802.1X Extra Miles

Matthew Newton mcn4 at leicester.ac.uk
Wed May 4 18:25:43 CEST 2016


On Wed, May 04, 2016 at 07:12:53PM +0300, 3 at D4rkn3ss DuMb wrote:
>  - since the above are just only deployed in my testing environment, and I'm
> supposed to deploy the same for 1k users, how much memory
> (RAM,HD,Processor) should I allocate to radius server!

Until recently I was running a RADIUS server here for 10k users
mostly doing PEAP/MSCHAPv2 with Samba on 384Mb RAM and a couple of
virtual CPUs. Now has 2Gb RAM because the host has 64Gb and I
didn't know what to do with it.

1k users is nothing really, unless they are authenticating
excessively.

> The DB is also on the same server as Freeradius.

This is what you need to care about more than FR. Talk to a DBA to
size that. IMO you still won't need much for that number of users.

Just spin up a small VM and try it. It's 2016. Hardware is cheap
and plentiful.

>  - what kind of extra-layer could I add to the authentication layer (PC
> authentication PEAP + MSCHAP v2, against AD 2008, + MAC Verification) to
> make it even 'more secure'?

Move to EAP-TLS and check certificates instead. As added bonuses,
authentications will be quicker and the load on your RADIUS server
will likely drop.

Matthew


-- 
Matthew Newton, Ph.D. <mcn4 at le.ac.uk>

Systems Specialist, Infrastructure Services,
I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom

For IT help contact helpdesk extn. 2253, <ithelp at le.ac.uk>

