(RADIATOR) Accelerating Authentication Process
Bon sy
bon at bunny.cs.qc.edu
Thu Sep 18 05:36:12 CDT 2003
I have the same experience on Cisco AP350/352. This is my observation.
Please feel free to correct me if the below is less than accurate:
On a level 4 trace, the EAP authentication process itself takes 2-3 secs
just to scroll out the details of the handshaking (to the terminal). I
am not sure there is anything you can do. However, the association is
stored in the AP and it will not need re-authentication unless the
client drops the connection. Nonetheless, the TKIP key rotation process
overhead is still there.
Bon
On Thu, 18 Sep 2003, Denis Pavani wrote:
> Well, I use Cisco Aironet 340 and I got a quite slow authentication,
> too. But looking interactively at radius.log I see auth request coming late.
> So, it's the AP slow in processing EAP requests.
> Could you check that?
>
> Bye
>
> kpracher at bsr.at wrote:
>
> >
> > Hi!
> >
> > I set up and configured Radiator so that it works just fine. My Users
> > are working on MS-DOS- and WinCE-based WLAN devices which are
> > installed on fork-lift truck. They are driving around in a big storage
> > hall where some Cisco access points are installed.
> >
> > When the users are moving around, they are roamed between the
> > different access points, where they are authenticated each time. But
> > the authentication process takes about 3 seconds and that is much too
> > long. Do I have the opportunity to accelerate the authentication
> > process or is there a way to tell the "next" access point that one
> > user has been authenticated on another access point.
> >
> > Following I attach my configuration and the logfiles for the
> > authentication on one access point. What makes me wonder a bit and
> > also takes a lot of time is that I have been authenticated two times,
> > but I only logged in once (I am quite sure about that)
> >
> > I hope someone can help me.
> >
> > Thanks
> >
> > - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
> > - - - - - - - - -
> > #Configuration for Radiator Radius Server Demo 3.6
> > #OS : Linux
> > #---------------------------------------------------------------------------
> >
> >
> > Foreground
> > LogStdout
> > Trace 4
> >
> > AuthPort 1812
> > AcctPort 1813
> >
> > LogDir /etc/radiator/logs
> > LogFile %L/Logfile_%Y%m%d
> >
> > DbDir /etc/radiator/confs
> > DictionaryFile %D/dictionary
> >
> > <Client 192.168.1.180>
> > Secret xxx
> > PacketTrace
> > IgnoreAcctSignature
> > </Client>
> >
> > <Realm DEFAULT>
> > <AuthBy FILE>
> > Filename %D/users
> > RejectEmptyPassword
> > EAPType LEAP
> > </AuthBy>
> >
> > <AuthLog FILE>
> > Filename %L/Authlog_%Y%m%d
> > LogSuccess 1
> > LogFailure 1
> > </AuthLog>
> >
> > AcctLogFileName %L/Acctlog_%Y%m%d
> >
> > PacketTrace
> > </Realm>
> >
> > <Monitor>
> > Port xxxx
> > Clients 127.0.0.1
> > Username xxx
> > Password xxx
> > </Monitor>
> >
> >
> >
> >
> >
> >
> >
> > - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
> > - - -
> > #Logfile of Radiator Radius Server Demo 3.6
> > #----------------------------------------------------------------
> >
> > Wed Sep 17 15:22:59 2003: DEBUG: Packet dump:
> > *** Received from 192.168.1.180 port 1085 ....
> > Code: Access-Request
> > Identifier: 61
> > Authentic: <200>#<154>_V<240><132><175><17><217>X<208>)<179><199>m
> > Attributes:
> > User-Name = "Karl"
> > cisco-avpair = "ssid=xxx"
> > NAS-IP-Address = 192.168.1.180
> > Called-Station-Id = "000d28240a8a"
> > Calling-Station-Id = "000bfd92f6e3"
> > NAS-Identifier = "AP1200"
> > NAS-Port = 37
> > Framed-MTU = 1400
> > NAS-Port-Type = Wireless-IEEE-802-11
> > Service-Type = Login-User
> > EAP-Message = <2><15><0><9><1>Karl
> > Message-Authenticator =
> > <244><150><165><16><251>(<193><5><146>h5{R<189><13><132>
> >
> > Wed Sep 17 15:23:00 2003: DEBUG: Handling request with Handler
> > 'Realm=DEFAULT'
> > Wed Sep 17 15:23:00 2003: DEBUG: Deleting session for Karl,
> > 192.168.1.180, 37
> > Wed Sep 17 15:23:00 2003: DEBUG: Handling with Radius::AuthFILE:
> > Wed Sep 17 15:23:00 2003: DEBUG: Handling with EAP: code 2, 15, 9
> > Wed Sep 17 15:23:00 2003: DEBUG: Response type 1
> > Wed Sep 17 15:23:00 2003: DEBUG: Access challenged for Karl: EAP LEAP
> > Challenge
> > Wed Sep 17 15:23:01 2003: DEBUG: Packet dump:
> > *** Sending to 192.168.1.180 port 1085 ....
> >
> > Packet length = 60
> > 0b 3d 00 3c 23 f6 81 58 b3 5a 3b f2 5a bb 74 b1
> > 38 f6 02 1a 4f 16 01 10 00 14 11 01 00 08 3c 7b
> > 62 65 b1 e1 21 5e 4b 61 72 6c 50 12 b6 29 11 f4
> > 76 3a a6 16 11 5e 5c 4e 43 33 62 57
> > Code: Access-Challenge
> > Identifier: 61
> > Authentic: <200>#<154>_V<240><132><175><17><217>X<208>)<179><199>m
> > Attributes:
> > EAP-Message = <1><16><0><20><17><1><0><8><{be<177><225>!^Karl
> > Message-Authenticator =
> > <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
> >
> > Wed Sep 17 15:23:01 2003: DEBUG: Packet dump:
> > *** Received from 192.168.1.180 port 1086 ....
> > Code: Access-Request
> > Identifier: 62
> > Authentic: <16>C<4>~<211><207>#I7z<31>h<128><218>Dg
> > Attributes:
> > User-Name = "Karl"
> > cisco-avpair = "ssid=xxx"
> > NAS-IP-Address = 192.168.1.180
> > Called-Station-Id = "000d28240a8a"
> > Calling-Station-Id = "000bfd92f6e3"
> > NAS-Identifier = "AP1200"
> > NAS-Port = 37
> > Framed-MTU = 1400
> > NAS-Port-Type = Wireless-IEEE-802-11
> > Service-Type = Login-User
> > EAP-Message =
> > <2><16><0>$<17><1><0><24>A.B<2><242>(W<15><242><221><156><157><195><12><168><253><158><127><163><2>jR<212><146>Karl
> >
> > Message-Authenticator =
> > $<153><175><222><177>9<140>[<172>Eo><25>x<22><145>
> >
> > Wed Sep 17 15:23:02 2003: DEBUG: Handling request with Handler
> > 'Realm=DEFAULT'
> > Wed Sep 17 15:23:02 2003: DEBUG: Deleting session for Karl,
> > 192.168.1.180, 37
> > Wed Sep 17 15:23:02 2003: DEBUG: Handling with Radius::AuthFILE:
> > Wed Sep 17 15:23:02 2003: DEBUG: Handling with EAP: code 2, 16, 36
> > Wed Sep 17 15:23:02 2003: DEBUG: Response type 17
> > Wed Sep 17 15:23:02 2003: DEBUG: Radius::AuthFILE looks for match with
> > Karl
> > Wed Sep 17 15:23:02 2003: DEBUG: Radius::AuthFILE ACCEPT:
> > Wed Sep 17 15:23:02 2003: DEBUG: Access accepted for Karl
> > Wed Sep 17 15:23:03 2003: DEBUG: Packet dump:
> > *** Sending to 192.168.1.180 port 1086 ....
> >
> > Packet length = 44
> > 02 3e 00 2c 04 7f 46 81 e3 13 20 19 7e 46 e6 61
> > 67 bf 18 61 4f 06 03 10 00 04 50 12 c6 03 fa 3b
> > fe 57 6d 8e fc 91 3e e7 17 bc e2 dc
> > Code: Access-Accept
> > Identifier: 62
> > Authentic: <16>C<4>~<211><207>#I7z<31>h<128><218>Dg
> > Attributes:
> > EAP-Message = <3><16><0><4>
> > Message-Authenticator =
> > <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
> >
> > Wed Sep 17 15:23:03 2003: DEBUG: Packet dump:
> > *** Received from 192.168.1.180 port 1087 ....
> > Code: Access-Request
> > Identifier: 63
> > Authentic: <228><169>i<170><148>f-<159>PT<150>g<152><255><198>K
> > Attributes:
> > User-Name = "Karl"
> > cisco-avpair = "ssid=xxx"
> > NAS-IP-Address = 192.168.1.180
> > Called-Station-Id = "000d28240a8a"
> > Calling-Station-Id = "000bfd92f6e3"
> > NAS-Identifier = "AP1200"
> > NAS-Port = 37
> > Framed-MTU = 1400
> > NAS-Port-Type = Wireless-IEEE-802-11
> > Service-Type = Login-User
> > EAP-Message =
> > <1><16><0><20><17><1><0><8><202><224><144><140>'y<234><10>Karl
> > Message-Authenticator =
> > "<-<169><205>5<215><13>+/<8><238><208><6><224><211>
> >
> > Wed Sep 17 15:23:03 2003: DEBUG: Handling request with Handler
> > 'Realm=DEFAULT'
> > Wed Sep 17 15:23:03 2003: DEBUG: Deleting session for Karl,
> > 192.168.1.180, 37
> > Wed Sep 17 15:23:04 2003: DEBUG: Handling with Radius::AuthFILE:
> > Wed Sep 17 15:23:04 2003: DEBUG: Handling with EAP: code 1, 16, 20
> > Wed Sep 17 15:23:04 2003: DEBUG: EAP Request 17
> > Wed Sep 17 15:23:04 2003: DEBUG: Radius::AuthFILE looks for match with
> > Karl
> > Wed Sep 17 15:23:04 2003: DEBUG: Radius::AuthFILE ACCEPT:
> > Wed Sep 17 15:23:04 2003: DEBUG: Access accepted for Karl
> > Wed Sep 17 15:23:05 2003: DEBUG: Packet dump:
> > *** Sending to 192.168.1.180 port 1087 ....
> >
> > Packet length = 135
> > 02 3f 00 87 32 fd be 57 c9 ad d2 bb b0 f2 c2 d6
> > f0 ba 1c 77 4f 26 02 10 00 24 11 01 00 18 8a 1f
> > a6 24 03 9c dc 04 29 0f eb b5 9e 2a de 91 d0 3c
> > 43 2e 01 bc 0d 79 4b 61 72 6c 50 12 70 26 65 15
> > 24 93 79 96 6f 50 e0 85 be 10 d5 00 1a 3b 00 00
> > 00 09 01 35 6c 65 61 70 3a 73 65 73 73 69 6f 6e
> > 2d 6b 65 79 3d 97 32 d2 b0 29 d4 48 06 ec 45 e5
> > 28 14 53 05 46 b7 4c 83 75 2d 46 49 45 49 86 8e
> > d1 f5 c0 3a eb df 81
> > Code: Access-Accept
> > Identifier: 63
> > Authentic: <228><169>i<170><148>f-<159>PT<150>g<152><255><198>K
> > Attributes:
> > EAP-Message =
> > <2><16><0>$<17><1><0><24><138><31><166>$<3><156><220><4>)<15><235><181><158>*<222><145><208><C.<1><188><13>yKarl
> >
> > Message-Authenticator =
> > <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
> > cisco-avpair =
> > "leap:session-key=<151>2<210><176>)<212>H<6><236>E<229>(<20>S<5>F<183>L<131>u-FIEI<134><142><209><245><192>:<235><223><129>"
> >
> >
> >
> >
> >
> >
> >
> > - - - - - - - - - - - - - - - - - - - -
> > #Authentication Success
> > #---------------------------------
> > Wed Sep 17 15:23:02 2003:Karl::OK
> > Wed Sep 17 15:23:04 2003:Karl::OK
>
>
> --
> ************************************************************************
> Denis Pavani
>
> CINECA - Comunicazioni e Sistemi Distribuiti
> NOC - Network Operations Center
>
> phone:+39 0516171953 / fax:+39 0516132198
> http://www.cineca.it
> ************************************************************************
> "We are paid to adapt, improvise and achieve the objective"
> -- Gunny Highway
>
>
> ===
> Archive at http://www.open.com.au/archives/radiator/
> Announcements on radiator-announce at open.com.au
> To unsubscribe, email 'majordomo at open.com.au' with
> 'unsubscribe radiator' in the body of the message.
>
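Added example (not part of the original posts and not Radiator code): Python that pairs each request received in the quoted Trace 4 log with the reply sent for it, reporting the EAP code that arrived, how the server answered, and how long the server held the request at the log's one-second resolution. The function name `rounds` and the line patterns are assumptions of this example, derived only from the log lines quoted above.

```python
import re
from datetime import datetime

# Lines copied from the Trace 4 log quoted above (mail wrapping undone, dumps omitted).
TRACE = """\
Wed Sep 17 15:22:59 2003: DEBUG: Packet dump:
*** Received from 192.168.1.180 port 1085 ....
Wed Sep 17 15:23:00 2003: DEBUG: Handling with EAP: code 2, 15, 9
Wed Sep 17 15:23:00 2003: DEBUG: Access challenged for Karl: EAP LEAP Challenge
Wed Sep 17 15:23:01 2003: DEBUG: Packet dump:
*** Sending to 192.168.1.180 port 1085 ....
Wed Sep 17 15:23:01 2003: DEBUG: Packet dump:
*** Received from 192.168.1.180 port 1086 ....
Wed Sep 17 15:23:02 2003: DEBUG: Handling with EAP: code 2, 16, 36
Wed Sep 17 15:23:02 2003: DEBUG: Access accepted for Karl
Wed Sep 17 15:23:03 2003: DEBUG: Packet dump:
*** Sending to 192.168.1.180 port 1086 ....
Wed Sep 17 15:23:03 2003: DEBUG: Packet dump:
*** Received from 192.168.1.180 port 1087 ....
Wed Sep 17 15:23:04 2003: DEBUG: Handling with EAP: code 1, 16, 20
Wed Sep 17 15:23:04 2003: DEBUG: Access accepted for Karl
Wed Sep 17 15:23:05 2003: DEBUG: Packet dump:
*** Sending to 192.168.1.180 port 1087 ....
"""
STAMP = re.compile(r"^(\w{3} \w{3} +\d+ [\d:]{8} \d{4}): DEBUG: ")
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}

def rounds(trace):
    """One dict per RADIUS request/reply pair: EAP code received, result, seconds in server."""
    out, cur, now = [], None, None
    for line in trace.splitlines():
        m = STAMP.match(line)  # every timestamped line advances the clock
        now = datetime.strptime(m.group(1), "%a %b %d %H:%M:%S %Y") if m else now
        eap = re.search(r"Handling with EAP: code (\d+),", line)
        res = re.search(r"Access (challenged|accepted|rejected) for", line)
        if line.startswith("*** Received"):
            cur = {"rx": now}  # request arrived at the last timestamp seen
        elif line.startswith("*** Sending") and cur:
            out.append({**cur, "server_s": (now - cur["rx"]).total_seconds()})
            cur = None
        elif cur is not None and eap:
            cur["eap"] = EAP_CODES.get(int(eap.group(1)), "?")
        elif cur is not None and res:
            cur["result"] = res.group(1)
    return out

if __name__ == "__main__":
    for r in rounds(TRACE):
        print(r["rx"].time(), "EAP", r.get("eap"), "->", r.get("result"), r["server_s"], "s")
```

On this excerpt every round shows 2 s between receipt and reply, with no measurable gap between a reply and the next request. The third round is a client-originated EAP Request (code 1, type 17), the LEAP step in which the client challenges the server, which is why the AuthLog records a second OK for a single login.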