FreeRadius slower than SBR

Alan DeKok aland at deployingradius.com
Tue Oct 31 16:15:01 CET 2006


<Sean.Boran at swisscom.com> wrote:
> I'm proposing a FreeRadius solution for 802.1x authentication of Wired
> client based on Client certificates, a CRL lookup, and vlan association
> from Active Directory.

  FreeRADIUS doesn't do CRL lookups right now (i.e. OCSP), but it's
probably not too hard to add.

> The IT department, who usually buy Steel Belted Radius from Juniper, are
> saying FreeRadius is just too slow, and could not handle the traffic.

  Sure...  See the survey results I posted yesterday.  Ask Juniper how
many sites with more than 10 million users have deployed SBR.  Ask
them why their market share is 1/3 that of Cisco or IAS.  Ask them how
they do load balancing or failover to LDAP directories... they don't.

  Performance isn't everything.  And 99% of the server's performance is
limited by the back-end database.

> Now, I don't see the basis for these assertions and I would imagine the
> bottleneck being the CRL lookups and AD requests.

  Yes.

> I estimate the number of authentications per sec to reach about 60 to
> 100 for this project.

  That's a lot for a sustained load.  And if that's a problem, you
need to buy more machines.  You don't say how many users you have, but
if you have a few hundred thousand (or more), I would *strongly*
suggest multiple RADIUS servers for redundancy, just in case one
hiccups.

  Oh, wait... you can't do that with SBR, because its model is to pay
per server installation.  That means your network is *more* likely to
fail, because you're using 1-2 servers where a good design would use
3-4.

  Take the money you save by *not* buying SBR licenses, and buy more
machines.  Install FreeRADIUS on those machines, and your network will
thank you for it. :)

> However I'd like to humbly ask the list what they think of such
> assertions, is there something in SBR that would make them much more
> scalable or faster?

  No.

> Where would the bottlenecks be?

  The database, and the SSL traffic.

> How many client cert auths/sec could FR handle, on say an entry level
> single CPU server HW?

  Not a lot.  If you're just doing PAP to the "users" file, the server
can handle 1000's to 10's of 1000's per second.  Add LDAP lookups, and
that probably drops to low 1000's per second.  Add SSL, and it drops
even more.  But SBR will have exactly the same issues with LDAP and
SSL, for exactly the same reason: 99% of the time will be spent
waiting for LDAP, or doing encryption.

  Alan DeKok.
--
  http://deployingradius.com       - The web site of the book
  http://deployingradius.com/blog/ - The blog
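The thread's baseline figure (PAP against a flat "users" file, before any LDAP or TLS work is added) is easy to measure for yourself. The following is an added example, not code from the original post or from the FreeRADIUS project: a minimal RFC 2865 PAP exchange in Python with both sides in one process, an in-memory "users" table standing in for the server's users file, and a loopback throughput measurement. The shared secret, user names and passwords are constructed sample values. Point `benchmark` at a real test server of your own only by replacing the loopback socket; the client-side functions (`build_access_request`, `check_response`) are the same either way.

```python
import hashlib
import hmac
import os
import socket
import struct
import threading
import time

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2

def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 section 5.2: pad to 16-byte blocks, XOR each block with an MD5 chain."""
    n = max(1, (len(password) + 15) // 16) * 16
    padded = password.ljust(n, b"\x00")
    out, prev = b"", authenticator
    for i in range(0, n, 16):
        block = hashlib.md5(secret + prev).digest()
        cipher = bytes(x ^ y for x, y in zip(padded[i:i + 16], block))
        out, prev = out + cipher, cipher
    return out

def unhide_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of hide_password; trailing NULs are padding and are stripped."""
    if not hidden or len(hidden) % 16:
        raise ValueError("User-Password must be a non-empty multiple of 16 bytes")
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        chunk = hidden[i:i + 16]
        block = hashlib.md5(secret + prev).digest()
        out, prev = out + bytes(x ^ y for x, y in zip(chunk, block)), chunk
    return out.rstrip(b"\x00")

def encode_attrs(attrs):
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)

def decode_attrs(data: bytes):
    attrs, i = [], 0
    while i + 2 <= len(data):
        t, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError("malformed attribute")
        attrs.append((t, data[i + 2:i + length]))
        i += length
    return attrs

def build_access_request(ident: int, username: bytes, password: bytes, secret: bytes):
    """Client side: returns (packet, request_authenticator)."""
    ra = os.urandom(16)
    attrs = encode_attrs([(ATTR_USER_NAME, username),
                          (ATTR_USER_PASSWORD, hide_password(password, secret, ra))])
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + ra + attrs, ra

def response_authenticator(code, ident, attrs, request_auth, secret):
    """MD5(Code + ID + Length + RequestAuth + Attributes + Secret), RFC 2865 section 3."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + request_auth + attrs + secret).digest()

def handle_request(packet: bytes, secret: bytes, users: dict):
    """Server side: check PAP credentials against the users table, answer Accept/Reject."""
    if len(packet) < 20:
        return None
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_REQUEST or length != len(packet):
        return None
    ra = packet[4:20]
    attrs = dict(decode_attrs(packet[20:length]))
    name, hidden = attrs.get(ATTR_USER_NAME), attrs.get(ATTR_USER_PASSWORD)
    expected = users.get(name) if name is not None else None
    ok = (expected is not None and hidden is not None
          and hmac.compare_digest(expected, unhide_password(hidden, secret, ra)))
    rcode = ACCESS_ACCEPT if ok else ACCESS_REJECT
    return struct.pack("!BBH", rcode, ident, 20) + response_authenticator(rcode, ident, b"", ra, secret)

def check_response(packet: bytes, request_auth: bytes, secret: bytes) -> bool:
    """Client side: verify the Response Authenticator, then report Accept (True) or not."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    attrs = packet[20:length]
    if not hmac.compare_digest(packet[4:20], response_authenticator(code, ident, attrs, request_auth, secret)):
        raise ValueError("bad Response Authenticator: wrong secret or tampered reply")
    return code == ACCESS_ACCEPT

def _serve(sock, secret, users, stop):
    sock.settimeout(0.2)
    while not stop.is_set():
        try:
            data, addr = sock.recvfrom(4096)
        except socket.timeout:
            continue
        reply = handle_request(data, secret, users)
        if reply:
            sock.sendto(reply, addr)

def benchmark(n: int, secret: bytes, users: dict, username: bytes, password: bytes):
    """Sequential request/response over loopback; returns (accepted_count, auths_per_second)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    srv.bind(("127.0.0.1", 0))
    stop = threading.Event()
    worker = threading.Thread(target=_serve, args=(srv, secret, users, stop), daemon=True)
    worker.start()
    cli = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    cli.settimeout(2)
    accepted, start = 0, time.perf_counter()
    for i in range(n):
        pkt, ra = build_access_request(i & 0xFF, username, password, secret)
        cli.sendto(pkt, srv.getsockname())
        reply, _ = cli.recvfrom(4096)
        accepted += check_response(reply, ra, secret)
    elapsed = time.perf_counter() - start
    stop.set(); worker.join(); srv.close(); cli.close()
    return accepted, n / elapsed

# Constructed sample data: a two-entry "users" table and a throwaway shared secret.
SECRET = b"testing123-constructed"
USERS = {b"alice": b"correct horse battery", b"bob": b"hunter2"}

if __name__ == "__main__":
    ok, rate = benchmark(2000, SECRET, USERS, b"alice", USERS[b"alice"])
    print(f"{ok} accepted, {rate:.0f} auths/sec (loopback, single thread, no database, no TLS)")
```

The number this prints is an upper bound, not a prediction: it contains no directory round trip and no TLS handshake, which is exactly the point the reply makes. Measuring the same client against a server that consults LDAP, and then one terminating EAP-TLS, shows how much of the per-request budget each of those stages takes.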


