EAP-Handshakes: every reply runs the full authorize-section
FreeRADIUS Version 1.1.0: Hello, we run EAP-TTLS and what we get in Debug-Mode is, that every received EAP-Packet within the TLS-Tunnel-establish runs the complete authorize-section and slows down the overall time to create a TTLS-Tunnel. Reason is, that the User-Name e.g. "NTB-BRINK-610", which is the EAP-Identity, comes with every received EAP-Packet and is always checked against the full authorize-section. Is it possible to skip this redundant checks in the following EAP-responses that build a specific EAP-Session? (the EAP-Idents cant be resolved in our LDAP, cause that machinenames are always unknown to us. What we have to check are the inner-Tunnel - credentials) kind regards Rainer Brinkmann Network-Management University-Clinicum Hamburg / Germany -- Pflichtangaben gemäß Gesetz über elektronische Handelsregister und Genossenschaftsregister sowie das Unternehmensregister (EHUG): Universitätsklinikum Hamburg-Eppendorf Körperschaft des öffentlichen Rechts Gerichtsstand: Hamburg Vorstandsmitglieder: Prof. Dr. Jörg F. Debatin (Vorsitzender) Dr. Alexander Kirstein Ricarda Klein Prof. Dr. Dr. Uwe Koch-Gromus
Rainer Brinkmann wrote:
FreeRADIUS Version 1.1.0:
Hello, we run EAP-TTLS and what we get in Debug-Mode is, that every received EAP-Packet within the TLS-Tunnel-establish runs the complete authorize-section and slows down the overall time to create a TTLS-Tunnel. Reason is, that the User-Name e.g. "NTB-BRINK-610", which is the EAP-Identity, comes with every received EAP-Packet and is always checked against the full authorize-section. Is it possible to skip this redundant checks in the following EAP-responses that build a specific EAP-Session? (the EAP-Idents cant be resolved in our LDAP, cause that machinenames are always unknown to us. What we have to check are the inner-Tunnel - credentials)
kind regards
Rainer Brinkmann Network-Management University-Clinicum Hamburg / Germany
Yep, this issue is reduced in 2.0 pre1 , the eap module will return handled (so will skip the rest of the authorise and authenticate sections) when it doesn't need to authenticate the user, or acquire attributes for authorisation/ authentication. 2.0pre1 brings to number of full autz/auth runs, down to around 3-4 per EAP authentication. -- Arran Cudbard-Bell (A.Cudbard-Bell@sussex.ac.uk) Authentication, Authorisation and Accounting Officer Infrastructure Services | ENG1 E1-1-08 University Of Sussex, Brighton EXT:01273 873900 | INT: 3900
i forgot: thanks for the info ----- Original Message ----- From: "Arran Cudbard-Bell" <A.Cudbard-Bell@sussex.ac.uk> To: "FreeRadius users mailing list" <freeradius-users@lists.freeradius.org> Sent: Monday, June 11, 2007 10:16 AM Subject: Re: EAP-Handshakes: every reply runs the full authorize-section
Rainer Brinkmann wrote:
FreeRADIUS Version 1.1.0:
Hello, we run EAP-TTLS and what we get in Debug-Mode is, that every received EAP-Packet within the TLS-Tunnel-establish runs the complete authorize-section and slows down the overall time to create a TTLS-Tunnel. Reason is, that the User-Name e.g. "NTB-BRINK-610", which is the EAP-Identity, comes with every received EAP-Packet and is always checked against the full authorize-section. Is it possible to skip this redundant checks in the following EAP-responses that build a specific EAP-Session? (the EAP-Idents cant be resolved in our LDAP, cause that machinenames are always unknown to us. What we have to check are the inner-Tunnel - credentials)
kind regards
Rainer Brinkmann Network-Management University-Clinicum Hamburg / Germany
Yep, this issue is reduced in 2.0 pre1 , the eap module will return handled (so will skip the rest of the authorise and authenticate sections) when it doesn't need to authenticate the user, or acquire attributes for authorisation/ authentication.
2.0pre1 brings to number of full autz/auth runs, down to around 3-4 per EAP authentication. -- Arran Cudbard-Bell (A.Cudbard-Bell@sussex.ac.uk) Authentication, Authorisation and Accounting Officer Infrastructure Services | ENG1 E1-1-08 University Of Sussex, Brighton EXT:01273 873900 | INT: 3900 - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-- Pflichtangaben gemäß Gesetz über elektronische Handelsregister und Genossenschaftsregister sowie das Unternehmensregister (EHUG): Universitätsklinikum Hamburg-Eppendorf Körperschaft des öffentlichen Rechts Gerichtsstand: Hamburg Vorstandsmitglieder: Prof. Dr. Jörg F. Debatin (Vorsitzender) Dr. Alexander Kirstein Ricarda Klein Prof. Dr. Dr. Uwe Koch-Gromus
participants (2)
-
Arran Cudbard-Bell -
Rainer Brinkmann