802.1X Extra Miles

3@D4rkn3ss DuMb 32d4rkn3ss at gmail.com
Wed May 4 19:20:06 CEST 2016


Dear all,

@Alan Buxey <https://plus.google.com/u/1/111643914785537954652?prsrc=4>

Actually, I just implemented a simple SQL select count(*) on my MAC table
in the radius db. There is no OS fingerprint or something similar! It would be
really great if you could give a hint about how to implement that :)
@Matthew Newton
I will for sure move to EAP-TLS ... But before that I think I need to have some
'respectable' PKI framework integrated in my current AD. The thing is, the AD
engineers don't really want to deploy 1k certificates :( (GPO), so I will
have to find a way to convince the management.

Thank you all for your input! This is ONE of the GREATEST open source
projects I have encountered till now, and I really LOVE (I eat it, drink it,
and sleep on it) FreeRadius. Will for sure drop some cents out there for
the support :)

Regards

On 4 May 2016 at 19:41, <freeradius-users-request at lists.freeradius.org>
wrote:

>
> Today's Topics:
>
>    1. Re: Problem with multiple LDAP servers (A.L.M.Buxey at lboro.ac.uk)
>    2. Re: Problem with multiple LDAP servers (A.L.M.Buxey at lboro.ac.uk)
>    3. Re: 802.1X Extra Miles (Matthew Newton)
>    4. Re: 802.1X Extra Miles (A.L.M.Buxey at lboro.ac.uk)
>    5. Re: 802.1X Extra Miles (A.L.M.Buxey at lboro.ac.uk)
>    6. Re: 802.1X Extra Miles (Igor Novgorodov)
>    7. LDAP CONFIGURATION IN FreeRadius (WINANT, KEVIN)
>    8. Re: LDAP CONFIGURATION IN FreeRadius (Matthew Newton)
>
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Wed, 4 May 2016 16:19:02 +0000
> From: A.L.M.Buxey at lboro.ac.uk
> To: FreeRadius users mailing list
>         <freeradius-users at lists.freeradius.org>
> Subject: Re: Problem with multiple LDAP servers
> Message-ID: <20160504161902.GC19648 at lboro.ac.uk>
> Content-Type: text/plain; charset=us-ascii
>
> Hi,
>
> > I think the multi instance validation was added after the rlm_ldap code
> was changed.  I've pushed a fix for v3.0.x.
> >
> > I'm going to drop the legacy support from v3.1.x.
>
> ....so long as it can support
>
> server =
> server =
> server =
>
> !!! :)
>
> alan
>
>
> ------------------------------
>
> Message: 2
> Date: Wed, 4 May 2016 16:25:06 +0000
> From: A.L.M.Buxey at lboro.ac.uk
> To: FreeRadius users mailing list
>         <freeradius-users at lists.freeradius.org>
> Subject: Re: Problem with multiple LDAP servers
> Message-ID: <20160504162506.GD19648 at lboro.ac.uk>
> Content-Type: text/plain; charset=us-ascii
>
> Hi,
>
> > If you want visibility into what's going on, it's better to use a
> template section to configure rlm_ldap, and have one instance per server,
> referencing them in a redundant-load-balance block.
>
> ldap ldap1 {}
> ldap ldap2 {}
>
> etc - could all be in one file....
>
> and then use the redundancy load balance block to use them:
>
>      redundant-load-balance {
>                          ldap1
>                          ldap2
>                          ldap3
>                  }
>
> instead of just calling ldap?   interesting....might give that a go (our
> current problem is that we set the lifetime/timeout to 0 and it appears
> that after *some time* (to be found out) and/or *some event* the server
> will not connect to the LDAP anymore... it shouldn't have closed
> connections....)
>
> 1) maybe need some kind of keepalive thing going on in the server (to
> ensure firewalls or linux kernel TCP stuff doesn't play in this?)
>
> 2) more connection info with eg radmin ?
>
> by the way, we are using OpenLDAP compiled against OpenSSL rather than NSS
> - which was the default stuff.... when we did that (use our own LDAP
> compiled against OpenSSL) the reconnection after deliberately breaking
> connectivity worked a treat!  :)
>
>
> alan
>
>
> ------------------------------
>
> Message: 3
> Date: Wed, 4 May 2016 17:25:43 +0100
> From: Matthew Newton <mcn4 at leicester.ac.uk>
> To: FreeRadius users mailing list
>         <freeradius-users at lists.freeradius.org>
> Subject: Re: 802.1X Extra Miles
> Message-ID: <20160504162543.GL39562 at rootmail.cc.le.ac.uk>
> Content-Type: text/plain; charset=us-ascii
>
> On Wed, May 04, 2016 at 07:12:53PM +0300, 3 at D4rkn3ss DuMb wrote:
> >  - since the above are only deployed in my testing environment, and I'm
> > supposed to deploy the same for 1k users, how much memory
> > (RAM, HD, Processor) should I allocate to the radius server?
>
> Until recently I was running a RADIUS server here for 10k users
> mostly doing PEAP/MSCHAPv2 with Samba on 384Mb RAM and a couple of
> virtual CPUs. Now has 2Gb RAM because the host has 64Gb and I
> didn't know what to do with it.
>
> 1k users is nothing really, unless they are authenticating
> excessively.
>
> > The DB is also on the same server as Freeradius.
>
> This is what you need to care about more than FR. Talk to a DBA to
> size that. IMO you still won't need much for that number of users.
>
> Just spin up a small VM and try it. It's 2016. Hardware is cheap
> and plentiful.
>
> >  - what kind of extra-layer could I add to the authentication layer (PC
> > authentication PEAP + MSCHAP v2, against AD 2008, + MAC Verification) to
> > make it even 'more secure'?
>
> Move to EAP-TLS and check certificates instead. As added bonuses,
> authentications will be quicker and the load on your RADIUS server
> will likely drop.
>
> Matthew
>
>
> --
> Matthew Newton, Ph.D. <mcn4 at le.ac.uk>
>
> Systems Specialist, Infrastructure Services,
> I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom
>
> For IT help contact helpdesk extn. 2253, <ithelp at le.ac.uk>
>
>
> ------------------------------
>
> Message: 4
> Date: Wed, 4 May 2016 16:30:13 +0000
> From: A.L.M.Buxey at lboro.ac.uk
> To: FreeRadius users mailing list
>         <freeradius-users at lists.freeradius.org>
> Subject: Re: 802.1X Extra Miles
> Message-ID: <20160504163013.GF19648 at lboro.ac.uk>
> Content-Type: text/plain; charset=us-ascii
>
> Hi,
>
> >  - since the above are only deployed in my testing environment, and I'm
> > supposed to deploy the same for 1k users, how much memory
> > (RAM, HD, Processor) should I allocate to the radius server? The DB is also on
> > the same server as Freeradius.
>
> A quite basic server for 1000 devices: 2GHz, 4Gb RAM, 120G HD.  That's
> probably overkill.
>
> >  - what kind of extra-layer could I add to the authentication layer (PC
> > authentication PEAP + MSCHAP v2, against AD 2008, + MAC Verification) to
> > make it even 'more secure'?
>
> It's pretty strong stuff so long as the client is correctly configured.....
> next step up would be to run your own PKI and use EAP-TLS instead.  The MAC
> auth is your weak point... what's stopping someone borrowing a known/valid
> MAC address? Are you using some kind of system/OS/fingerprint in
> conjunction with MacAuth?
>
> alan
>
>
> ------------------------------
>
> Message: 5
> Date: Wed, 4 May 2016 16:31:47 +0000
> From: A.L.M.Buxey at lboro.ac.uk
> To: FreeRadius users mailing list
>         <freeradius-users at lists.freeradius.org>
> Subject: Re: 802.1X Extra Miles
> Message-ID: <20160504163147.GH19648 at lboro.ac.uk>
> Content-Type: text/plain; charset=us-ascii
>
> Hi,
>
> > authentications will be quicker and the load on your RADIUS server
> > will likely drop.
>
> *will* drop - and auths are faster and less NTLM/AD stuff to worry about
> :-)
>
>
> alan
>
>
> ------------------------------
>
> Message: 6
> Date: Wed, 4 May 2016 19:33:56 +0300
> From: Igor Novgorodov <igor at novg.net>
> To: freeradius-users at lists.freeradius.org
> Subject: Re: 802.1X Extra Miles
> Message-ID: <572A2474.8050009 at novg.net>
> Content-Type: text/plain; charset=utf-8; format=flowed
>
> We're running FreeRADIUS that authenticates 5-6 *million* users per day
> (with peaks about 1000 requests per second) on a small VM with 4 vCPU.
> Memory usage is negligible (200-300MBytes) even with
> max_queue_size=1048576, cleanup_delay=30, max_requests=262144
>
> The database is what's loaded more, but it depends on complexity and
> number of requests per authentication event.
>
> So your case should not be a problem at all.
>
> On 04/05/16 19:12, 3 at D4rkn3ss DuMb wrote:
> > Dear List,
> >
> > I hope you are all doing fine. I know that the following question might be
> > 'out of scope' of the users' list but still, I would like to ask some
> > users' experience. I successfully implemented '802.1x or MAC-Auth' as
> > described on the how-to: the 802.1x is PEAP based (server's certificate
> > deployed on all clients) with Computer authentication (instead of user
> > authentication) + MAC verification (in a specific table in the radius db), and
> > for all non-capable 802.1x end-points (such as pointers) just a MAC
> > verification. However, I'm still confused about the following issues:
> >   - since the above are only deployed in my testing environment, and I'm
> > supposed to deploy the same for 1k users, how much memory
> > (RAM, HD, Processor) should I allocate to the radius server? The DB is also on
> > the same server as Freeradius.
> >   - what kind of extra layer could I add to the authentication layer (PC
> > authentication PEAP + MSCHAP v2, against AD 2008, + MAC Verification) to
> > make it even 'more secure'?
> >
> > Thank you,
> >
> > Regards,
> >
> > KEN
> > -
> > List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
>
>
>
> ------------------------------
>
> Message: 7
> Date: Wed, 4 May 2016 16:34:04 +0000
> From: "WINANT, KEVIN" <KW517G at att.com>
> To: "freeradius-users at lists.freeradius.org"
>         <freeradius-users at lists.freeradius.org>
> Subject: LDAP CONFIGURATION IN FreeRadius
> Message-ID: <751C2B6C8900694381C6D7090C243EA3216016AD at MISOUT7MSGUSRCB.ITServices.sbc.com>
>
> Content-Type: text/plain; charset="us-ascii"
>
> Hi Folks, on the FreeRadius servers we have inherited, I am trying to
> locate where LDAP is configured.
> Our servers communicate with an external authentication server (the company's
> phone directory for user id/pswd verification) so I know someplace in there
> the LDAP server is specified and should indicate which port (389 or 636)
> it is using.
> FreeRadius doc indicates this is defined in radiusd.conf.
> In checking radiusd.conf I do not see anything specifying LDAP.
> Was thinking I would see something similar to this in radiusd.conf:
>
> server = "ldap"
> port = 636
> #port = 389
>
> So my question is, is there someplace else where the LDAP server may be
> configured? Or is radius.conf the place?
> I have poked around in etc/raddb but unable to locate these settings.
>
> Appreciate any information anyone may be able to provide.
> Thanks in Advance
>
>
>
> ------------------------------
>
> Message: 8
> Date: Wed, 4 May 2016 17:41:32 +0100
> From: Matthew Newton <mcn4 at leicester.ac.uk>
> To: FreeRadius users mailing list
>         <freeradius-users at lists.freeradius.org>
> Subject: Re: LDAP CONFIGURATION IN FreeRadius
> Message-ID: <20160504164132.GO39562 at rootmail.cc.le.ac.uk>
> Content-Type: text/plain; charset=us-ascii
>
> On Wed, May 04, 2016 at 04:34:04PM +0000, WINANT, KEVIN wrote:
> > Hi Folks, on the FreeRadius servers we have inherited, I am trying to
> > locate where LDAP is configured.
>
> What version?
>
> > So my question is, is there someplace else where the LDAP server may be
> > configured? Or is radius.conf the place?
> > I have poked around in etc/raddb but unable to locate these settings.
>
> Probably
>
>   /etc/raddb/modules/ldap for v2
>   /etc/raddb/mods-{enabled,available}/ldap for v3
>
> or just "grep -lr ldap /etc/raddb/*" will get you in the right
> direction, as will running FreeRADIUS in debug mode (radiusd -X)
> and reading the output at the start.
>
> Matthew
>
>
> --
> Matthew Newton, Ph.D. <mcn4 at le.ac.uk>
>
> Systems Specialist, Infrastructure Services,
> I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom
>
> For IT help contact helpdesk extn. 2253, <ithelp at le.ac.uk>
>
>
> ------------------------------
>
> End of Freeradius-Users Digest, Vol 133, Issue 8
> ************************************************
>
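
The "simple SQL select count(*)" MAC-table check mentioned at the top of this reply, written out as an added example (not code from the original post or from FreeRADIUS): it normalises the Calling-Station-Id before the lookup, binds it as a query parameter, and labels which of the two paths from the thread (PEAP + MAC, or MAC-only) a request took. The table name `mac_table`, its schema, the `authorize` labels and the sample MACs are assumptions constructed for the example.

```python
import re
import sqlite3
from typing import Optional

# Constructed stand-in for the "specific table in radius db" from the thread;
# the real schema is not on the page, so this table layout is an assumption.
SCHEMA = "CREATE TABLE mac_table (mac TEXT PRIMARY KEY)"


def normalize_mac(raw: str) -> Optional[str]:
    """Canonicalise Calling-Station-Id to lowercase aa:bb:cc:dd:ee:ff.
    NAS vendors send 00-11-22-33-44-55, 0011.2233.4455 or 001122334455;
    a plain text comparison in SQL misses every form but the stored one."""
    digits = re.sub(r"[^0-9a-fA-F]", "", raw)
    if len(digits) != 12:
        return None  # not a MAC address at all: must never match
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2)).lower()


def build_mac_table(allowed) -> sqlite3.Connection:
    """In-memory copy of the authorised-MAC table, normalised on insert."""
    conn = sqlite3.connect(":memory:")
    conn.execute(SCHEMA)
    rows = [(m,) for m in (normalize_mac(a) for a in allowed) if m]
    conn.executemany("INSERT INTO mac_table (mac) VALUES (?)", rows)
    conn.commit()
    return conn


def mac_is_known(conn: sqlite3.Connection, calling_station_id: str) -> bool:
    """The thread's "simple select count(*)", with the attribute bound as a
    parameter: Calling-Station-Id is supplicant-controlled input and must
    never be spliced into the query text."""
    mac = normalize_mac(calling_station_id)
    if mac is None:
        return False
    (count,) = conn.execute(
        "SELECT COUNT(*) FROM mac_table WHERE mac = ?", (mac,)
    ).fetchone()
    return count > 0


def authorize(conn: sqlite3.Connection, attrs: dict) -> str:
    """Policy as described in the thread: 802.1X-capable endpoints need PEAP
    *and* a known MAC; everything else falls back to MAC-only. The returned
    label names the path so MAC-only accepts can be logged and reviewed."""
    if not mac_is_known(conn, attrs.get("Calling-Station-Id", "")):
        return "reject"
    return "eap+mac" if "EAP-Message" in attrs else "mac-only"
```

The "mac-only" label is the weak path Alan points at below: a match proves only that the address is in the table, so those accepts are the ones worth counting per NAS port.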

