Dear List, I hope you are all doing fine. I know that the following question might be 'out of scope' of the user's list but still, I would like to ask some user's experience. I successfully implemented '802.1x or MAC-Auth' as described on the how-to: the 802.1x is PEAP based (server's certificate deployed on all client) with Computer authentication (instead of user authentication) + Mac verification (in a specific table in radius db), and for all non-capable 802.1x end-points (such as pointers) just a mac verification. However, I m still confused about the following issues: - since the above are just only deployed in my testing environment, and I m supposed to deploy the same for 1k users, how much memory (RAM,HD,Processor) should I allocate to radius server! The DB is also on the same server as Freeradius. - what kind of extra-layer could I add to the authentication layer (PC authentication PEAP + MSCHAP v2, against AD 2008, + MAC Verification) to make it even 'more secure'? Thank you, Regards, KEN
On 4 May 2016, at 09:12, 3@D4rkn3ss DuMb <32d4rkn3ss@gmail.com> wrote:
Dear List,
I hope you are all doing fine.
No.
I know that the following question might be 'out of scope' of the user's list but still,
It's not, but it's been answered before, so I suggest you read through the archives.
I would like to ask some user's experience. I successfully implemented '802.1x or MAC-Auth' as described on the how-to: the 802.1x is PEAP based (server's certificate deployed on all client) with Computer authentication (instead of user authentication) + Mac verification (in a specific table in radius db), and for all non-capable 802.1x end-points (such as pointers) just a mac verification. However, I m still confused about the following issues: - since the above are just only deployed in my testing environment, and I m supposed to deploy the same for 1k users, how much memory (RAM,HD,Processor) should I allocate to radius server!
42PB of Ram, Disk space, and Processors.
The DB is also on the same server as Freeradius. - what kind of extra-layer could I add to the authentication layer (PC authentication PEAP + MSCHAP v2, against AD 2008, + MAC Verification) to make it even 'more secure'?
EAP-TLS. -Arran Arran Cudbard-Bell <a.cudbardb@freeradius.org> FreeRADIUS Development Team FD31 3077 42EC 7FCD 32FE 5EE2 56CF 27F9 30A8 CAA2
On Wed, May 04, 2016 at 07:12:53PM +0300, 3@D4rkn3ss DuMb wrote:
- since the above are just only deployed in my testing environment, and I m supposed to deploy the same for 1k users, how much memory (RAM,HD,Processor) should I allocate to radius server!
Until recently I was running a RADIUS server here for 10k users mostly doing PEAP/MSCHAPv2 with Samba on 384Mb RAM and a couple of virtual CPUs. Now has 2Gb RAM because the host has 64Gb and I didn't know what to do with it. 1k users is nothing really, unless they are authenticating excessively.
The DB is also on the same server as Freeradius.
This is what you need to care about more than FR. Talk to a DBA to size that. IMO you still won't need much for that number of users. Just spin up a small VM and try it. It's 2016. Hardware is cheap and plentiful.
- what kind of extra-layer could I add to the authentication layer (PC authentication PEAP + MSCHAP v2, against AD 2008, + MAC Verification) to make it even 'more secure'?
Move to EAP-TLS and check certificates instead. As added bonuses, authentications will be quicker and the load on your RADIUS server will likely drop. Matthew -- Matthew Newton, Ph.D. <mcn4@le.ac.uk> Systems Specialist, Infrastructure Services, I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom For IT help contact helpdesk extn. 2253, <ithelp@le.ac.uk>
Hi,
- since the above are just only deployed in my testing environment, and I m supposed to deploy the same for 1k users, how much memory (RAM,HD,Processor) should I allocate to radius server! The DB is also on the same server as Freeradius.
a quite basic server for 1000 devices. 2GHz, 4Gb RAM, 120G HD. thats probably overkill.
- what kind of extra-layer could I add to the authentication layer (PC authentication PEAP + MSCHAP v2, against AD 2008, + MAC Verification) to make it even 'more secure'?
