is there such a thing as a wpa2 enterprise cert that macos & ios just accept or do i just gotta slum it with a let's encrypt cert that has a subject i control and click ok on every three months

Posted Dec 30, 2019 00:46

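The usual way out of the click-OK-every-three-months cycle on Apple devices is a configuration profile that ships the RADIUS server's CA and names the server the client should expect, so the supplicant trusts that chain silently and refuses anything else. The script below is an added example, not code from this thread or from Apple; the payload keys follow Apple's Configuration Profile Reference (`com.apple.wifi.managed`, `EAPClientConfiguration`, `TLSTrustedServerNames`, `PayloadCertificateAnchorUUID`, `com.apple.security.root`), while the SSID `corp-wifi`, the server name `radius.example.org` and the CA bytes are constructed placeholders.

```python
import plistlib
import uuid

# Constructed placeholder: a real profile embeds the DER-encoded CA
# certificate that signed the RADIUS server's EAP (PEAP/TTLS/TLS) certificate.
PLACEHOLDER_CA_DER = b"PLACEHOLDER-DER-ENCODED-CA-CERTIFICATE"

# EAP method numbers from the IANA EAP registry (RFC 3748).
EAP_TLS, EAP_TTLS, EAP_PEAP = 13, 21, 25

WIFI_PAYLOAD_TYPE = "com.apple.wifi.managed"
ROOT_CERT_PAYLOAD_TYPE = "com.apple.security.root"


def build_profile(ssid, trusted_server_names, ca_der, eap_types=(EAP_PEAP,),
                  org="example.org"):
    """Return .mobileconfig bytes containing a root-certificate payload and a
    Wi-Fi payload that anchors EAP server trust to that certificate and to
    the listed server names, so the client never shows a trust prompt."""
    ca_uuid = str(uuid.uuid4()).upper()
    wifi_uuid = str(uuid.uuid4()).upper()

    cert_payload = {
        "PayloadType": ROOT_CERT_PAYLOAD_TYPE,
        "PayloadVersion": 1,
        "PayloadIdentifier": f"{org}.radius-ca.{ca_uuid}",
        "PayloadUUID": ca_uuid,
        "PayloadDisplayName": "RADIUS CA",
        "PayloadContent": ca_der,  # bytes are serialised as <data>
    }
    wifi_payload = {
        "PayloadType": WIFI_PAYLOAD_TYPE,
        "PayloadVersion": 1,
        "PayloadIdentifier": f"{org}.wifi.{wifi_uuid}",
        "PayloadUUID": wifi_uuid,
        "PayloadDisplayName": f"Wi-Fi {ssid}",
        "SSID_STR": ssid,
        "AutoJoin": True,
        "EncryptionType": "WPA2",
        "EAPClientConfiguration": {
            "AcceptEAPTypes": list(eap_types),
            # The server certificate must chain to this anchor AND carry one of
            # these names; together they stop a rogue AP presenting a different
            # (even publicly trusted) certificate from being accepted.
            "PayloadCertificateAnchorUUID": [ca_uuid],
            "TLSTrustedServerNames": list(trusted_server_names),
        },
    }
    profile = {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadIdentifier": f"{org}.enterprise-wifi",
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": f"{ssid} enterprise Wi-Fi",
        "PayloadContent": [cert_payload, wifi_payload],
    }
    return plistlib.dumps(profile)


def check_profile(profile_bytes):
    """Pre-deployment check: the Wi-Fi payload's anchor UUIDs must all point
    at certificate payloads in the same profile and server names must be set.
    Returns (ok, trusted_server_names)."""
    profile = plistlib.loads(profile_bytes)
    payloads = profile["PayloadContent"]
    cert_uuids = {p["PayloadUUID"] for p in payloads
                  if p["PayloadType"] == ROOT_CERT_PAYLOAD_TYPE}
    for p in payloads:
        if p["PayloadType"] != WIFI_PAYLOAD_TYPE:
            continue
        eap = p.get("EAPClientConfiguration", {})
        anchors = eap.get("PayloadCertificateAnchorUUID", [])
        names = eap.get("TLSTrustedServerNames", [])
        ok = bool(names) and bool(anchors) and all(a in cert_uuids for a in anchors)
        return ok, names
    return False, []


if __name__ == "__main__":
    data = build_profile("corp-wifi", ["radius.example.org"], PLACEHOLDER_CA_DER)
    print(check_profile(data))
    print(data.decode())
```

Anchoring to a public CA such as Let's Encrypt is the weak variant of this: any certificate from that CA would chain correctly, which is why the server name list matters just as much as the anchor. With a private CA for the RADIUS server the profile stays valid across server certificate renewals and the prompt never returns.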
> Cocoa Crispies posted: it's not the network client to radius client thing that people want rest, it's the radius client to radius server part, and i bet you could design it so your authentication/accounting services would work in an edge cloud or something because *faaaart*

RADIUS is just a transport around EAP, as far as authentication is concerned. You could potentially replace RADIUS authorisation & accounting with another protocol and, in fact, some solutions do this (some VPN solutions use RADIUS to auth the user, then LDAP to map that user to groups, for example). What you could do is make the NAS devices capable of authenticating users by having them parse and respond to EAP messages, as opposed to forwarding them to a AAA server, which then lets you do whatever the gently caress you want, and many solutions like that do exist out there. Contemporary VPN solutions, for example, often support SAML, LDAP, certificate based auth, etc without the use of RADIUS.

Posted Dec 30, 2019 00:59

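What "a transport around EAP" means at the byte level, as an added example that is not from this post: a RADIUS Access-Request is a 20-byte header followed by type/length/value attributes, the EAP packet rides inside one or more EAP-Message attributes (type 79), and the AAA server, not the NAS, verifies the Message-Authenticator attribute (type 80, HMAC-MD5 keyed with the shared secret, RFC 3579) before it looks at the EAP payload at all. The shared secret, the user `bob@realm` and the EAP Identity Response below are constructed sample values.

```python
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_EAP_MESSAGE = 79
ATTR_MESSAGE_AUTHENTICATOR = 80
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPE_IDENTITY = 1
MAX_ATTR_VALUE = 253  # one-byte attribute length minus the 2-byte TLV header


def _attr(attr_type, value):
    if not 1 <= len(value) <= MAX_ATTR_VALUE:
        raise ValueError("attribute value length out of range")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_access_request(secret, username, eap, identifier=0, authenticator=None):
    """NAS side (constructed sample): wrap an EAP packet in RADIUS and sign it
    with Message-Authenticator = HMAC-MD5(secret, packet with the
    Message-Authenticator value zeroed), per RFC 3579 section 3.2."""
    authenticator = authenticator or os.urandom(16)  # Request Authenticator
    attrs = _attr(ATTR_USER_NAME, username.encode())
    # EAP packets longer than 253 octets are split over several EAP-Message
    # attributes; the receiver concatenates them in order.
    for i in range(0, len(eap), MAX_ATTR_VALUE):
        attrs += _attr(ATTR_EAP_MESSAGE, eap[i:i + MAX_ATTR_VALUE])
    attrs += _attr(ATTR_MESSAGE_AUTHENTICATOR, bytes(16))
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs)) + authenticator
    mac = hmac.new(secret, header + attrs, hashlib.md5).digest()
    return header + attrs[:-16] + mac


def parse_radius(packet):
    """Parse header and attributes under the RFC 2865 length rules: a packet
    shorter than its Length field is rejected, octets beyond Length are
    ignored, and every TLV must fit inside Length."""
    if len(packet) < 20:
        raise ValueError("packet shorter than RADIUS header")
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        raise ValueError("bad Length field")
    attrs, pos = [], 20
    while pos < length:
        if length - pos < 2:
            raise ValueError("truncated attribute header")
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2 or pos + attr_len > length:
            raise ValueError("attribute overruns packet")
        attrs.append((pos, attr_type, packet[pos + 2:pos + attr_len]))
        pos += attr_len
    return {"code": code, "id": identifier, "length": length,
            "authenticator": packet[4:20], "attrs": attrs}


def verify_message_authenticator(packet, secret):
    """Server side: recompute the HMAC over the packet with the 16-byte
    Message-Authenticator value zeroed; False if absent, duplicated or wrong."""
    parsed = parse_radius(packet)
    offsets = [pos + 2 for pos, t, v in parsed["attrs"]
               if t == ATTR_MESSAGE_AUTHENTICATOR and len(v) == 16]
    if len(offsets) != 1:
        return False
    off = offsets[0]
    zeroed = packet[:off] + bytes(16) + packet[off + 16:parsed["length"]]
    expected = hmac.new(secret, zeroed, hashlib.md5).digest()
    return hmac.compare_digest(expected, packet[off:off + 16])


def extract_eap(packet):
    """Concatenate all EAP-Message attribute values, in order."""
    return b"".join(v for _, t, v in parse_radius(packet)["attrs"] if t == ATTR_EAP_MESSAGE)


def parse_eap(eap):
    """EAP header: Code, Identifier, Length, then Type and Type-Data for
    Request/Response packets (RFC 3748 section 4)."""
    if len(eap) < 4:
        raise ValueError("EAP packet shorter than header")
    code, identifier, length = struct.unpack("!BBH", eap[:4])
    if length != len(eap):
        raise ValueError("EAP Length does not match payload")
    result = {"code": EAP_CODES.get(code, code), "id": identifier}
    if code in (1, 2):
        if length < 5:
            raise ValueError("Request/Response needs a Type octet")
        result["type"] = eap[4]
        result["data"] = eap[5:]
    return result


# Constructed sample: an EAP Identity Response for bob@realm, as a NAS would wrap it.
SECRET = b"constructed-shared-secret"
SAMPLE_EAP = struct.pack("!BBHB", 2, 1, 5 + len(b"bob@realm"), EAP_TYPE_IDENTITY) + b"bob@realm"


def sample_request():
    return build_access_request(SECRET, "bob@realm", SAMPLE_EAP, identifier=7)
```

Everything EAP-specific lives inside `extract_eap`/`parse_eap`; the RADIUS layer only carries opaque bytes and authenticates the envelope, which is exactly why a NAS that speaks EAP itself can drop the envelope and still run the same method. On the server side, treat a missing or invalid Message-Authenticator on an Access-Request carrying EAP as a discard, not a warning.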
> abigserve posted: (some VPN solutions use Radius to auth the user, then LDAP to map that user to groups, for example).

fuuuuuck palo alto

edit: palo alto also uses ldap for group mapping when your auth method supports returning group membership, e.g. saml. every single thing about the product is like that

Posted Dec 30, 2019 01:13

> Nomnom Cookie posted: fuuuuuck palo alto

nah they'll map groups onto fuckin anything if there is a username in the db and group mapping is configured. You can do it that way too though, where the authentication server returns the group membership but then it depends on the protocol (RADIUS/SAML/whatever)

Posted Dec 30, 2019 01:23

TIL iOS and Android support using QR codes for sharing wifi credentials. Go help your local bar with this.

Posted Dec 30, 2019 02:07

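Those QR codes carry plain text in the `WIFI:` format that ZXing defined and both platforms read. The encoder/decoder below is an added example, not anything from the post, and shows the part that actually bites: the SSID and passphrase must have `\`, `;`, `,`, `:` and `"` backslash-escaped, otherwise a punctuation-heavy passphrase decodes wrong or the code is rejected. The network names and passphrases are constructed.

```python
WIFI_PREFIX = "WIFI:"
SPECIAL = '\\;,":'  # characters that must be backslash-escaped inside values
AUTH_TYPES = ("WPA", "WEP", "nopass")


def _escape(value):
    return "".join("\\" + c if c in SPECIAL else c for c in value)


def encode_wifi_qr(ssid, password=None, auth="WPA", hidden=False):
    """Return the text to encode in the QR code, e.g. WIFI:T:WPA;S:net;P:pw;;"""
    if auth not in AUTH_TYPES:
        raise ValueError(f"auth must be one of {AUTH_TYPES}")
    if (auth == "nopass") != (password is None):
        raise ValueError("password is required unless auth is nopass")
    fields = [("T", auth), ("S", _escape(ssid))]
    if password is not None:
        fields.append(("P", _escape(password)))
    if hidden:
        fields.append(("H", "true"))
    return WIFI_PREFIX + "".join(f"{k}:{v};" for k, v in fields) + ";"


def decode_wifi_qr(text):
    """Parse a WIFI: string back into its fields, honouring backslash escapes."""
    if not text.startswith(WIFI_PREFIX):
        raise ValueError("not a WIFI: code")
    body, fields, i = text[len(WIFI_PREFIX):], {}, 0
    while i < len(body) and body[i] != ";":  # the second ';' of ';;' ends the record
        colon = body.find(":", i)
        if colon == -1:
            raise ValueError("field without ':'")
        key, i, value = body[i:colon], colon + 1, []
        while i < len(body):
            c = body[i]
            if c == "\\" and i + 1 < len(body):  # escaped character: take next literally
                value.append(body[i + 1])
                i += 2
            elif c == ";":  # unescaped ';' terminates the field
                i += 1
                break
            else:
                value.append(c)
                i += 1
        fields[key] = "".join(value)
    auth = fields.get("T", "nopass")  # lenient: a missing T is treated as an open network
    if auth not in AUTH_TYPES:
        raise ValueError(f"unknown auth type {auth!r}")
    return {"ssid": fields.get("S", ""), "password": fields.get("P"),
            "auth": auth, "hidden": fields.get("H", "").lower() == "true"}


if __name__ == "__main__":
    code = encode_wifi_qr("Cafe;Bar", "p@ss:w,1\\2")  # constructed sample
    print(code)
    print(decode_wifi_qr(code))
```

The passphrase is in the clear inside the code, so a photo of the printed QR is equivalent to the passphrase itself; that is fine for a bar's guest network and the reason not to print one for anything you would not write on the wall.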
> abigserve posted: nah they'll map groups onto fuckin anything if there is a username in the db and group mapping is configured. You can do it that way too though, where the authentication server returns the group membership but then it depends on the protocol (RADIUS/SAML/whatever)

like hell am I gonna dig through the docs again but this is something that was specifically called out. I remember because I was still at a point where I was capable of being astonished by Palo Alto. you can do saml auth for globalprotect but the firewall will ignore any groups provided by the saml callback. also groups obtained from group mapping can't be used as gateway selection criteria, presumably because group mapping hasn't happened yet

Posted Dec 30, 2019 02:15

> Jimmy Carter posted: TIL iOS and Android support using QR codes for sharing wifi credentials. Go help your local bar with this.

i'm not scanning that goatse link. i know better

Posted Dec 30, 2019 02:34

my radius beef is when apps try to use it for user authn. the stuff i build with my stupid fartastic cloud deployments is premised upon ephemeral infrastructure, so when loving cyberark wants to use radius for user auth and my pam guy just assumes i will turn on my pingfederate's radius capabilities i get irked because i am stupidly trying to get us into the cloud like what the last 8 years of c-levels have said is the strategy, which is a place where we can't guarantee a fixed ip address. gently caress you, in preparation for zero trust we are using federated protocols for all authentication, so use saml2 or oidc or die in a fire. looking at you, microsoft, who literally built azuread on openid flows but still demands ws-trust/ws-fed if you want to retain control of your idp.

Posted Dec 30, 2019 02:43

> Turnquiet posted: my radius beef is when apps try to use it for user authn. the stuff i build with my stupid fartastic cloud deployments is premised upon ephemeral infrastructure, so when loving cyberark wants to use radius for user auth and my pam guy just assumes i will turn on my pingfederate's radius capabilities i get irked because i am stupidly trying to get us into the cloud like what the last 8 years of c-levels have said is the strategy, which is a place where we can't guarantee a fixed ip address. gently caress you, in preparation for zero trust we are using federated protocols for all authentication, so use saml2 or oidc or die in a fire. looking at you, microsoft, who literally built azuread on openid flows but still demands ws-trust/ws-fed if you want to retain control of your idp.

there is no legitimate use case for RADIUS for user auth on web apps aside from "we already have radius servers", that's dumb as hell (yes I am aware that most MFA providers use on-prem radius proxies to insert MFA into auth flows that would otherwise not be supported)

Posted Dec 30, 2019 03:26

> Turnquiet posted: looking at you, microsoft, who literally built azuread on openid flows but still demands ws-trust/ws-fed if you want to retain control of your idp.

weird that Microsoft would combine two unfashionable protocols in a baffling way

Posted Dec 30, 2019 03:48

> Turnquiet posted: my radius beef is when apps try to use it for user authn. the stuff i build with my stupid fartastic cloud deployments is premised upon ephemeral infrastructure, so when loving cyberark wants to use radius for user auth and my pam guy just assumes i will turn on my pingfederate's radius capabilities i get irked because i am stupidly trying to get us into the cloud like what the last 8 years of c-levels have said is the strategy, which is a place where we can't guarantee a fixed ip address. gently caress you, in preparation for zero trust we are using federated protocols for all authentication, so use saml2 or oidc or die in a fire. looking at you, microsoft, who literally built azuread on openid flows but still demands ws-trust/ws-fed if you want to retain control of your idp.

are you on aws, because you definitely can get a fixed IP on aws

Posted Dec 30, 2019 04:52

> Nomnom Cookie posted: are you on aws, because you definitely can get a fixed IP on aws

but this costs money

Posted Dec 30, 2019 04:58

> graph posted: but this costs money

nah just don't delete the eni

Posted Dec 30, 2019 05:03

asdf

Posted Dec 30, 2019 07:16

> my stepdads beer posted: we use RADIUS for PPPoE because cisco's IPoE is buggy af on one of the agg routers we use and inertia. sorry about your 8 bytes of overhead everyone.

PPPoE is real good for certain situations and realising you can functionally operate as an ISP for stuff like tenants and student accommodation is baller as hell

Posted Dec 30, 2019 07:19

yeah it works okay and it would be far too annoying to change at this point

Posted Dec 30, 2019 07:23

in all of yospos this thread most closely aligns with my profession and it is also the thread i understand the least in

Posted Dec 30, 2019 07:38

> Bored Online posted: in all of yospos this thread most closely aligns with my profession and it is also the thread i understand the least in

Posted Dec 30, 2019 14:21

> Bored Online posted: in all of yospos this thread most closely aligns with my profession and it is also the thread i understand the least in

ignorance is bliss

Posted Dec 30, 2019 17:18

> Nomnom Cookie posted: are you on aws, because you definitely can get a fixed IP on aws

you get 5 elastic IPs per account, and they cost money and are usually (and justifiably) reserved by your cloud folk for some other, stupider use cases. just counting on never destroying the eni almost sounds like it would work if you didn't design your cluster for scaling and you connected directly to a combo admin/engine instance. for a clustered deployment you have n engines fielding requests, and those nodes attach to an nlb which is what the dns resolves to. and you don't get to control when/how aws cycles your ip addresses behind your nlb/albs.

i came up w/ a design that would allow us to fake a fixed ip via a proxy to our cluster, but it is an awful lot of effort when user auth should move on, and with oidc capable of doing browser/mobile/back channel stuff i don't get why vendors haven't matured (psych i do, it's laziness/effort/money).

Posted Dec 30, 2019 17:33

> Turnquiet posted: you get 5 elastic IPs per account, and they cost money and are usually (and justifiably) reserved by your cloud folk for some other, stupider use cases. just counting on never destroying the eni almost sounds like it would work if you didn't design your cluster for scaling and you connected directly to a combo admin/engine instance. for a clustered deployment you have n engines fielding requests, and those nodes attach to an nlb which is what the dns resolves to. and you don't get to control when/how aws cycles your ip addresses behind your nlb/albs.

how much radius are you doing that a single instance isn't enough, holy poo poo

Posted Dec 30, 2019 18:13

> Nomnom Cookie posted: how much radius are you doing that a single instance isn't enough, holy poo poo

Comcast has a nationwide wpa2 enterprise network

Posted Dec 30, 2019 18:43

> Cocoa Crispies posted: Comcast has a nationwide wpa2 enterprise network

they need to do more than several thousand requests/sec?

Posted Dec 30, 2019 18:58

> Nomnom Cookie posted: how much radius are you doing that a single instance isn't enough, holy poo poo

i don't build for radius at scale, i build for saml/oauth/oidc at scale.

Posted Dec 30, 2019 22:43

> Bored Online posted: in all of yospos this thread most closely aligns with my profession and it is also the thread i understand the least in

Proast about what you are doing then

Infrastructure and networking Jobs cum in different shapes and sizes but one way or another they are all terrible

Posted Dec 30, 2019 22:50

> Nomnom Cookie posted: they need to do more than several thousand requests/sec?

multiple instances aren't just for throughput and radius isn't just for yes/no authentication, so if there's a bunch of like accounting traffic that needs to be sharted that's going to mean you need to fan out those requests to a handful of hosts

Posted Dec 30, 2019 23:04

> Cocoa Crispies posted: multiple instances aren't just for throughput and radius isn't just for yes/no authentication, so if there's a bunch of like accounting traffic that needs to be sharted that's going to mean you need to fan out those requests to a handful of hosts

so it gets a load balancer and a dozen instances because that's how things are done in 2019. ok, fair enough

Posted Dec 31, 2019 01:25

...it can get stupider depending on the authentication product you are working with. i had a dream of a global authentication service that would determine the origination point of the request and georoute it to a cluster geographically close to the requestor to issue the auth token. this was easy enough to build using route53 and cloud formation with a product like pingfed, but the next bit would be figuring out how to do re-auth without generating consensus across all the global nodes once again. fortunately, pingfed allows you to do something called regional sub-clustering where you can validate existing tokens using a consensus algorithm across nodes within the indicated region (e.g. ap-southeast-12 has 3 nodes, and those 3 nodes only need to achieve consensus amongst themselves to validate an existing authentication session for some contractors authenticating out of noida india). so yeah, i need to run like 9 engines across 3 regions because the minimum count of nodes in a sub-cluster required to generate consensus on re-authentication is 3.

funny thing is i like the pingfederate. like, a lot. it IS wasteful after a fashion, but depending upon what you care about running a couple extra nodes to give folk a good ux is worth the extra couple hundred dollars a year.

yeah, i don't know much (like most overpaid idiots), i'm an identity guy who bumbled into devops/cloud/ephemeral infrastructure to try to spare himself late night ops support calls. and it turns out i built something that did the job pretty well

Posted Dec 31, 2019 02:29

> abigserve posted: Proast about what you are doing then

i reset passwords, read hashicorp manuals, and write awful python to automate administrative tasks. it's actually pretty chill cause the smarties let me pretend i do infrastructure sometimes

Posted Dec 31, 2019 03:23

that is how eduroam operates https://www.eduroam.org/how/

Posted Dec 31, 2019 16:59

thinking about doing the juniper service provider track to brush up, anyone know any decent online courses? also I only have cisco experience so it will be nice to branch out a bit

Posted Feb 11, 2020 11:16

> Partycat posted: that is how eduroam operates

"3 easy steps"

Posted Feb 11, 2020 16:29

why do so many linux systems still default to absurdly low open file limits. who is running anything approximating a multiuser system in tyool 2020. you would think overriding this would be a thing infra people bake into their images but nope. not even if you put a nice "HEY THIS SETTING IS hosed" message into application startup on the assumption they haven't

Posted Feb 12, 2020 10:46

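The startup check the post wishes applications shipped, as an added example that is not from the post: it reads `RLIMIT_NOFILE`, raises the soft limit up to the hard limit when that is enough (any unprivileged process may do that for itself), and otherwise reports the exact numbers next to the two places an image should have set them. The `required` thresholds and the `limits.conf`/systemd lines in the message are constructed sample values.

```python
import resource

UNLIMITED = resource.RLIM_INFINITY


def nofile_limits():
    """Return (soft, hard) RLIMIT_NOFILE for the current process."""
    return resource.getrlimit(resource.RLIMIT_NOFILE)


def system_file_max():
    """System-wide cap from /proc/sys/fs/file-max (Linux only; None elsewhere)."""
    try:
        with open("/proc/sys/fs/file-max") as f:
            return int(f.read().strip())
    except (OSError, ValueError):
        return None


def image_fix(required):
    """Where a baked image normally sets the limit (constructed example values;
    adjust the user wildcard and the service unit to taste)."""
    return [
        f"/etc/security/limits.conf: * soft nofile {required} / * hard nofile {required}",
        f"systemd unit [Service]: LimitNOFILE={required}",
    ]


def check_nofile(required, raise_soft=True):
    """Return (ok, message). A soft limit below `required` is raised in-process
    when the hard limit allows it; otherwise the message carries the exact
    values so whoever reads the log can fix the image rather than guess."""
    soft, hard = nofile_limits()
    if soft == UNLIMITED or soft >= required:
        return True, f"RLIMIT_NOFILE soft={soft} hard={hard}: ok"
    if raise_soft and (hard == UNLIMITED or hard >= required):
        resource.setrlimit(resource.RLIMIT_NOFILE, (required, hard))
        return True, f"RLIMIT_NOFILE soft raised {soft} -> {required} (hard={hard})"
    fixes = "; ".join(image_fix(required))
    return False, (f"HEY THIS SETTING IS BROKEN: RLIMIT_NOFILE soft={soft} "
                   f"hard={hard}, need {required}. Fix in the image: {fixes}")


if __name__ == "__main__":
    ok, msg = check_nofile(65536)  # constructed threshold
    print(msg, "| fs.file-max =", system_file_max())
```

Raising the soft limit at startup only covers the case where the hard limit is already generous; when the hard limit itself is the 1024-style default the process cannot help itself, which is the image-level problem the post is complaining about.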
ah, the thread of my people

Posted Feb 12, 2020 11:53

any of y'all tenants trying to get you to run a god dang "service mesh"? idk what real problems these things are trying to solve, I think they're just inventing stuff for themselves to do

Posted Feb 12, 2020 12:04

> Ploft-shell crab posted: any of y'all tenants trying to get you to run a god dang "service mesh"? idk what real problems these things are trying to solve, I think they're just inventing stuff for themselves to do

Posted Feb 12, 2020 17:31

> carry on then posted: MICROSERVICES!!!!!

post/avatar synergy

Posted Feb 12, 2020 17:35

> CMYK BLYAT! posted: why do so many linux systems still default to absurdly low open file limits. who is running anything approximating a multiuser system in tyool 2020.

Also with Docker images, so easy to eat up hundreds of sockets with AWS health-check and client connections across Route 53. RHEL has been incredibly conservative on its settings for a long time.

Posted Feb 12, 2020 19:00

> Ploft-shell crab posted: any of y'all tenants trying to get you to run a god dang "service mesh"? idk what real problems these things are trying to solve, I think they're just inventing stuff for themselves to do

it's purely to increase latency and resource overhead and to put more money in bezos' pocket

Posted Feb 12, 2020 19:49