[RADIATOR] Radiator fails in distinguishing parallel EAP authentication
Jan Tomasek
jan at tomasek.cz
Tue Mar 14 08:47:28 UTC 2017
Hello,
I did some experiments and it looks like Radiator (I'm running
4.16.1839-3) is the only RADIUS server which relies on the
Calling-Station-Id attribute when dealing with parallel EAP authentication.
I've this setup:
Client ---> Radiator --+--> FreeRADIUS v3
                       +--> Cisco ISE 2.1
                       \--> MS NPS
Client is executing 20 parallel requests:
for i in `seq 15 35`
do
    (/usr/local/rad_eap_test-git/rad_eap_test -H Radiator -P 1812 -S xx \
        -u xx -p xx -e PEAP -m WPA-EAP -t 15 -M 00:50:56:c0:00:$i ) &
done
Requests are being processed by Radiator or being forwarded to
FreeRADIUS, ISE or NPS based on the realm of the username. The client
definition on Radiator is used to strip Calling-Station-Id.
Results:
With Calling-Station-Id enabled:
  Radiator:     21x access-accept within 1s
  FreeRADIUSv3: 18x access-accept, time varies 1-5s; 3x access-reject ~11s
  Cisco ISE:    21x access-accept within 1s
  MS NPS:       21x access-accept within 1s
With Calling-Station-Id stripped:
  Radiator:     21x access-reject within 1s *
  FreeRADIUSv3: 20x access-accept, time varies 2-5s; 1x access-reject 8s
  Cisco ISE:    21x access-accept within 1s
  MS NPS:       21x access-accept within 1s
* in logs Radiator prints:
> Tue Mar 14 07:43:44 2017: ERR: EAP TLS error: -1, 1, 8466, 8623: 1 - error:140A1159:SSL routines:SSL_BYTES_TO_CIPHER_LIST:scsv received when renegotiating
>
> Tue Mar 14 07:43:44 2017: DEBUG: EAP Failure, elapsed time 0.043436
> Tue Mar 14 07:43:44 2017: DEBUG: EAP result: 1, EAP PEAP TLS error
> Tue Mar 14 07:43:44 2017: DEBUG: AuthBy LDAP2 result: REJECT, EAP PEAP TLS error
Does anyone have any idea what techniques for distinguishing parallel EAP
authentication FreeRADIUS, or maybe better ISE & NPS, are using, such that
they behave much better?
Best regards
--
-----------------------
Jan Tomasek aka Semik
http://www.tomasek.cz/
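
Added illustration, not part of the original message and not code from Radiator, FreeRADIUS, ISE or NPS: a Python model contrasting two ways a server can match a packet to its EAP conversation, by User-Name plus Calling-Station-Id or by the State attribute that RFC 2865 has the client echo back from each Access-Challenge. The EapServer class, the "round" field standing in for the TLS handshake position, and the four-round count are assumptions of the model.

```python
import os

class EapServer:
    """Toy model: a conversation succeeds after ROUNDS in-order requests."""
    ROUNDS = 4  # assumed length of the handshake, for illustration only

    def __init__(self, key_by_state):
        self.key_by_state = key_by_state
        self.contexts = {}  # lookup key -> round the server expects next

    def handle(self, req):
        if self.key_by_state:
            key = req.get("State")            # absent on the first packet
        else:
            key = (req["User-Name"], req.get("Calling-Station-Id"))
        if req["round"] == 0:                 # EAP identity starts a conversation
            if self.key_by_state:
                key = os.urandom(8).hex()     # fresh State per conversation
            self.contexts[key] = 0            # attribute keying can clobber a live context
        if self.contexts.get(key) != req["round"]:
            self.contexts.pop(key, None)      # packet does not fit the stored handshake
            return {"code": "Access-Reject"}
        self.contexts[key] += 1
        if self.contexts[key] == self.ROUNDS:
            del self.contexts[key]
            return {"code": "Access-Accept"}
        return {"code": "Access-Challenge", "State": key if self.key_by_state else None}

def run(server, macs, strip_csid):
    """Interleave one conversation per MAC round-robin; return the accept count."""
    clients = [{"mac": m, "state": None, "round": 0, "done": None} for m in macs]
    while any(c["done"] is None for c in clients):
        for c in clients:
            if c["done"]:
                continue
            req = {"User-Name": "xx", "round": c["round"]}
            if not strip_csid:
                req["Calling-Station-Id"] = c["mac"]
            if c["state"]:
                req["State"] = c["state"]     # echoed back unchanged
            reply = server.handle(req)
            if reply["code"] == "Access-Challenge":
                c["state"], c["round"] = reply["State"], c["round"] + 1
            else:
                c["done"] = reply["code"]
    return sum(c["done"] == "Access-Accept" for c in clients)

MACS = ["00:50:56:c0:00:%d" % i for i in range(15, 36)]  # the 21 MACs from the test loop
```

In this model, attribute keying accepts all 21 conversations while Calling-Station-Id is present and rejects all of them once it is stripped, whereas State keying accepts all 21 either way.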