802.1X Extra Miles

Arran Cudbard-Bell a.cudbardb at freeradius.org
Wed May 4 21:26:26 CEST 2016



> On 4 May 2016, at 11:07, Johnny R <vasiana09 at gmail.com> wrote:
> 
> I'm wondering if there is another 'obvious' way to handle non-802.1X
> capable equipment apart from checking their MAC :(. OS fingerprinting,
> seems a little bit ... more than an extra mile :)
> 

Device fingerprinting, web-auth, those are pretty much the only options.

Better to use a switch that can perform ip filtering with dynamic rules from RADIUS to restrict incoming and outgoing connections.

-Arran

> 
> v4s[at]#unrelated | "sh3ll is just the beginning"
> 
> 
>> On Wed, May 4, 2016 at 8:49 PM, Igor Novgorodov <igor at novg.net> wrote:
>> 
>> Nope, it has complicated logic based on Calling-Station-Id, NAS-IP-Address
>> & multiple SQL queries.
>> With EAP it would, of course, use more CPU (if over TLS - even worse).
>> We currently have about 150% of a Xeon E5-2630 core used at peak times.
>> 
>> 
>>> On 04/05/16 19:52, Arran Cudbard-Bell wrote:
>>> 
>>>> On 4 May 2016, at 09:33, Igor Novgorodov <igor at novg.net> wrote:
>>>> 
>>>> We're running FreeRADIUS that authenticates 5-6 *million* users per day
>>>> (with peaks about 1000 requests per second) on a small VM with 4 vCPU.
>>> That's with EAP?
>>> 
>>> -Arran
>>> 
>>> Arran Cudbard-Bell <a.cudbardb at freeradius.org>
>>> FreeRADIUS Development Team
>>> 
>>> FD31 3077 42EC 7FCD 32FE 5EE2 56CF 27F9 30A8 CAA2
>>> 
>>> 
>>> 
>>> -
>>> List info/subscribe/unsubscribe? See
>>> http://www.freeradius.org/list/users.html