TTLS authentication slow

Allan Riordan Boll s062417 at student.dtu.dk
Tue Nov 13 14:59:03 CET 2007


Hi,

I'm new to Freeradius, and the concepts behind Radius and network
security in general also, so I'm not sure if this is normal or not. I've
configured Freeradius so that I can authenticate Windows XP clients on
our wireless network through a Linux server's /etc/passwd file.

The problem is that authenticating takes around 20 seconds. While
running the server in a terminal with the -X flag, I see that my Windows
XP client first makes one TLS request, then waits ~20 seconds, then
makes two more TLS requests and four TTLS requests all together taking
less than one second. After these last six requests the client is
immediately online.

Can anyone give me a hint as to why the client waits for so long before doing the
requests it needs? Is my Freeradius server erroneously defaulting the
client to use TLS instead of TTLS, and confusing the client?

I've written a radiusd.conf from scratch, so that the server only runs
the modules I actually use, hoping this is safer and easier to
administrate. Please give feedback if anyone has any comments on this
approach. Note that the problem described above is also there with the
huge bundled stock configuration file. The configuration is as follows:

#####################################################################
prefix = /usr
localstatedir = /var
logdir = /var/log/radius
checkrad = "/usr/sbin/checkrad"
pidfile = "/var/run/radiusd/radiusd.pid"
max_requests = 2048
bind_address = *
cleanup_delay = 2
user = radiusd
group = radiusd

security {
	max_attributes = 200
	reject_delay = 1
	status_server = no
}

thread pool {
	start_servers = 5
	max_servers = 32
	min_spare_servers = 3
	max_spare_servers = 10
	max_requests_per_server = 0
}

modules {
	unix {
	}

	pap {
	}

	eap {
		default_eap_type = ttls

		tls {
			private_key_file = /etc/raddb/server.tld.pem
			certificate_file = /etc/raddb/server.tld.pem
			CA_file = /etc/raddb/server.tld.pem
			dh_file = /etc/raddb/dh
			random_file = /etc/raddb/random
			fragment_size = 1024
			include_length = yes
		}

		ttls {
		}
	}

	files {
		usersfile = /etc/raddb/users
		acctusersfile = /etc/raddb/acct_users
		preproxy_usersfile = /etc/raddb/preproxy_users
		compat = no
	}
}


authorize {
	eap
	files
}

authenticate {
	Auth-Type PAP {
		pap
	}
	unix
	eap
}

client x.x.x.x {
	secret = xxxx
	shortname = accesspoint01
	nastype = other
}
#####################################################################

Any hints greatly appreciated! Thank you very much :-)

Regards,
Allan Boll - student and network administrator at a dorm ;-)
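As an added example (not from the original post or the FreeRADIUS project), here is a small Python parser for the radiusd.conf brace syntax used above; it reports which type `default_eap_type` selects and whether that type has its own sub-block, which is the setting the post asks about. The embedded configuration is a constructed excerpt of the one quoted above; the parser assumes the plain `name { ... }` / `key = value` layout shown there and says nothing about the cause of the delay.

```python
# Constructed excerpt of the configuration quoted above (sample input).
SAMPLE_CONF = """
modules {
    eap {
        default_eap_type = ttls
        tls {
            fragment_size = 1024
        }
        ttls {
        }
    }
}
authenticate {
    unix
    eap
}
"""

def parse_radiusd_conf(text):
    """Parse 'name { ... }' blocks into nested dicts: 'key = value' lines
    become entries, bare words (module references) go into '_items'."""
    root = {}
    stack = [root]
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if not line:
            continue
        if line.endswith("{"):  # open a nested block
            block = {}
            stack[-1][line[:-1].strip()] = block
            stack.append(block)
        elif line == "}":  # close the current block
            if len(stack) == 1:
                raise ValueError("unbalanced closing brace")
            stack.pop()
        elif "=" in line:  # key = value setting
            key, value = (part.strip() for part in line.split("=", 1))
            stack[-1][key] = value.strip('"')
        else:  # bare module reference, e.g. 'eap' in authenticate {}
            stack[-1].setdefault("_items", []).append(line)
    if len(stack) != 1:
        raise ValueError("unclosed block")
    return root

def check_eap_default(conf):
    """Return (default_eap_type, has_subblock): the type the server offers
    first and whether a matching sub-block such as ttls { } exists."""
    eap = conf.get("modules", {}).get("eap", {})
    default = eap.get("default_eap_type")
    return default, isinstance(eap.get(default), dict)
```

Run it against the full radiusd.conf to confirm that the eap module really selects ttls and that the ttls sub-block is present; a default type with no matching sub-block is reported as (type, False).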
