Hi,
> On 30 Mar 2016, at 14:55, Hartmaier Alexander
> <[email protected]> wrote:
>
> we use PEAP-TLS, EAP-PEAP as outer EAP type with EAP-TLS as inner.
> Not sure if the outer EAP-PEAP adds any real security as the Radiator
> cert is the same one for both types as it only hides the transmission of
> the user cert which can be classified like a public key imho.
>
Ack.
> I've already tuned the EAPTLS_MaxFragmentSize to have as few roundtrips
> as possible (1350 for the outer PEAP and 1300 for the inner EAP-TLS).
>
Yes, unfortunately besides that, the only real option to minimize the delay
of an EAP authentication is to minimize the round-trips, either by sending
less certificate data or by using an EAP method with fewer rounds.
> You see how I calculate the response_time in my email yesterday.
>
$p->{RecvTime} is set to the time of receipt when an Access-Request is
received, so

    $message->{response_time} = Radius::Util::timeInterval(
        $p->{RecvTime},
        $p->{RecvTimeMicros}, Radius::Util::getTimeHires());

will calculate a response time only for that Access-Request.
When running Radiator with Trace 4 or 5, a total time for an EAP
authentication can be seen in the log.
E.g.
Wed Mar 30 12:55:58 2016 816812: DEBUG: EAP Success, elapsed time 0.71221
We’ll add a feature, which will allow the total time along with an on-demand
timing to be used through %{...} special format in AuthLogs etc.
BR
--
Tuure Vartiainen <[email protected]>
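The following Python script is an added example, not part of the original message or of Radiator itself. It extracts the "EAP Success, elapsed time" values from a Trace 4 log in the line format quoted above and summarises the total EAP authentication time; the sample log lines and the 1.0 second slow threshold are constructed assumptions.

```python
import math
import re
import statistics

# Constructed sample in the Trace 4 line format quoted in the message above.
# Only the first elapsed value appears in the original post.
SAMPLE_LOG = """\
Wed Mar 30 12:55:58 2016 816812: DEBUG: EAP Success, elapsed time 0.71221
Wed Mar 30 12:56:03 2016 102334: DEBUG: (constructed unrelated debug line)
Wed Mar 30 12:56:04 2016 551020: DEBUG: EAP Success, elapsed time 0.40310
Wed Mar 30 12:57:10 2016 000412: DEBUG: EAP Success, elapsed time 2.95000
Wed Mar 30 12:57:11 2016 000500: DEBUG: EAP Success, elapsed time n/a
Wed Mar 30 12:58:42 2016 730001: DEBUG: EAP Success, elapsed time 0.65500
"""

# "<timestamp> <microseconds>: DEBUG: EAP Success, elapsed time <seconds>"
LINE_RE = re.compile(
    r"^(?P<ts>.+?) (?P<usec>\d+): DEBUG: EAP Success, elapsed time "
    r"(?P<secs>\d+(?:\.\d+)?)\s*$"
)

def parse_elapsed(log_text):
    """Return [(timestamp, elapsed_seconds)] for each well-formed success line."""
    samples = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:  # malformed or unrelated lines are skipped, not guessed at
            samples.append((m.group("ts"), float(m.group("secs"))))
    return samples

def summarize(samples, slow_threshold=1.0):
    """Summarise total EAP times; slow_threshold (seconds) is an assumed value."""
    if not samples:
        return None
    times = sorted(t for _, t in samples)
    p95_rank = math.ceil(0.95 * len(times))  # nearest-rank percentile
    return {
        "count": len(times),
        "median": statistics.median(times),
        "p95": times[p95_rank - 1],
        "max": times[-1],
        "slow": [(ts, t) for ts, t in samples if t > slow_threshold],
    }

if __name__ == "__main__":
    print(summarize(parse_elapsed(SAMPLE_LOG)))
```

Because each value is the whole EAP conversation rather than one Access-Request, comparing the median before and after a fragment-size or certificate-chain change shows whether the round-trip reduction actually paid off.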