4 May
2016
4 May
'16
3:26 p.m.
> On 4 May 2016, at 11:07, Johnny R <vasiana09@gmail.com> wrote: > > I m wondering if there is another 'obvious' way to handle non-802.1X > capable equipment apart from checking their MAC :(. OS fingerprinting, > seems a little bit ... more than an extra mile :) > Device fingerprinting, web-auth, those are pretty much the only options. Better to use a switch that can perform ip filtering with dynamic rules from RADIUS to restrict incoming and outgoing connections. -Arran > > v4s[at]#unrelated | "sh3ll is just the beginning" > > .__ > _____ _______ ____ ___________ |__| ____ _____ > \__ \\_ __ \/ _ \/ ___/\__ \ | |/ \\__ \ > / __ \| | \( <_> )___ \ / __ \| | | \/ __ \_ > (____ /__| \____/____ >(____ /__|___| (____ / > \/ \/ \/ \/ \/ > > > > >> On Wed, May 4, 2016 at 8:49 PM, Igor Novgorodov <igor@novg.net> wrote: >> >> Nope, it has complicated logic based on Calling-Station-Id, NAS-IP-Address >> & multiple SQL queries. >> With EAP it would, of course, use more CPU (if over TLS - even worse). >> We currently have about 150% of a Xeon E5-2630 core used at peak times. >> >> >>> On 04/05/16 19:52, Arran Cudbard-Bell wrote: >>> >>>> On 4 May 2016, at 09:33, Igor Novgorodov <igor@novg.net> wrote: >>>> >>>> We're running FreeRADIUS that authenticates 5-6 *million* users per day >>>> (with peaks about 1000 requests per second) on a small VM with 4 vCPU. >>> That's with EAP? >>> >>> -Arran >>> >>> Arran Cudbard-Bell <a.cudbardb@freeradius.org> >>> FreeRADIUS Development Team >>> >>> FD31 3077 42EC 7FCD 32FE 5EE2 56CF 27F9 30A8 CAA2 >>> >>> >>> >>> - >>> List info/subscribe/unsubscribe? See >>> http://www.freeradius.org/list/users.html >> >> - >> List info/subscribe/unsubscribe? See >> http://www.freeradius.org/list/users.html > - > List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html