Help with chap

Franks Andy (RLZ) IT Systems Engineer Andy.Franks at sath.nhs.uk
Tue May 21 08:55:54 CEST 2013


Hi again,
  Hmm, I'll need to keep my eye on it then. It may have just been having
a good day. The vm host is pretty gutsy, so I doubt processing power
would cause such an issue for it as a host. The switch is as from the
factory, just with upgraded software (to try and get rid of the issues).
A reply to the original email said they have a similar setup working ok.
Maybe I should power cycle the thing and see how long that takes to do
all the clients...

Sorry for the long sentence; midnight ramblings. In summary, the
question was:
Can I just use the authorize section to set the password to be the same
as the username, i.e. the mac address, after checking some basics like
whether the user exists in ldap and perhaps the useraccountcontrol
value, then in the authorize section just let the chap bit work on the
assigned password? 

I guess it would work but is it a bad idea? Just trying to extend my
knowledge/proper use of the tool in case I need to use chap in the
future.

thanks
Andy

-----Original Message-----
From: freeradius-users-bounces+andy.franks=sath.nhs.uk at lists.freeradius.org
[mailto:freeradius-users-bounces+andy.franks=sath.nhs.uk at lists.freeradius.org] On Behalf Of Alan DeKok
Sent: 21 May 2013 00:21
To: FreeRadius users mailing list
Subject: Re: Help with chap

Franks Andy (RLZ) IT Systems Engineer wrote:
> Thanks for the help.
>   Anecdotally, before I get into serious discovery, I've been running
> the freeradius process in extra debugging mode -xx. I'd read somewhere
> that -X makes it run single threaded, but along those lines of
> thinking I wondered if -xx and the extra debug was causing any
> performance issues. I may be off at completely the wrong tangent, but
> the problem is interesting and I like the odd tangent..

  Single-threaded versus multiple threads doesn't usually make a big
difference.

> Anyway, anecdotally as I said, with the server running in fresh from a
> reboot, no debugging, and upping the vm to 4 core instead of 1 (just
> playing), the problem seems vastly reduced. Nearly all clients are
> authenticated within 10 seconds,

  Any modern CPU should be able to do 100's of EAP sessions per second.
 If yours can't do that, it was under-provisioned.  That's why adding
more CPUs helped: you gave it more CPU power.

> the consistent off ones are some
> ancient mitel voip phones with pcs running off the back, which the
> switch simply doesn't "see" for ages. It just sits there and
> eventually just sends an auth request. In many cases the switch "sec"
> debug doesn't even report the mac address or any activity for this
> weird phone, but the FR linelog shows it authenticated fine. Really
> strange.

  Well, that's a switch problem.

> By the way, if I was to do chap, since I'm running ldap against AD -
> no available plaintext or other passwords, but I'm running mac-based
> auth, can I just use the authorize process to check for "notfound" and
> check the useraccountcontrol setting is correct from an attribute
> mapping (or just use the useraccountcontrol in an ldap filter and rely
> on not found), then just set the cleartext-password attribute to be
> %{username} using some more unlang, then do nothing special in the
> chap authentication bit, just let it "ok" with the plaintext password
> or is that just all wrong? I figure I don't *really* need a password
> for mac-based auth, since it's always going to be == to the username?

  That's one huge sentence.  I can't make heads or tails of it.

  Alan DeKok.
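The configuration Andy is asking about, written out as an added example (it is not from the thread, nor from the FreeRADIUS project's shipped config): an ldap lookup against AD that only matches enabled accounts, a reject on "notfound", and a Cleartext-Password set equal to the MAC-style User-Name so the chap module has something to verify the CHAP response against. Assumptions: FreeRADIUS 2.x-era unlang, an ldap module instance named "ldap", AD storing the MAC as sAMAccountName in the same 12-hex-digit form the switch sends, and the standard AD bitwise filter on userAccountControl (0x2 = ACCOUNTDISABLE).

```unlang
# Added example, not the project's own configuration.
#
# modules/ldap (the one relevant line): match the object only if it exists
# AND its ACCOUNTDISABLE bit is clear. 1.2.840.113556.1.4.803 is AD's
# bitwise-AND matching rule, so a disabled account becomes "notfound".
#
#   filter = "(&(sAMAccountName=%{User-Name})(!(userAccountControl:1.2.840.113556.1.4.803:=2)))"

authorize {
    preprocess

    # Sets Auth-Type := CHAP only when the request carries a CHAP-Password.
    chap

    # Existence + enabled check. "notfound" covers a missing object and one
    # the filter excluded because it is disabled; "fail" (LDAP down) is not
    # caught here and the request is rejected by the default policy.
    ldap
    if (notfound) {
        reject
    }

    # Assumed switch format: 12 hex digits, no separators. Scope the
    # assignment to MAC-shaped names so a human account can never log in
    # with its username as its password.
    if (User-Name =~ /^[0-9a-fA-F]{12}$/) {
        update control {
            # Not a secret: the switch derives it from the username. The
            # ldap decision above is the only real access control here.
            Cleartext-Password := "%{User-Name}"
        }
    }
}

authenticate {
    Auth-Type CHAP {
        # Verifies MD5(id + Cleartext-Password + challenge) from the request.
        chap
    }
}
```

Mechanically this answers the question: the chap module only needs a known cleartext password, and the one assigned in authorize is fine for that. What it does not do is add any secret to the exchange, since anyone who can observe or guess the MAC knows the "password"; the security of the decision rests entirely on the LDAP existence/enabled check and on the switch's own port handling. If the switch sends the MAC with separators or in upper case, normalise User-Name (or adjust the regex and filter) before the ldap call, otherwise every lookup returns "notfound".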