Hi, I'm new to Freeradius, and the concepts behind Radius and network security in general also, so I'm not sure if this is normal or not. I've configured Freeradius so that I can authenticate Windows XP clients on our wireless network through a Linux server's /etc/passwd file. The problem is that authenticating takes around 20 seconds. While running the server in a terminal with the -X flag, I see that my Windows XP client first makes one TLS request, then waits ~20 seconds, then makes two more TLS requests and four TTLS requests all together taking less than one second. After these last six requests the client is immediately online. Can anyone hint me on why the client waits for so long before doing the requests it needs? Is my Freeradius server erroneously defaulting the client to use TLS instead of TTLS, and confusing the client? I've written a radiusd.conf from scratch, so that the server only runs the modules I actually use, hoping this is safer and easier to administrate. Please feedback if anyone have any comments on this approach. Note that the problem described above is also a there with the huge bundled stock configuration file. The configuration is as follows: ##################################################################### prefix = /usr localstatedir = /var logdir = /var/log/radius checkrad = "/usr/sbin/checkrad" pidfile = "/var/run/radiusd/radiusd.pid" max_requests = 2048 bind_address = * cleanup_delay = 2 user = radiusd group = radiusd security { max_attributes = 200 reject_delay = 1 status_server = no } thread pool { start_servers = 5 max_servers = 32 min_spare_servers = 3 max_spare_servers = 10 max_requests_per_server = 0 } modules { unix { } pap { } eap { default_eap_type = ttls tls { private_key_file = /etc/raddb/server.tld.pem certificate_file = /etc/raddb/server.tld.pem CA_file = /etc/raddb/server.tld.pem dh_file = /etc/raddb/dh random_file = /etc/raddb/random fragment_size = 1024 include_length = yes } ttls { } } files { usersfile = /etc/raddb/users acctusersfile = /etc/raddb/acct_users preproxy_usersfile = /etc/raddb/preproxy_users compat = no } } authorize { eap files } authenticate { Auth-Type PAP { pap } unix eap } client x.x.x.x { secret = xxxx shortname = accesspoint01 nastype = other } ##################################################################### Any hints greatly appreciated! Thank you very much :-) Regards, Allan Boll - student and network administrator at a dorm ;-)
Allan Riordan Boll wrote:
The problem is that authenticating takes around 20 seconds. While running the server in a terminal with the -X flag, I see that my Windows XP client first makes one TLS request, then waits ~20 seconds, then makes two more TLS requests and four TTLS requests all together taking less than one second. After these last six requests the client is immediately online.
It sounds like a weird Windows issue...
Can anyone hint me on why the client waits for so long before doing the requests it needs? Is my Freeradius server erroneously defaulting the client to use TLS instead of TTLS, and confusing the client?
No. Many people are running FreeRADIUS with Windows clients (XP SP1, SP2, Vista), and most authentications happen very quickly. I'm not sure why the Windows machines would take so long. Maybe try it with a different access point.
I've written a radiusd.conf from scratch, so that the server only runs the modules I actually use, hoping this is safer and easier to administrate. Please feedback if anyone have any comments on this approach.
If it works... If it doesn't work, go back to the default config. Alan DeKok.
Allan, Maybe I missed it, but what client do you use? Windows does not yet support TTLS natively. Artur On 13 Nov 2007, at 16:23, Alan DeKok wrote:
Allan Riordan Boll wrote:
The problem is that authenticating takes around 20 seconds. While running the server in a terminal with the -X flag, I see that my Windows XP client first makes one TLS request, then waits ~20 seconds, then makes two more TLS requests and four TTLS requests all together taking less than one second. After these last six requests the client is immediately online.
It sounds like a weird Windows issue...
Can anyone hint me on why the client waits for so long before doing the requests it needs? Is my Freeradius server erroneously defaulting the client to use TLS instead of TTLS, and confusing the client?
No. Many people are running FreeRADIUS with Windows clients (XP SP1, SP2, Vista), and most authentications happen very quickly. I'm not sure why the Windows machines would take so long.
