Re: 802.1X Extra Miles
Dear all, @Alan Buxey <https://plus.google.com/u/1/111643914785537954652?prsrc=4> Actually, I just implemented a simple SQL select count(*) to my MAC table in radius db. There is no OS fingerprint or something similar! would be really great if you could give a hint about how to implement that :) @ Matthew Newton I will for sure move to EAP-TLS ... But before I think I need to have some 'respectable' PKI framework integrated in my current AD. The thing, the AD engineers don't really want to deploy 1k certificates :( (GPO), so i will have to find a way to convince the management. Thank you all for your input! This is ONE of the GREATEST open source project I have encountered till now, and I really LOVE (I eat it, drink it, and sleep on it) FreeRadius. Will for sure drop some cents out there for the support :) Regards On 4 May 2016 at 19:41, <freeradius-users-request@lists.freeradius.org> wrote:
Send Freeradius-Users mailing list submissions to freeradius-users@lists.freeradius.org
To subscribe or unsubscribe via the World Wide Web, visit http://lists.freeradius.org/mailman/listinfo/freeradius-users or, via email, send a message with subject or body 'help' to freeradius-users-request@lists.freeradius.org
You can reach the person managing the list at freeradius-users-owner@lists.freeradius.org
When replying, please edit your Subject line so it is more specific than "Re: Contents of Freeradius-Users digest..."
Today's Topics:
1. Re: Problem with multiple LDAP servers (A.L.M.Buxey@lboro.ac.uk) 2. Re: Problem with multiple LDAP servers (A.L.M.Buxey@lboro.ac.uk) 3. Re: 802.1X Extra Miles (Matthew Newton) 4. Re: 802.1X Extra Miles (A.L.M.Buxey@lboro.ac.uk) 5. Re: 802.1X Extra Miles (A.L.M.Buxey@lboro.ac.uk) 6. Re: 802.1X Extra Miles (Igor Novgorodov) 7. LDAP CONFIGURATION IN FreeRadius (WINANT, KEVIN) 8. Re: LDAP CONFIGURATION IN FreeRadius (Matthew Newton)
----------------------------------------------------------------------
Message: 1 Date: Wed, 4 May 2016 16:19:02 +0000 From: A.L.M.Buxey@lboro.ac.uk To: FreeRadius users mailing list <freeradius-users@lists.freeradius.org> Subject: Re: Problem with multiple LDAP servers Message-ID: <20160504161902.GC19648@lboro.ac.uk> Content-Type: text/plain; charset=us-ascii
Hi,
I think the multi instance validation was added after the rlm_ldap code was changed. I've pushed a fix for v3.0.x.
I'm going to drop the legacy support from v3.1.x.
....so long as it can support
server = server = server =
!!! :)
alan
------------------------------
Message: 2 Date: Wed, 4 May 2016 16:25:06 +0000 From: A.L.M.Buxey@lboro.ac.uk To: FreeRadius users mailing list <freeradius-users@lists.freeradius.org> Subject: Re: Problem with multiple LDAP servers Message-ID: <20160504162506.GD19648@lboro.ac.uk> Content-Type: text/plain; charset=us-ascii
Hi,
If you want visibility into what's going on, it's better to use a template section to configure rlm_ldap, and have one instance per server, referencing them in a redundant-load-balance block.
ldap ldap1 {} ldap ldap2 {}
etc - could all be in one file....
and then use the redundancy load balance block to use them:
redundant-load-balance { ldap1 ldap2 ldap3 }
instead of just calling ldap ? interesting....might give that a go (our current problem is that we set the lifetime/timeout to 0 and it appears that after *seme time* (to be found out) and/or *some event* the server will not connect to the LDAP anymore... it shouldnt have closed connections....)
1) maybe need some kind of keepalive thing going on in the server (to ensure firewalls or linux kernel TCP stuff doesnt play in this?)
