Help with chap
Alan DeKok
aland at deployingradius.com
Tue May 21 01:20:48 CEST 2013
Franks Andy (RLZ) IT Systems Engineer wrote:
> Thanks for the help.
> Anecdotally, before I get into serious discovery, I've been running
> the freeradius process in extra debugging mode -xx. I'd read somewhere
> that -X makes it run single threaded, but along those lines of thinking
> I wondered if -xx and the extra debug was causing any performance
> issues. I may be off at completely the wrong tangent, but the problem is
> interesting and I like the odd tangent.
Single-threaded versus multiple threads doesn't usually make a big
difference.
> Anyway, anecdotally as I said, with the server running in fresh from a
> reboot, no debugging, and upping the vm to 4 core instead of 1 (just
> playing), the problem seems vastly reduced. Nearly all clients are
> authenticated within 10 seconds,
Any modern CPU should be able to do hundreds of EAP sessions per second.
If yours can't do that, it was under-provisioned. That's why adding
more CPUs helped: you gave it more CPU power.
> the consistent off ones are some
> ancient mitel voip phones with pcs running off the back, which the
> switch simply doesn't "see" for ages. It just sits there and eventually
> just sends an auth request. In many cases the switch "sec" debug doesn't
> even report the mac address or any activity for this weird phone, but
> the FR linelog shows it authenticated fine. Really strange.
Well, that's a switch problem.
> By the way, if I was to do chap, since I'm running ldap against AD - no
> available plaintext or other passwords, but I'm running mac-based auth,
> can I just use the authorize process to check for "notfound" and check
> the useraccountcontrol setting is correct from an attribute mapping (or
> just use the useraccountcontrol in an ldap filter and rely on not
> found), then just set the cleartext-password attribute to be
> %{username} using some more unlang, then do nothing special in the chap
> authentication bit, just let it "ok" with the plaintext password or is
> that just all wrong? I figure I don't *really* need a password for
> mac-based auth, since it's always going to be == to the username?
That's one huge sentence. I can't make heads or tails of it.
Alan DeKok.
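The approach sketched in the quoted question, written out as an added example in FreeRADIUS 2.x unlang. This is not configuration from the original thread; the 12-hex-digit MAC format of User-Name, the sAMAccountName attribute and the LDAP filter are assumptions for illustration. The one part the question leaves open, how to make "disabled in AD" show up as `notfound`, is handled here by putting the userAccountControl test into the ldap module's search filter (1.2.840.113556.1.4.803 is AD's bitwise-AND matching rule, bit 2 is ACCOUNTDISABLE), so the authorize section only needs to test the module's return code.

```unlang
# modules/ldap (fragment, assumed file layout): let the LDAP search itself
# exclude disabled AD accounts, so unknown and disabled devices both return
# "notfound" to the authorize section below.
ldap {
    basedn = "ou=MAC-Devices,dc=example,dc=com"      # assumed OU
    filter = "(&(sAMAccountName=%{User-Name})(!(userAccountControl:1.2.840.113556.1.4.803:=2)))"
}

# sites-available/default (fragment)
authorize {
    preprocess

    # Only MAC-bypass requests carry a bare 12-hex-digit MAC as User-Name
    # (assumed format; match what the switch actually sends). Ordinary user
    # requests skip this block and never receive a synthesized password.
    if (User-Name =~ /^[0-9a-fA-F]{12}$/) {
        ldap
        if (notfound) {
            reject
        }

        # No retrievable password exists for a MAC account, so define one:
        # the device's "password" is its own MAC address, i.e. the User-Name.
        update control {
            Cleartext-Password := "%{User-Name}"
        }
    }

    # chap sets Auth-Type := CHAP when the request carries CHAP-Password;
    # the CHAP check in authenticate then compares the client's response
    # against the control Cleartext-Password set above. Nothing special needed.
    chap
}

authenticate {
    Auth-Type CHAP {
        chap
    }
}
```

Because the CHAP secret equals the username, the CHAP exchange proves nothing beyond what the LDAP lookup already established (the device account exists and is enabled); the MAC-format test is what keeps that synthesized secret confined to MAC-bypass requests.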