Thanks Alan, It takes literary a second or so for a single client auth, but problems arise with multiple clients. I'll reset a card on the switch and capture the logs and see what's happening. Nothing as far as I remember pointed towards the ntlm_auth being the issue, it was the failure to complete the eap transaction that seemed to be the problem, but then I didn't scan each and every line to be honest. I'll post back. Thanks Andy -----Original Message----- From: freeradius-users-bounces+andy.franks=sath.nhs.uk@lists.freeradius.org [mailto:freeradius-users-bounces+andy.franks=sath.nhs.uk@lists.freeradiu s.org] On Behalf Of Alan DeKok Sent: 18 May 2013 13:37 To: FreeRadius users mailing list Subject: Re: Help with chap Franks Andy (RLZ) IT Systems Engineer wrote:
... It worked brilliantly in testing, but come production, when i reboot the switch or clear the authentication on the ports it can take up to ten minutes for 10-15 clients to authenticate,
That's bad. 10-15 clients should be done in a second or so. My guess is that the ntlm_auth process is taking a *long* time. Maybe your DNS settings are broken. Set up a test server. Run it in debugging mode and see. If the authentication takes more than a second or so (wtih debug messages), something is wrong.
- Synch the content of the AD OU I have the mac address "users" in to an SQL database, maybe using vbscript/.net, including any state information like whether the account is disabled or expired and test against these custom fields during authentication.
That will work for MS-CHAP. Not for CHAP.
The authorisation process I currently have running against ldap doesn't pick up the account information being expired, maybe I need to look into this. I want to be able ideally to feed information back following a successful authentication to a custom attribute in AD, which is quite possible with an SQL database as an "intermediary", for example switch and port ID, useful stuff to know. I can't think of any native linux apps that can change AD attributes, excluding samba doing groups and passwords, maybe there is one?
A normal LDAP client should work.
- Use ldap as an authentication method? I know that AD will never give me back a password, but since this is mac authentication I was wondering if in the authorisation bit of the virtual server I could update the cleartext-password attribute based on the username as the two details are always identical in mac based auth, and then perform authentication with a known password. Maybe this would pick up locked usernames instead, again not sure about MS ldap in this area, never tried.
If it's MAC authentication, then FreeRADIUS can do the CHAP checking itself. And there's no point in doing *more* authentication. The only reasonable thing to do is various checks in LDAP for the MAC address.
- use nps as a proxy for the authentication. I don't really want to do this, but nps will (I think) allow chap / AD authentication.
No, it won't. It's impossible.
Any ideas which of these / other would be the right direction to follow? Need to do this in a hurry as the next switch is rolling out soon so don't have time to look into all of them..
Step 1: find out what's wrong with the current system. If something is broken, fix it. Don't work around the problem. That makes it worse. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Franks Andy (RLZ) IT Systems Engineer wrote:
Thanks Alan, It takes literary a second or so for a single client auth, but problems arise with multiple clients. I'll reset a card on the switch and capture the logs and see what's happening. Nothing as far as I remember pointed towards the ntlm_auth being the issue, it was the failure to complete the eap transaction that seemed to be the problem, but then I didn't scan each and every line to be honest.
See http://deployingradius.com/ It has instructions for testing PEAP via eapol_test. That lets you do some limited performance checks. An alternative is to configure a static user/password. Do performance checks using that user. If it's a lot faster than ntlm_auth, then the problem is likely ntlm_auth. Alan DeKok.
participants (2)
-
Alan DeKok -
Franks Andy (RLZ) IT Systems Engineer