[prev in list] [next in list] [prev in thread] [next in thread]
List: freeradius-users
Subject: RE: FreeRadius Re-Authentication Latency
From: "Smith, James" <james.smith () saabsensis ! com>
Date: 2018-02-21 20:08:03
Message-ID: EEE5E645A16A9D45B172BBF86723B76C66828EF5 () corpmail01 ! corp ! sensis ! com
[Download RAW message or body]
Okay thank you for the advice Alan.
I'll give eapol_test a try to see if that will improve performance.
Thanks,
James
-----Original Message-----
From: Freeradius-Users \
[mailto:freeradius-users-bounces+james.smith=saabsensis.com@lists.freeradius.org] On \
Behalf Of Alan DeKok
Sent: Friday, February 16, 2018 11:43 AM
To: FreeRadius users mailing list <freeradius-users@lists.freeradius.org>
Subject: Re: FreeRadius Re-Authentication Latency
On Feb 16, 2018, at 9:56 AM, Smith, James <james.smith@saabsensis.com> wrote:
> I'm currently experiencing a latency issue with Siemens base stations and CPEs \
> re-authenticating to our FreeRadius server running version 3.0.4. (I understand \
> this version is a little old and should be updated. We will look into this in the \
> new future)
There are lots of fixes... you should be able to upgrade to 3.0.16 without changing \
anything in your existing configuration.
> Attached is my log file after running FreeRadius in debug mode. CPE9@siemens.com is \
> the specific host I'd like to look at but all of our CPEs are experiencing the same \
> issue. We use EAP-TTLS for authentication and it looks like it takes many sessions \
> (167 from what I can tell by looking at the Access-Request ID) to actually complete \
> the re-authentication process. The amount of sessions may vary for each CPE as they \
> can take 2-10 minutes to actually authenticate.
Try using eapol_test for testing. See http://deployingradius.com/ for \
instructions.
If eapol_test works in ~1/10s (and it will), then the problem is elsewhere in the \
network.
But a cheap AP and configure it to do RADIUS. If users can authenticate to those \
systems in 1/10s (and I suspect they will), then the problem is definitely not \
FreeRADIUS.
If that system also doesn't work, then the problem may be radio interference. i.e. \
not the CPE and not FreeRADIUS.
But if it does work, then your current equipment is garbage, and should be replaced \
with hardware that works.
> It starts on line 3546 and finally authenticates on line 18927.
It's possible to edit the debug output to show relevant information, instead of 20K \
lines of stuff..
> CPE (Suplicant) ----> NAS-Identifier = "BS" (Authenticator) ------> Radius Server
>
> Please let me know if you have any questions and/or if you think I have to tweak my \
> configuration somewhere to speed this up.
There is nothing in the FreeRADIUS configuration which says "slow down \
authentication".
All authentication attempts and retries are initiated by the end users system, \
and/or the CPE. If FreeRADIUS responses to the packets quickly, then the problem \
isn't FreeRADIUS.
Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-
This message is intended only for the addressee and may contain information that is \
company confidential or privileged. Any technical data in this message may be \
exported only in accordance with the U.S. International Traffic in Arms Regulations \
(22 CFR Parts 120-130) or the Export Administration Regulations (15 CFR Parts \
730-774). Unauthorized use is strictly prohibited and may be unlawful. If you are not \
the intended recipient, or the person responsible for delivering to the intended \
recipient, you should not read, copy, disclose or otherwise use this message. If you \
have received this email in error, please delete it, and advise the sender \
immediately.
-
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic