
public-component TLS cert

alan
___
radiator mailing list
radiator@open.com.au
http://www.open.com.au/mailman/listinfo/radiator

Re: [RADIATOR] Performance logging

2016-04-04 Thread Tuure Vartiainen
Hi,

> On 04 Apr 2016, at 11:24, Hartmaier Alexander 
>  wrote:
> 
> On 2016-03-30 15:10, Tuure Vartiainen wrote:
>> 
>>> On 30 Mar 2016, at 14:55, Hartmaier Alexander 
>>>  wrote:
>>> 
>>> we use PEAP-TLS, EAP-PEAP as outer EAP type with EAP-TLS as inner.
>>> Not sure if the outer EAP-PEAP adds any real security as the Radiator
>>> cert is the same one for both types as it only hides the transmission of
>>> the user cert which can be classified like a public key imho.
>>> 
>> Ack.
> Would you say that using PEAP-TLS for both wired and wireless auth is
> overkill even when both are considered sniffable?
> 

Somewhat yes, I get the idea of anonymizing user’s identity with PEAP, but 
for example with demo test certificates bundled with Radiator, PEAP-TLS 
takes 15 rounds for a single EAP authentication.

>> 
>> We’ll add a feature, which will allow the total time along with an on-demand
>> timing to be used through %{...} special format in AuthLogs etc.
> Thanks! Please inform me when it has landed in the patches.
> 

Yes, I’ll reply here.


BR
-- 
Tuure Vartiainen 

Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS,
NetWare etc.


Re: [RADIATOR] Performance logging

2016-04-04 Thread Hartmaier Alexander
Hi,

On 2016-03-30 15:10, Tuure Vartiainen wrote:
> Hi,
>
>> On 30 Mar 2016, at 14:55, Hartmaier Alexander 
>>  wrote:
>>
>> we use PEAP-TLS, EAP-PEAP as outer EAP type with EAP-TLS as inner.
>> Not sure if the outer EAP-PEAP adds any real security as the Radiator
>> cert is the same one for both types as it only hides the transmission of
>> the user cert which can be classified like a public key imho.
>>
> Ack.
Would you say that using PEAP-TLS for both wired and wireless auth is
overkill even when both are considered sniffable?

>
>> I've already tuned the EAPTLS_MaxFragmentSize to have as few roundtrips
>> as possible (1350 for the outer PEAP and 1300 for the inner EAP-TLS).
>>
> Yes, unfortunately besides that the only real option to minimize the delay of an
> EAP authentication is to minimize the round-trips either by sending less
> certificate data or by using an EAP method with fewer rounds.
>
>> You see how I calculate the response_time in my email yesterday.
>>
> $p->{RecvTime} is set to the time of receipt when an Access-Request is
> received, so
>
> $message->{response_time} = Radius::Util::timeInterval(
> $p->{RecvTime},
> $p->{RecvTimeMicros}, Radius::Util::getTimeHires());
>
> will calculate a response time only for that Access-Request.
>
>
> When running Radiator with Trace 4 or 5, a total time for an EAP
> authentication can be seen in the log.
>
> E.g.
>
> Wed Mar 30 12:55:58 2016 816812: DEBUG: EAP Success, elapsed time 0.71221
>
> We’ll add a feature, which will allow the total time along with an on-demand
> timing to be used through %{...} special format in AuthLogs etc.
Thanks! Please inform me when it has landed in the patches.

>
>
> BR
BR


T-Systems Austria GesmbH Rennweg 97-99, 1030 Wien
Handelsgericht Wien, FN 79340b
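The thread touches two practical points: reading the per-authentication "EAP Success, elapsed time" line that Trace 4/5 emits, and the relation between EAPTLS_MaxFragmentSize and the number of EAP round-trips a certificate flight needs. The following Python script is an added illustration of both and is not Radiator code or anything from the posters; the sample log is constructed (only the first line is the one quoted above), the regex is my assumption about the line layout, and the fragment estimate is a simple ceiling division that ignores the fixed identity/start/finish rounds of the EAP conversation.

```python
import math
import re
from datetime import datetime

# Constructed sample of Radiator Trace 4 output. The first line is the one
# quoted in the thread; the others are made up to exercise the parser.
SAMPLE_LOG = """\
Wed Mar 30 12:55:58 2016 816812: DEBUG: EAP Success, elapsed time 0.71221
Wed Mar 30 12:55:59 2016 102233: DEBUG: EAP Success, elapsed time 0.65010
Wed Mar 30 12:56:03 2016 500001: DEBUG: EAP Success, elapsed time 1.90450
Wed Mar 30 12:56:04 2016 000010: DEBUG: Packet dump:
Wed Mar 30 12:56:05 2016 771000: DEBUG: EAP Success, elapsed time 0.70002
"""

# Assumed layout: "<ctime-style timestamp> <microseconds>: DEBUG: EAP Success,
# elapsed time <seconds>". Day-of-month may be padded with a second space.
EAP_SUCCESS_RE = re.compile(
    r"^(?P<ts>\w{3} \w{3} {1,2}\d{1,2} \d\d:\d\d:\d\d \d{4}) (?P<usec>\d{6}): "
    r"DEBUG: EAP Success, elapsed time (?P<elapsed>\d+\.\d+)$"
)


def parse_eap_success(log_text):
    """Return a list of (datetime, elapsed_seconds) for every EAP Success line.

    Lines that do not match (other DEBUG output) are skipped, so the function
    can be fed a whole trace file.
    """
    records = []
    for line in log_text.splitlines():
        m = EAP_SUCCESS_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(" ".join(m.group("ts").split()), "%a %b %d %H:%M:%S %Y")
        ts = ts.replace(microsecond=int(m.group("usec")))
        records.append((ts, float(m.group("elapsed"))))
    return records


def summarize(records, slow_threshold=1.0):
    """Aggregate elapsed times and flag authentications slower than the threshold.

    Returns a dict with count, mean, max and the timestamps of slow
    authentications, which is the kind of figure one would graph or alert on.
    """
    elapsed = [e for _, e in records]
    if not elapsed:
        return {"count": 0, "mean": 0.0, "max": 0.0, "slow": []}
    return {
        "count": len(elapsed),
        "mean": sum(elapsed) / len(elapsed),
        "max": max(elapsed),
        "slow": [ts for ts, e in records if e > slow_threshold],
    }


def estimate_tls_fragments(flight_bytes, max_fragment_size):
    """Rough number of EAP fragments (each costing one request/response
    round-trip) needed to carry a TLS flight of flight_bytes when
    EAPTLS_MaxFragmentSize is max_fragment_size.

    This is only the variable part of the exchange; the fixed EAP rounds
    (identity, EAP-TLS start, finished, success) come on top.
    """
    if max_fragment_size <= 0:
        raise ValueError("fragment size must be positive")
    return math.ceil(flight_bytes / max_fragment_size)


if __name__ == "__main__":
    recs = parse_eap_success(SAMPLE_LOG)
    print(summarize(recs))
    # Same hypothetical 4000-byte certificate flight at the two fragment sizes
    # mentioned in the thread: 1350 for the outer PEAP, 1300 for the inner TLS.
    for frag in (1350, 1300):
        print(frag, estimate_tls_fragments(4000, frag))
```

Running it over a real trace file is a matter of replacing SAMPLE_LOG with the file contents; the summary gives the mean and worst-case total EAP time that the per-Access-Request response_time calculation in the thread cannot show, and the fragment estimate makes it visible why a slightly larger EAPTLS_MaxFragmentSize can save a whole round-trip for a given certificate chain size.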