2) more connection info with eg radmin ?
by the way, we are using OpenLDAP compiled against OpenSSL rather than NSS - which was the default stuff.... when we did that (use our own LDAP compiled against OpenSSL) the reconnection after deliberately breaking connectivity worked a treat! :)
alan
------------------------------
Message: 3 Date: Wed, 4 May 2016 17:25:43 +0100 From: Matthew Newton <mcn4@leicester.ac.uk> To: FreeRadius users mailing list <freeradius-users@lists.freeradius.org> Subject: Re: 802.1X Extra Miles Message-ID: <20160504162543.GL39562@rootmail.cc.le.ac.uk> Content-Type: text/plain; charset=us-ascii
On Wed, May 04, 2016 at 07:12:53PM +0300, 3@D4rkn3ss DuMb wrote:
- since the above are just only deployed in my testing environment, and I m supposed to deploy the same for 1k users, how much memory (RAM,HD,Processor) should I allocate to radius server!
Until recently I was running a RADIUS server here for 10k users mostly doing PEAP/MSCHAPv2 with Samba on 384Mb RAM and a couple of virtual CPUs. Now has 2Gb RAM because the host has 64Gb and I didn't know what to do with it.
1k users is nothing really, unless they are authenticating excessively.
The DB is also on the same server as Freeradius.
This is what you need to care about more than FR. Talk to a DBA to size that. IMO you still won't need much for that number of users.
Just spin up a small VM and try it. It's 2016. Hardware is cheap and plentiful.
- what kind of extra-layer could I add to the authentication layer (PC authentication PEAP + MSCHAP v2, against AD 2008, + MAC Verification) to make it even 'more secure'?
Move to EAP-TLS and check certificates instead. As added bonuses, authentications will be quicker and the load on your RADIUS server will likely drop.
Matthew
-- Matthew Newton, Ph.D. <mcn4@le.ac.uk>
Systems Specialist, Infrastructure Services, I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom
For IT help contact helpdesk extn. 2253, <ithelp@le.ac.uk>
------------------------------
Message: 4 Date: Wed, 4 May 2016 16:30:13 +0000 From: A.L.M.Buxey@lboro.ac.uk To: FreeRadius users mailing list <freeradius-users@lists.freeradius.org> Subject: Re: 802.1X Extra Miles Message-ID: <20160504163013.GF19648@lboro.ac.uk> Content-Type: text/plain; charset=us-ascii
Hi,
- since the above are just only deployed in my testing environment, and I m supposed to deploy the same for 1k users, how much memory (RAM,HD,Processor) should I allocate to radius server! The DB is also on the same server as Freeradius.
a quite basic server for 1000 devices. 2GHz, 4Gb RAM, 120G HD. thats probably overkill.
- what kind of extra-layer could I add to the authentication layer (PC authentication PEAP + MSCHAP v2, against AD 2008, + MAC Verification) to make it even 'more secure'?
its pretty strong stuff so long as the client is correctly configured..... next step up would be to run your own PKI and use EAP-TLS instead. the Mac auth is your weak point... whats stopping someone borrowing a known/valid MAC address? are you suing some kind of system/OS/fingerprint in conjunction with MacAuth ?
alan
------------------------------
Message: 5 Date: Wed, 4 May 2016 16:31:47 +0000 From: A.L.M.Buxey@lboro.ac.uk To: FreeRadius users mailing list <freeradius-users@lists.freeradius.org> Subject: Re: 802.1X Extra Miles Message-ID: <20160504163147.GH19648@lboro.ac.uk> Content-Type: text/plain; charset=us-ascii
Hi,
authentications will be quicker and the load on your RADIUS server will likely drop.
*will* drop - and auths are faster and less NTLM/AD stuff to worry about :-)
alan
------------------------------
Message: 6 Date: Wed, 4 May 2016 19:33:56 +0300 From: Igor Novgorodov <igor@novg.net> To: freeradius-users@lists.freeradius.org Subject: Re: 802.1X Extra Miles Message-ID: <572A2474.8050009@novg.net> Content-Type: text/plain; charset=utf-8; format=flowed
We're running FreeRADIUS that authenticates 5-6 *million* users per day (with peaks about 1000 requests per second) on a small VM with 4 vCPU. Memory usage is negligible (200-300MBytes) even with max_queue_size=1048576, cleanup_delay=30, max_requests=262144
The database is what's loaded more, but it depends on complexity and number of requests per authentication event.