its pretty strong stuff so long as the client is correctly configured..... next step up would be to run your own PKI and use EAP-TLS instead. the Mac auth is your weak point... whats stopping someone borrowing a known/valid MAC address? are you suing some kind of system/OS/fingerprint in conjunction with MacAuth ? alan
We're running FreeRADIUS that authenticates 5-6 *million* users per day (with peaks about 1000 requests per second) on a small VM with 4 vCPU. Memory usage is negligible (200-300MBytes) even with max_queue_size=1048576, cleanup_delay=30, max_requests=262144 The database is what's loaded more, but it depends on complexity and number of requests per authentication event. So your case should not be a problem at all. On 04/05/16 19:12, 3@D4rkn3ss DuMb wrote:
Dear List,
I hope you are all doing fine. I know that the following question might be 'out of scope' of the user's list but still, I would like to ask some user's experience. I successfully implemented '802.1x or MAC-Auth' as described on the how-to: the 802.1x is PEAP based (server's certificate deployed on all client) with Computer authentication (instead of user authentication) + Mac verification (in a specific table in radius db), and for all non-capable 802.1x end-points (such as pointers) just a mac verification. However, I m still confused about the following issues: - since the above are just only deployed in my testing environment, and I m supposed to deploy the same for 1k users, how much memory (RAM,HD,Processor) should I allocate to radius server! The DB is also on the same server as Freeradius. - what kind of extra-layer could I add to the authentication layer (PC authentication PEAP + MSCHAP v2, against AD 2008, + MAC Verification) to make it even 'more secure'?
Thank you,
Regards,
KEN - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
On 4 May 2016, at 09:33, Igor Novgorodov <igor@novg.net> wrote:
We're running FreeRADIUS that authenticates 5-6 *million* users per day (with peaks about 1000 requests per second) on a small VM with 4 vCPU.
That's with EAP? -Arran Arran Cudbard-Bell <a.cudbardb@freeradius.org> FreeRADIUS Development Team FD31 3077 42EC 7FCD 32FE 5EE2 56CF 27F9 30A8 CAA2
Nope, it has complicated logic based on Calling-Station-Id, NAS-IP-Address & multiple SQL queries. With EAP it would, of course, use more CPU (if over TLS - even worse). We currently have about 150% of a Xeon E5-2630 core used at peak times. On 04/05/16 19:52, Arran Cudbard-Bell wrote:
On 4 May 2016, at 09:33, Igor Novgorodov <igor@novg.net> wrote:
We're running FreeRADIUS that authenticates 5-6 *million* users per day (with peaks about 1000 requests per second) on a small VM with 4 vCPU. That's with EAP?
-Arran
Arran Cudbard-Bell <a.cudbardb@freeradius.org> FreeRADIUS Development Team
FD31 3077 42EC 7FCD 32FE 5EE2 56CF 27F9 30A8 CAA2
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
I m wondering if there is another 'obvious' way to handle non-802.1X capable equipment apart from checking their MAC :(. OS fingerprinting, seems a little bit ... more than an extra mile :) v4s[at]#unrelated | "sh3ll is just the beginning" .__ _____ _______ ____ ___________ |__| ____ _____ \__ \\_ __ \/ _ \/ ___/\__ \ | |/ \\__ \ / __ \| | \( <_> )___ \ / __ \| | | \/ __ \_ (____ /__| \____/____ >(____ /__|___| (____ / \/ \/ \/ \/ \/ On Wed, May 4, 2016 at 8:49 PM, Igor Novgorodov <igor@novg.net> wrote:
Nope, it has complicated logic based on Calling-Station-Id, NAS-IP-Address & multiple SQL queries. With EAP it would, of course, use more CPU (if over TLS - even worse). We currently have about 150% of a Xeon E5-2630 core used at peak times.
On 04/05/16 19:52, Arran Cudbard-Bell wrote:
On 4 May 2016, at 09:33, Igor Novgorodov <igor@novg.net> wrote:
We're running FreeRADIUS that authenticates 5-6 *million* users per day (with peaks about 1000 requests per second) on a small VM with 4 vCPU.
That's with EAP?