Maybe try it with a different access point.
I've written a radiusd.conf from scratch, so that the server only runs the modules I actually use, hoping this is safer and easier to administrate. Please feedback if anyone have any comments on this approach.
If it works...
If it doesn't work, go back to the default config.
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/ users.html
Hi, Windows doesn't natively, but with the help of SecureW2 (http://www.securew2.com) it does quite well. Install it and select it as a EAP Type on the Authenication Tab when you setup your wireless connection. Cheers, Rupes On 13/11/2007, Artur Hecker <hecker@wave-storm.com> wrote:
Allan,
Maybe I missed it, but what client do you use? Windows does not yet support TTLS natively.
Artur
On 13 Nov 2007, at 16:23, Alan DeKok wrote:
Allan Riordan Boll wrote:
The problem is that authenticating takes around 20 seconds. While running the server in a terminal with the -X flag, I see that my Windows XP client first makes one TLS request, then waits ~20 seconds, then makes two more TLS requests and four TTLS requests all together taking less than one second. After these last six requests the client is immediately online.
It sounds like a weird Windows issue...
Can anyone hint me on why the client waits for so long before doing the requests it needs? Is my Freeradius server erroneously defaulting the client to use TLS instead of TTLS, and confusing the client?
No. Many people are running FreeRADIUS with Windows clients (XP SP1, SP2, Vista), and most authentications happen very quickly. I'm not sure why the Windows machines would take so long.
Maybe try it with a different access point.
I've written a radiusd.conf from scratch, so that the server only runs the modules I actually use, hoping this is safer and easier to administrate. Please feedback if anyone have any comments on this approach.
If it works...
If it doesn't work, go back to the default config.
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/ users.html
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Maybe I missed it, but what client do you use? Windows does not yet support TTLS natively.
yes sorry, i forgot to say. I am already using SecureW2 of course. And it does work, it's just very slow at authenticating... Also, I'm using FreeRADIUS 1.1.7.
If it works...
If it doesn't work, go back to the default config.
Well, the default config had the same problem. That's why I tried writing one from scratch, to make sure there wasn't some obscure module making the server hang. Is this an unusual approach to write a config from scratch, or is it a good idea? Would love to hear what's normal. Thank you for your replies! :-)
On Wed, 2007-11-14 at 00:15 +0100, Allan Riordan Boll wrote:
Maybe I missed it, but what client do you use? Windows does not yet support TTLS natively.
yes sorry, i forgot to say. I am already using SecureW2 of course. And it does work, it's just very slow at authenticating... Also, I'm using FreeRADIUS 1.1.7.
If it works...
If it doesn't work, go back to the default config.
Well, the default config had the same problem. That's why I tried writing one from scratch, to make sure there wasn't some obscure module making the server hang. Is this an unusual approach to write a config from scratch, or is it a good idea? Would love to hear what's normal.
Most people get it wrong when they do that, and the default config does almost everything right, so it's not advised. Keeping the config as close as possible to the generic "does everything" config also means you're walking a well-trodden path in terms of support.
Hello Allan On 14 Nov 2007, at 00:15, Allan Riordan Boll wrote:
Maybe I missed it, but what client do you use? Windows does not yet support TTLS natively.
yes sorry, i forgot to say. I am already using SecureW2 of course. And it does work, it's just very slow at authenticating... Also, I'm using FreeRADIUS 1.1.7.
ok, that's what I thought, but there are people outthere actually using other stuff (wire1X, xsupplicant, etc). from the experience, SecureW2 TTLS works just fine with freeradius. but just for the sake of an experiment, maybe you could also test PEAP. that should not change anything from the freeradius user DB perspective.