So your case should not be a problem at all.
On 04/05/16 19:12, 3@D4rkn3ss DuMb wrote:
Dear List,
I hope you are all doing fine. I know that the following question might be 'out of scope' of the user's list but still, I would like to ask some user's experience. I successfully implemented '802.1x or MAC-Auth' as described on the how-to: the 802.1x is PEAP based (server's certificate deployed on all client) with Computer authentication (instead of user authentication) + Mac verification (in a specific table in radius db), and for all non-capable 802.1x end-points (such as pointers) just a mac verification. However, I m still confused about the following issues: - since the above are just only deployed in my testing environment, and I m supposed to deploy the same for 1k users, how much memory (RAM,HD,Processor) should I allocate to radius server! The DB is also on the same server as Freeradius. - what kind of extra-layer could I add to the authentication layer (PC authentication PEAP + MSCHAP v2, against AD 2008, + MAC Verification) to make it even 'more secure'?
Thank you,
Regards,
KEN - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
------------------------------
Message: 7 Date: Wed, 4 May 2016 16:34:04 +0000 From: "WINANT, KEVIN" <KW517G@att.com> To: "freeradius-users@lists.freeradius.org" <freeradius-users@lists.freeradius.org> Subject: LDAP CONFIGURATION IN FreeRadius Message-ID: < 751C2B6C8900694381C6D7090C243EA3216016AD@MISOUT7MSGUSRCB.ITServices.sbc.com
Content-Type: text/plain; charset="us-ascii"
Hi Folks, On the FreeRadius servers we have inherited, I am trying to locate where LDAP is configured. Our Servers communicate with an External Authentication server (companies phone directory for user id/pswd verification) so I know someplace in there the LDAP server is specified and should indicate which port (389 or 636) it is using. FreeRadius doc indicates this is defined in radiusd.conf In checking radiusd.conf I do not see anything specifying LDAP. Was thinking would see something similar to this in radiusd.conf:
server = "ldap" port = 636 #port = 389
SO my question is, is there someplace else where the LDAP server may be configured? Or radius.conf is the place.?? I have poked around in etc/raddb but unable to locate these settings.
Appreciate any information anyone may be able to provide. Thanks in Advance
------------------------------
Message: 8 Date: Wed, 4 May 2016 17:41:32 +0100 From: Matthew Newton <mcn4@leicester.ac.uk> To: FreeRadius users mailing list <freeradius-users@lists.freeradius.org> Subject: Re: LDAP CONFIGURATION IN FreeRadius Message-ID: <20160504164132.GO39562@rootmail.cc.le.ac.uk> Content-Type: text/plain; charset=us-ascii
On Wed, May 04, 2016 at 04:34:04PM +0000, WINANT, KEVIN wrote:
Hi Folks, On the FreeRadius servers we have inherited, I am trying to locate where LDAP is configured.
What version?
SO my question is, is there someplace else where the LDAP server may be configured? Or radius.conf is the place.?? I have poked around in etc/raddb but unable to locate these settings.
Probably
/etc/raddb/modules/ldap for v2 /etc/raddb/mods-{enabled,available}/ldap for v3
or just "grep -lr ldap /etc/raddb/*" will get you in the right direction, as will running FreeRADIUS in debug mode (radiusd -X) and reading the output at the start.
Matthew
-- Matthew Newton, Ph.D. <mcn4@le.ac.uk>
Systems Specialist, Infrastructure Services, I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom
For IT help contact helpdesk extn. 2253, <ithelp@le.ac.uk>
------------------------------
Subject: Digest Footer
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
------------------------------
End of Freeradius-Users Digest, Vol 133, Issue 8 ************************************************
participants (1)
-
3@D4rkn3ss DuMb