-Arran
Arran Cudbard-Bell <a.cudbardb@freeradius.org> FreeRADIUS Development Team
FD31 3077 42EC 7FCD 32FE 5EE2 56CF 27F9 30A8 CAA2
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
> On 4 May 2016, at 11:07, Johnny R <vasiana09@gmail.com> wrote: > > I m wondering if there is another 'obvious' way to handle non-802.1X > capable equipment apart from checking their MAC :(. OS fingerprinting, > seems a little bit ... more than an extra mile :) > Device fingerprinting, web-auth, those are pretty much the only options. Better to use a switch that can perform ip filtering with dynamic rules from RADIUS to restrict incoming and outgoing connections. -Arran > > v4s[at]#unrelated | "sh3ll is just the beginning" > > .__ > _____ _______ ____ ___________ |__| ____ _____ > \__ \\_ __ \/ _ \/ ___/\__ \ | |/ \\__ \ > / __ \| | \( <_> )___ \ / __ \| | | \/ __ \_ > (____ /__| \____/____ >(____ /__|___| (____ / > \/ \/ \/ \/ \/ > > > > >> On Wed, May 4, 2016 at 8:49 PM, Igor Novgorodov <igor@novg.net> wrote: >> >> Nope, it has complicated logic based on Calling-Station-Id, NAS-IP-Address >> & multiple SQL queries. >> With EAP it would, of course, use more CPU (if over TLS - even worse). >> We currently have about 150% of a Xeon E5-2630 core used at peak times. >> >> >>> On 04/05/16 19:52, Arran Cudbard-Bell wrote: >>> >>>> On 4 May 2016, at 09:33, Igor Novgorodov <igor@novg.net> wrote: >>>> >>>> We're running FreeRADIUS that authenticates 5-6 *million* users per day >>>> (with peaks about 1000 requests per second) on a small VM with 4 vCPU. >>> That's with EAP? >>> >>> -Arran >>> >>> Arran Cudbard-Bell <a.cudbardb@freeradius.org> >>> FreeRADIUS Development Team >>> >>> FD31 3077 42EC 7FCD 32FE 5EE2 56CF 27F9 30A8 CAA2 >>> >>> >>> >>> - >>> List info/subscribe/unsubscribe? See >>> http://www.freeradius.org/list/users.html >> >> - >> List info/subscribe/unsubscribe? See >> http://www.freeradius.org/list/users.html > - > List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
# Arran: Totally right !
v4s[at]#unrelated | "sh3ll is just the beginning"
.__
_____ _______ ____ ___________ |__| ____ _____
\__ \\_ __ \/ _ \/ ___/\__ \ | |/ \\__ \
/ __ \| | \( <_> )___ \ / __ \| | | \/ __ \_
(____ /__| \____/____ >(____ /__|___| (____ /
\/ \/ \/ \/ \/
On Wed, May 4, 2016 at 10:26 PM, Arran Cudbard-Bell <
a.cudbardb@freeradius.org> wrote:
>
>
> > On 4 May 2016, at 11:07, Johnny R <vasiana09@gmail.com> wrote:
> >
> > I m wondering if there is another 'obvious' way to handle non-802.1X
> > capable equipment apart from checking their MAC :(. OS fingerprinting,
> > seems a little bit ... more than an extra mile :)
> >
>
> Device fingerprinting, web-auth, those are pretty much the only options.
>
> Better to use a switch that can perform ip filtering with dynamic rules
> from RADIUS to restrict incoming and outgoing connections.
>
> -Arran
>
> >
> > v4s[at]#unrelated | "sh3ll is just the beginning"
> >
> > .__
> > _____ _______ ____ ___________ |__| ____ _____
> > \__ \\_ __ \/ _ \/ ___/\__ \ | |/ \\__ \
> > / __ \| | \( <_> )___ \ / __ \| | | \/ __ \_
> > (____ /__| \____/____ >(____ /__|___| (____ /
> > \/ \/ \/ \/ \/
> >
> >
> >
> >
> >> On Wed, May 4, 2016 at 8:49 PM, Igor Novgorodov <igor@novg.net> wrote:
> >>
> >> Nope, it has complicated logic based on Calling-Station-Id,
> NAS-IP-Address
> >> & multiple SQL queries.
> >> With EAP it would, of course, use more CPU (if over TLS - even worse).
> >> We currently have about 150% of a Xeon E5-2630 core used at peak times.
> >>
> >>
> >>> On 04/05/16 19:52, Arran Cudbard-Bell wrote:
> >>>
> >>>> On 4 May 2016, at 09:33, Igor Novgorodov <igor@novg.net> wrote:
> >>>>
> >>>> We're running FreeRADIUS that authenticates 5-6 *million* users per
> day
> >>>> (with peaks about 1000 requests per second) on a small VM with 4 vCPU.
> >>> That's with EAP?
> >>>
> >>> -Arran
> >>>
> >>> Arran Cudbard-Bell <a.cudbardb@freeradius.org>
> >>> FreeRADIUS Development Team
> >>>
> >>> FD31 3077 42EC 7FCD 32FE 5EE2 56CF 27F9 30A8 CAA2
> >>>
> >>>
> >>>
> >>> -
> >>> List info/subscribe/unsubscribe? See
> >>> http://www.freeradius.org/list/users.html
> >>
> >> -
> >> List info/subscribe/unsubscribe? See
> >> http://www.freeradius.org/list/users.html
> > -
> > List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
>
>
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
>
participants (6)
-
3@D4rkn3ss DuMb -
A.L.M.Buxey@lboro.ac.uk -
Arran Cudbard-Bell -
Igor Novgorodov -
Johnny R -
Matthew Newton