Well, the default config had the same problem. That's why I tried writing one from scratch, to make sure there wasn't some obscure module making the server hang. Is this an unusual approach to write a config from scratch, or is it a good idea? Would love to hear what's normal.
the default config should work just fine. what I would do in your position is simplify stuff. I did not look at your config, but: - try PEAP with the built in windows EAP peer and then TTLS with the SecureW2, see if something changes; - in the standard config, both should work as soon as you add a user with a User-Password to your users file. in the beginning and for testing, don't use databases, maybe your server has difficulties connecting to it, or something. - if the server replies correctly with -X, then this is probably a user right issue. - to me it looks like some issue with the server certificate validity (mutual authentication). how did you configure SecureW2? does it verify the server certificate? does it ask the user if the certificate is unnknown? the best would be to add the signing CA to your trusted roots at the windows pc *before* any authentication tries. you should verify that the server certificate is correctly verified by the windows pc (simply download the server certficate in .der format and open it in the explorer. it should not say "untrusted"). it would be *very* surprising if the communication were still as you described it. what authenticator do you use? artur
- try PEAP with the built in windows EAP peer and then TTLS with the SecureW2, see if something changes;
- in the standard config, both should work as soon as you add a user with a User-Password to your users file. in the beginning and for testing, don't use databases, maybe your server has difficulties connecting to it, or something.
- if the server replies correctly with -X, then this is probably a user right issue.
- to me it looks like some issue with the server certificate validity (mutual authentication). how did you configure SecureW2? does it verify the server certificate? does it ask the user if the certificate is unnknown? the best would be to add the signing CA to your trusted roots at the windows pc *before* any authentication tries. you should verify that the server certificate is correctly verified by the windows pc (simply download the server certficate in .der format and open it in the explorer. it should not say "untrusted").
it would be *very* surprising if the communication were still as you described it. what authenticator do you use?
artur
Hi Artur, thank you very much for your constructive suggestions. I will try these one of the following days and write back to the mailinglist with my results. - Allan
I'm posting a colleague's response (by request, he didn't want to subscribe himself): Allan Riordan Boll wrote:
Maybe I missed it, but what client do you use? Windows does not yet support TTLS natively.
yes sorry, i forgot to say. I am already using SecureW2 of course. And it does work, it's just very slow at authenticating... Also, I'm using FreeRADIUS 1.1.7.
If it works...
If it doesn't work, go back to the default config.
Well, the default config had the same problem. That's why I tried writing one from scratch, to make sure there wasn't some obscure module making the server hang. Is this an unusual approach to write a config from scratch, or is it a good idea? Would love to hear what's normal.
Thank you for your replies! :-)
Define slow. Where are you seeing the slowness? By default many Cisco authenticators have timeouts of 30 seconds per auth session or so, as well as additional time between successive EAPOL requests to the client (5 seconds?). (That is, Cisco authenticators have a timeout to wait for an answer from the client between EAPOL requests within the same session as well as a timeout between session attempts themselves, as well as settings for how many successive EAPOLs to send within a given session, before trying to reauthenticate (start a new session)). If you turn on both logging from the authenticator and radiusd -X, you can correlate when you see auth(z) requests come in with when the authenticator is waiting for the client (or vice-versa). =========================================================== Peter C. Lai | Bard College at Simon's Rock Systems Administrator | 84 Alford Rd. Information Technology Svcs | Gt. Barrington, MA 01230 USA peter AT simons-rock.edu | (413) 528-7428 ===========================================================
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Hi,
eap { default_eap_type = ttls
tls { private_key_file = /etc/raddb/server.tld.pem certificate_file = /etc/raddb/server.tld.pem CA_file = /etc/raddb/server.tld.pem dh_file = /etc/raddb/dh random_file = /etc/raddb/random fragment_size = 1024 include_length = yes }
ttls { } }
whoa. you seem to have stripped out all the stuff from the ttls stanza. FreeRADIUS 2.0 can do EAP in a quicker time due to handling the packets differently.... but even 1.1.7 can do an EAP-TTLS in sub-second speed even using LDAP/AD/mysql and perl..... alan
participants (7)
-
A.L.M.Buxey@lboro.ac.uk -
Alan DeKok -
Allan Riordan Boll -
Artur Hecker -
charlie derr -
Phil Mayers -
Rupert Finnigan