Many exchanges between supplicant and the server - EAP-TLS
Hello, On a radius server configured with EAP-TLS, logs contain many exchanges between the station and the server. It seems logical with the handshake TLS but each station response of access challenge causes the execution of the authorize section. Can you tell me if this is normal? Best regards, Vincent
On Jun 10, 2015, at 10:22 AM, vince technical address <vince.technicaladdress@gmail.com> wrote:
On a radius server configured with EAP-TLS, logs contain many exchanges between the station and the server.
That's how EAP-TLS works.
It seems logical with the handshake TLS but each station response of access challenge causes the execution of the authorize section. Can you tell me if this is normal?
Yes. Alan DeKok.
On Jun 10, 2015, at 10:22 AM, vince technical address <vince.technicaladdress@gmail.com> wrote:
Hello,
On a radius server configured with EAP-TLS, logs contain many exchanges between the station and the server. It seems logical with the handshake TLS but each station response of access challenge causes the execution of the authorize section. Can you tell me if this is normal?
Yes. -Arran
Hi Alan and Arran, There is no possibility to limit the execution of the authorize section to each response in a EAP session ? The result of this section is the same everytime. Thanks. Vince 2015-06-10 16:25 GMT+02:00 Arran Cudbard-Bell <a.cudbardb@freeradius.org>:
On Jun 10, 2015, at 10:22 AM, vince technical address < vince.technicaladdress@gmail.com> wrote:
Hello,
On a radius server configured with EAP-TLS, logs contain many exchanges between the station and the server. It seems logical with the handshake TLS but each station response of access challenge causes the execution of the authorize section. Can you tell me if this is normal?
Yes.
-Arran
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
On Jun 10, 2015, at 10:37 AM, vince technical address <vince.technicaladdress@gmail.com> wrote:
There is no possibility to limit the execution of the authorize section to each response in a EAP session ? The result of this section is the same everytime.
The authorize section is contained in a configuration file for a reason. It's just text. You can edit it. The server MUST use the "authorize" section when it receives a packet. You can control what's in the authorize section, and how the server processes packets. Alan DeKok.
On 10/06/15 15:37, vince technical address wrote:
Hi Alan and Arran, There is no possibility to limit the execution of the authorize section to each response in a EAP session ? The result of this section is the same everytime.
I presume you have expensive processing - SQL or LDAP lookups, or similar - in this section? In which case, see: https://github.com/FreeRADIUS/freeradius-server/blob/v3.1.x/raddb/sites-avai... https://github.com/FreeRADIUS/freeradius-server/blob/v3.1.x/raddb/sites-avai... See also the "cache" module example/docs and similar.
Hi,
On a radius server configured with EAP-TLS, logs contain many exchanges between the station and the server. It seems logical with the handshake TLS but each station response of access challenge causes the execution of the authorize section. Can you tell me if this is normal?
every packet received by the server is a new UDP packet and passes through all the same path as previous packets. there are mechanisms that allow you to skip from authorise into the next phase - look at the default config, you should see something like eap { ok = return } or such...put that ahead of the thing you want to avoid every single time (usually an LDAP or SQL query etc). in debug mode you can see how the server works... it doesnt go 'ah, a reply to me previous packet, I know exactly where I was when we got to this part of the conversation... i'll start at line 45 or inner-tunnel' - it doesnt do that. it cant do that alan
participants (5)
-
A.L.M.Buxey@lboro.ac.uk -
Alan DeKok -
Arran Cudbard-Bell -
Phil Mayers -
vince technical address