EAP Taking Too Long to Authenticate
Syed Rais Ahmad NON DRI
SAhmad at darden.com
Mon Nov 2 22:00:53 CET 2015
I am using NTLM for login-prompt based devices and EAP for laptops. Our laptops have certificates signed by our own Root CA. Radius already has root, ca and its own certificates installed. It’s not that it doesn’t authenticate, it authenticates but takes too much time.
On one of the wireless controllers, the call flow between Radius and itself is as follows:
Nov 2 12:14:27 station-down *
Nov 2 12:14:28 station-up *
Nov 2 12:14:28 eap-id-req <-
Nov 2 12:14:28 eap-start ->
Nov 2 12:14:28 eap-id-req <-
Nov 2 12:14:28 eap-id-resp ->
Nov 2 12:14:28 rad-req ->
Nov 2 12:14:28 eap-id-resp ->
Nov 2 12:14:28 rad-resp <-
Nov 2 12:14:28 eap-req <-
Nov 2 12:14:28 eap-nak ->
Nov 2 12:14:28 rad-req ->
Nov 2 12:14:28 rad-resp <-
Nov 2 12:14:28 eap-req <-
Nov 2 12:14:28 eap-resp ->
Nov 2 12:14:28 rad-req ->
Nov 2 12:14:28 rad-resp <-
Nov 2 12:14:28 eap-req <-
Nov 2 12:14:28 eap-resp ->
Nov 2 12:14:28 rad-req ->
Nov 2 12:14:28 rad-resp <-
Nov 2 12:14:28 eap-req <-
Nov 2 12:14:28 eap-resp ->
Nov 2 12:14:28 rad-req ->
Nov 2 12:14:28 rad-resp <-
Nov 2 12:14:28 eap-req <-
Nov 2 12:14:28 eap-resp ->
Nov 2 12:14:28 rad-req ->
Nov 2 12:14:28 rad-resp <-
Nov 2 12:14:28 eap-req <-
Nov 2 12:14:28 eap-resp ->
Nov 2 12:14:28 rad-req ->
Nov 2 12:14:28 rad-resp <-
Nov 2 12:14:28 eap-req <-
Nov 2 12:14:28 eap-resp ->
Nov 2 12:14:28 rad-req ->
Nov 2 12:14:28 rad-resp <-
Nov 2 12:14:28 eap-req <-
Nov 2 12:14:46 eap-start ->
Nov 2 12:14:46 eap-id-req <-
Nov 2 12:14:46 eap-id-resp ->
Nov 2 12:14:46 rad-req ->
Nov 2 12:14:46 rad-resp <-
Nov 2 12:14:46 eap-req <-
Nov 2 12:14:46 eap-nak ->
Nov 2 12:14:46 rad-req ->
Nov 2 12:14:46 rad-resp <-
Nov 2 12:14:46 eap-req <-
Nov 2 12:14:46 eap-resp ->
Nov 2 12:14:46 rad-req ->
Nov 2 12:14:46 rad-resp <-
Nov 2 12:14:46 eap-req <-
Nov 2 12:14:46 eap-resp ->
Nov 2 12:14:46 rad-req ->
Nov 2 12:14:46 rad-resp <-
Nov 2 12:14:46 eap-req <-
Nov 2 12:14:46 eap-resp ->
Nov 2 12:14:46 rad-req ->
Nov 2 12:14:46 rad-resp <-
Nov 2 12:14:46 eap-req <-
Nov 2 12:14:46 eap-resp ->
Nov 2 12:14:46 rad-req ->
Nov 2 12:14:46 rad-resp <-
Nov 2 12:14:46 eap-req <-
Nov 2 12:14:46 eap-resp ->
Nov 2 12:14:46 rad-req ->
Nov 2 12:14:46 rad-resp <-
Nov 2 12:14:46 eap-req <-
Nov 2 12:14:46 eap-resp ->
Nov 2 12:14:46 rad-req ->
Nov 2 12:14:46 rad-resp <-
Nov 2 12:14:46 eap-req <-
Nov 2 12:14:46 eap-resp ->
Nov 2 12:14:46 rad-req ->
Nov 2 12:14:46 rad-resp <-
Nov 2 12:14:46 eap-req <-
Nov 2 12:14:46 eap-resp ->
Nov 2 12:14:46 rad-req ->
Nov 2 12:14:46 rad-resp <-
Nov 2 12:14:46 eap-req <-
Nov 2 12:14:46 eap-resp ->
Nov 2 12:14:46 rad-req ->
Nov 2 12:14:46 rad-accept <-
Nov 2 12:14:46 eap-success <-
Nov 2 12:14:46 station-data-ready *
Nov 2 12:14:46 wpa2-key1 <-
Nov 2 12:14:46 wpa2-key2 ->
Nov 2 12:14:46 wpa2-key3 <-
Nov 2 12:14:46 wpa2-key4 ->
From: Alan Buxey [mailto:A.L.M.Buxey at lboro.ac.uk]
Sent: Monday, November 02, 2015 2:13 PM
To: FreeRadius users mailing list; Syed Rais Ahmad NON DRI; freeradius-users at lists.freeradius.org
Subject: Re: EAP Taking Too Long to Authenticate
You need to profile your authentication What modules are you using? Run in rasiusd -Xxx (to get timings rather than just debug) Find the slow point. We use 2048 bit cert and DH and our PEAP etc take milliseconds
alan
This e-mail message is for the sole use of the intended recipient and may contain information that is confidential, proprietary or privileged. Any unauthorized review, use, distribution, copying or disclosure is strictly prohibited. If you are not the intended recipient, or the employee or agent responsible for delivering it to the intended recipient, please notify sender of the delivery error by replying to this message and then delete it from your system. Receipt by anyone other than the intended recipient is not a waiver of confidentiality or privilege.
More information about the Freeradius-Users
mailing list