(RADIATOR) Accelerating Authentication Process

Hugh Irvine hugh at open.com.au
Wed Sep 17 20:13:18 CDT 2003


Hello Karl -

I agree with you - the Radiator processing looks very slow.

Can you tell me what type of machine you are running (hardware and  
software distribution)?

And can you tell me what else is running on the machine? Perhaps you  
could run a "top" and send it to me?

The reason you are seeing two authentications is because the EAP  
handling is a multi-step process, so what you are seeing is "normal".

regards

Hugh


On Thursday, Sep 18, 2003, at 00:13 Australia/Melbourne,  
kpracher at bsr.at wrote:

>
> Hi!
>
> I set up and configured Radiator so that it works just fine. My users
> are working on MS-DOS- and WinCE-based WLAN devices which are
> installed on fork-lift trucks. They are driving around in a big storage
> hall where some Cisco access points are installed.
>
> When the users are moving around, they are roamed between the
> different access points, where they are authenticated each time. But
> the authentication process takes about 3 seconds and that is much too
> long. Do I have the opportunity to accelerate the authentication
> process or is there a way to tell the "next" access point that one
> user has been authenticated on another access point?
>
> Below I attach my configuration and the logfiles for the
> authentication on one access point. What makes me wonder a bit and
> also takes a lot of time is that I have been authenticated two times,
> but I only logged in once (I am quite sure about that).
>
> I hope someone can help me.
>
> Thanks
>
> - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
> #Configuration for Radiator Radius Server Demo 3.6
> #OS : Linux
> #---------------------------------------------------------------------------
>
> Foreground
> LogStdout
> Trace 4
>
> AuthPort 1812
> AcctPort 1813
>
> LogDir /etc/radiator/logs
> LogFile %L/Logfile_%Y%m%d
>
> DbDir /etc/radiator/confs
> DictionaryFile %D/dictionary
>
> <Client 192.168.1.180>
>         Secret xxx
>         PacketTrace
>         IgnoreAcctSignature
> </Client>
>
> <Realm DEFAULT>
>         <AuthBy FILE>
>                 Filename %D/users
>                 RejectEmptyPassword
>                 EAPType LEAP
>         </AuthBy>
>
>         <AuthLog FILE>
>                 Filename %L/Authlog_%Y%m%d
>                 LogSuccess 1
>                 LogFailure 1
>         </AuthLog>
>
>         AcctLogFileName        %L/Acctlog_%Y%m%d
>
>         PacketTrace
> </Realm>
>
> <Monitor>
>         Port xxxx
>         Clients 127.0.0.1
>         Username xxx
>         Password xxx
> </Monitor>
>
> - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
> #Logfile of Radiator Radius Server Demo 3.6
> #----------------------------------------------------------------
>
> Wed Sep 17 15:22:59 2003: DEBUG: Packet dump:
> *** Received from 192.168.1.180 port 1085 ....
> Code:       Access-Request
> Identifier: 61
> Authentic:  <200>#<154>_V<240><132><175><17><217>X<208>)<179><199>m
> Attributes:
>         User-Name = "Karl"
>         cisco-avpair = "ssid=xxx"
>         NAS-IP-Address = 192.168.1.180
>         Called-Station-Id = "000d28240a8a"
>         Calling-Station-Id = "000bfd92f6e3"
>         NAS-Identifier = "AP1200"
>         NAS-Port = 37
>         Framed-MTU = 1400
>         NAS-Port-Type = Wireless-IEEE-802-11
>         Service-Type = Login-User
>         EAP-Message = <2><15><0><9><1>Karl
>         Message-Authenticator =  
> <244><150><165><16><251>(<193><5><146>h5{R<189><13><132>
>
> Wed Sep 17 15:23:00 2003: DEBUG: Handling request with Handler  
> 'Realm=DEFAULT'
> Wed Sep 17 15:23:00 2003: DEBUG:  Deleting session for Karl,  
> 192.168.1.180, 37
> Wed Sep 17 15:23:00 2003: DEBUG: Handling with Radius::AuthFILE:
> Wed Sep 17 15:23:00 2003: DEBUG: Handling with EAP: code 2, 15, 9
> Wed Sep 17 15:23:00 2003: DEBUG: Response type 1
> Wed Sep 17 15:23:00 2003: DEBUG: Access challenged for Karl: EAP LEAP  
> Challenge
> Wed Sep 17 15:23:01 2003: DEBUG: Packet dump:
> *** Sending to 192.168.1.180 port 1085 ....
>
> Packet length = 60
> 0b 3d 00 3c 23 f6 81 58 b3 5a 3b f2 5a bb 74 b1
> 38 f6 02 1a 4f 16 01 10 00 14 11 01 00 08 3c 7b
> 62 65 b1 e1 21 5e 4b 61 72 6c 50 12 b6 29 11 f4
> 76 3a a6 16 11 5e 5c 4e 43 33 62 57
> Code:       Access-Challenge
> Identifier: 61
> Authentic:  <200>#<154>_V<240><132><175><17><217>X<208>)<179><199>m
> Attributes:
>         EAP-Message = <1><16><0><20><17><1><0><8><{be<177><225>!^Karl
>         Message-Authenticator =  
> <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
>
> Wed Sep 17 15:23:01 2003: DEBUG: Packet dump:
> *** Received from 192.168.1.180 port 1086 ....
> Code:       Access-Request
> Identifier: 62
> Authentic:  <16>C<4>~<211><207>#I7z<31>h<128><218>Dg
> Attributes:
>         User-Name = "Karl"
>         cisco-avpair = "ssid=xxx"
>         NAS-IP-Address = 192.168.1.180
>         Called-Station-Id = "000d28240a8a"
>         Calling-Station-Id = "000bfd92f6e3"
>         NAS-Identifier = "AP1200"
>         NAS-Port = 37
>         Framed-MTU = 1400
>         NAS-Port-Type = Wireless-IEEE-802-11
>         Service-Type = Login-User
>         EAP-Message =  
> <2><16><0>$<17><1><0><24>A.B<2><242>(W<15><242><221><156><157><195><12> 
> <168><253><158><127><163><2>jR<212><146>Karl
>         Message-Authenticator =  
> $<153><175><222><177>9<140>[<172>Eo><25>x<22><145>
>
> Wed Sep 17 15:23:02 2003: DEBUG: Handling request with Handler  
> 'Realm=DEFAULT'
> Wed Sep 17 15:23:02 2003: DEBUG:  Deleting session for Karl,  
> 192.168.1.180, 37
> Wed Sep 17 15:23:02 2003: DEBUG: Handling with Radius::AuthFILE:
> Wed Sep 17 15:23:02 2003: DEBUG: Handling with EAP: code 2, 16, 36
> Wed Sep 17 15:23:02 2003: DEBUG: Response type 17
> Wed Sep 17 15:23:02 2003: DEBUG: Radius::AuthFILE looks for match with  
> Karl
> Wed Sep 17 15:23:02 2003: DEBUG: Radius::AuthFILE ACCEPT:
> Wed Sep 17 15:23:02 2003: DEBUG: Access accepted for Karl
> Wed Sep 17 15:23:03 2003: DEBUG: Packet dump:
> *** Sending to 192.168.1.180 port 1086 ....
>
> Packet length = 44
> 02 3e 00 2c 04 7f 46 81 e3 13 20 19 7e 46 e6 61
> 67 bf 18 61 4f 06 03 10 00 04 50 12 c6 03 fa 3b
> fe 57 6d 8e fc 91 3e e7 17 bc e2 dc
> Code:       Access-Accept
> Identifier: 62
> Authentic:  <16>C<4>~<211><207>#I7z<31>h<128><218>Dg
> Attributes:
>         EAP-Message = <3><16><0><4>
>         Message-Authenticator =  
> <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
>
> Wed Sep 17 15:23:03 2003: DEBUG: Packet dump:
> *** Received from 192.168.1.180 port 1087 ....
> Code:       Access-Request
> Identifier: 63
> Authentic:  <228><169>i<170><148>f-<159>PT<150>g<152><255><198>K
> Attributes:
>         User-Name = "Karl"
>         cisco-avpair = "ssid=xxx"
>         NAS-IP-Address = 192.168.1.180
>         Called-Station-Id = "000d28240a8a"
>         Calling-Station-Id = "000bfd92f6e3"
>         NAS-Identifier = "AP1200"
>         NAS-Port = 37
>         Framed-MTU = 1400
>         NAS-Port-Type = Wireless-IEEE-802-11
>         Service-Type = Login-User
>         EAP-Message =  
> <1><16><0><20><17><1><0><8><202><224><144><140>'y<234><10>Karl
>         Message-Authenticator =  
> "<-<169><205>5<215><13>+/<8><238><208><6><224><211>
>
> Wed Sep 17 15:23:03 2003: DEBUG: Handling request with Handler  
> 'Realm=DEFAULT'
> Wed Sep 17 15:23:03 2003: DEBUG:  Deleting session for Karl,  
> 192.168.1.180, 37
> Wed Sep 17 15:23:04 2003: DEBUG: Handling with Radius::AuthFILE:
> Wed Sep 17 15:23:04 2003: DEBUG: Handling with EAP: code 1, 16, 20
> Wed Sep 17 15:23:04 2003: DEBUG: EAP Request 17
> Wed Sep 17 15:23:04 2003: DEBUG: Radius::AuthFILE looks for match with  
> Karl
> Wed Sep 17 15:23:04 2003: DEBUG: Radius::AuthFILE ACCEPT:
> Wed Sep 17 15:23:04 2003: DEBUG: Access accepted for Karl
> Wed Sep 17 15:23:05 2003: DEBUG: Packet dump:
> *** Sending to 192.168.1.180 port 1087 ....
>
> Packet length = 135
> 02 3f 00 87 32 fd be 57 c9 ad d2 bb b0 f2 c2 d6
> f0 ba 1c 77 4f 26 02 10 00 24 11 01 00 18 8a 1f
> a6 24 03 9c dc 04 29 0f eb b5 9e 2a de 91 d0 3c
> 43 2e 01 bc 0d 79 4b 61 72 6c 50 12 70 26 65 15
> 24 93 79 96 6f 50 e0 85 be 10 d5 00 1a 3b 00 00
> 00 09 01 35 6c 65 61 70 3a 73 65 73 73 69 6f 6e
> 2d 6b 65 79 3d 97 32 d2 b0 29 d4 48 06 ec 45 e5
> 28 14 53 05 46 b7 4c 83 75 2d 46 49 45 49 86 8e
> d1 f5 c0 3a eb df 81
> Code:       Access-Accept
> Identifier: 63
> Authentic:  <228><169>i<170><148>f-<159>PT<150>g<152><255><198>K
> Attributes:
>         EAP-Message =  
> <2><16><0>$<17><1><0><24><138><31><166>$<3><156><220><4>)<15><235><181> 
> <158>*<222><145><208><C.<1><188><13>yKarl
>         Message-Authenticator =  
> <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
>         cisco-avpair =  
> "leap:session- 
> key=<151>2<210><176>)<212>H<6><236>E<229>(<20>S<5>F<183>L<131>u- 
> FIEI<134><142><209><245><192>:<235><223><129>"
>
> - - - - - - - - - - - - - - - - - - - -
> #Authentication Success
> #---------------------------------
> Wed Sep 17 15:23:02 2003:Karl::OK
> Wed Sep 17 15:23:04 2003:Karl::OK

NB: have you included a copy of your configuration file (no secrets),
together with a trace 4 debug showing what is happening?

-- 
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. Available on *NIX, *BSD, Windows, MacOS X.
-
Nets: internetwork inventory and management - graphical, extensible,
flexible with hardware, software, platform and database independence.
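
Added example (not part of the original thread and not Radiator code): it decodes the six EAP-Message values from the trace quoted above, in order, to show the multi-step exchange that produces two Access-Accepts for one login. The `<NNN>` unescaping rule is inferred from the dump, the direction labels are added here, and the name tables cover only the codes and types that appear in this trace.

```python
import re

# EAP-Message values copied from the Trace 4 log above (wrapped lines rejoined),
# paired with the direction of the RADIUS packet that carried each one.
TRACE = [
    ("AP->server", r"<2><15><0><9><1>Karl"),
    ("server->AP", r"<1><16><0><20><17><1><0><8><{be<177><225>!^Karl"),
    ("AP->server", r"<2><16><0>$<17><1><0><24>A.B<2><242>(W<15><242><221><156><157><195><12><168><253><158><127><163><2>jR<212><146>Karl"),
    ("server->AP", r"<3><16><0><4>"),
    ("AP->server", r"<1><16><0><20><17><1><0><8><202><224><144><140>'y<234><10>Karl"),
    ("server->AP", r"<2><16><0>$<17><1><0><24><138><31><166>$<3><156><220><4>)<15><235><181><158>*<222><145><208><C.<1><188><13>yKarl"),
]

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 17: "LEAP"}

def unescape(text):
    """Convert the dump notation (<NNN> = one byte, anything else literal) to bytes."""
    out = bytearray()
    pos = 0
    for m in re.finditer(r"<(\d{1,3})>", text):
        out += text[pos:m.start()].encode("latin-1")  # literal run, may contain '<'
        out.append(int(m.group(1)))                   # raises ValueError above 255
        pos = m.end()
    out += text[pos:].encode("latin-1")
    return bytes(out)

def parse_eap(raw):
    """Decode code, identifier and type; reject a length field that does not match."""
    if len(raw) < 4:
        raise ValueError("short EAP packet")
    code, ident, length = raw[0], raw[1], int.from_bytes(raw[2:4], "big")
    if length != len(raw):
        raise ValueError(f"EAP length {length} != {len(raw)} bytes decoded")
    eap_type = raw[4] if code in (1, 2) and length > 4 else None
    return code, ident, eap_type

def summarize(trace):
    """Return one (direction, 'Code/Type', identifier) tuple per EAP message."""
    steps = []
    for direction, text in trace:
        code, ident, eap_type = parse_eap(unescape(text))
        name = EAP_CODES.get(code, str(code))
        if eap_type is not None:
            name += "/" + EAP_TYPES.get(eap_type, str(eap_type))
        steps.append((direction, name, ident))
    return steps

if __name__ == "__main__":
    for step in summarize(TRACE):
        print(*step)
```

Messages 4 and 6 travel in the two Access-Accept packets, which line up with the two `Karl::OK` entries logged at 15:23:02 and 15:23:04.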

===
Archive at http://www.open.com.au/archives/radiator/