802.1X Extra Miles

Johnny R vasiana09 at gmail.com
Thu May 5 06:41:07 CEST 2016


# Arran: Totally right!


v4s[at]#unrelated | "sh3ll is just the beginning"

                                 .__
_____ _______  ____  ___________  |__| ____ _____
\__  \\_  __ \/  _ \/  ___/\__  \ |  |/    \\__  \
 / __ \|  | \(  <_> )___ \  / __ \|  |   |  \/ __ \_
(____  /__|   \____/____  >(____  /__|___|  (____  /
     \/                 \/      \/        \/     \/




On Wed, May 4, 2016 at 10:26 PM, Arran Cudbard-Bell <
a.cudbardb at freeradius.org> wrote:

>
>
> > On 4 May 2016, at 11:07, Johnny R <vasiana09 at gmail.com> wrote:
> >
> > I'm wondering if there is another 'obvious' way to handle non-802.1X
> > capable equipment apart from checking their MAC :(. OS fingerprinting
> > seems a little bit ... more than an extra mile :)
> >
>
> Device fingerprinting, web-auth, those are pretty much the only options.
>
> Better to use a switch that can perform ip filtering with dynamic rules
> from RADIUS to restrict incoming and outgoing connections.
>
> -Arran
>
> >
> >
> >> On Wed, May 4, 2016 at 8:49 PM, Igor Novgorodov <igor at novg.net> wrote:
> >>
> >> Nope, it has complicated logic based on Calling-Station-Id, NAS-IP-Address
> >> & multiple SQL queries.
> >> With EAP it would, of course, use more CPU (if over TLS - even worse).
> >> We currently have about 150% of a Xeon E5-2630 core used at peak times.
> >>
> >>
> >>> On 04/05/16 19:52, Arran Cudbard-Bell wrote:
> >>>
> >>>> On 4 May 2016, at 09:33, Igor Novgorodov <igor at novg.net> wrote:
> >>>>
> >>>> We're running FreeRADIUS that authenticates 5-6 *million* users per day
> >>>> (with peaks about 1000 requests per second) on a small VM with 4 vCPU.
> >>> That's with EAP?
> >>>
> >>> -Arran
> >>>
> >>> Arran Cudbard-Bell <a.cudbardb at freeradius.org>
> >>> FreeRADIUS Development Team
> >>>
> >>> FD31 3077 42EC 7FCD 32FE 5EE2 56CF 27F9 30A8 CAA2
> >>>
> >>>
> >>>
> >>> -
> >>> List info/subscribe/unsubscribe? See
> >>> http://www.freeradius.org/list/users.html
> >>
>
>
>
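
Added example, not part of the thread and not FreeRADIUS code: a Python sketch of the "dynamic rules from RADIUS" idea quoted above, where a device authenticated only by MAC gets an Access-Accept carrying the standard Filter-Id attribute (RFC 2865, type 11), so the switch applies a restrictive ACL to that port. It assumes the switch honours Filter-Id; the MAC inventory, ACL names and shared secret are constructed.

```python
import hashlib
import struct

ACCESS_ACCEPT, ACCESS_REJECT = 2, 3   # RFC 2865 packet codes
FILTER_ID = 11                        # RFC 2865 attribute: filter name on the NAS

# Constructed inventory: known non-802.1X devices -> ACL predefined on the switch.
MAB_PROFILES = {
    "00:11:22:33:44:55": "printer-acl",   # hypothetical ACL names
    "66:77:88:99:aa:bb": "camera-acl",
}

def normalize_mac(value):
    """Reduce common Calling-Station-Id spellings to aa:bb:cc:dd:ee:ff."""
    digits = "".join(c for c in value.lower() if c in "0123456789abcdef")
    if len(digits) != 12:
        raise ValueError("not a MAC address: %r" % value)
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

def build_reply(calling_station_id, ident, request_auth, secret):
    """Access-Accept with Filter-Id for a known device, Access-Reject otherwise."""
    try:
        acl = MAB_PROFILES.get(normalize_mac(calling_station_id))
    except ValueError:
        acl = None
    if acl is None:
        code, attrs = ACCESS_REJECT, b""
    else:
        value = acl.encode()
        code, attrs = ACCESS_ACCEPT, struct.pack("!BB", FILTER_ID, len(value) + 2) + value
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    # Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)
    digest = hashlib.md5(header + request_auth + attrs + secret).digest()
    return header + digest + attrs

def read_reply(packet, request_auth, secret):
    """NAS side: verify the authenticator, return (code, Filter-Id or None)."""
    code, _, length = struct.unpack("!BBH", packet[:4])
    attrs = packet[20:length]
    if hashlib.md5(packet[:4] + request_auth + attrs + secret).digest() != packet[4:20]:
        raise ValueError("bad Response Authenticator")
    pos, filter_id = 0, None
    while pos + 2 <= len(attrs):
        attr_type, attr_len = attrs[pos], attrs[pos + 1]
        if attr_len < 2:
            raise ValueError("malformed attribute")
        if attr_type == FILTER_ID:
            filter_id = attrs[pos + 2:pos + attr_len].decode()
        pos += attr_len
    return code, filter_id
```

Because a MAC address is only an identifier the device asserts, the per-device ACL is what bounds the access granted to anything presenting that MAC.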