How many NAS kann radius take?

Phil Mayers p.mayers at imperial.ac.uk
Thu Feb 13 12:03:37 CET 2014


On 13/02/14 10:14, Michael Schwartzkopff wrote:
>> If our people move over the campus with ~3.000 smartphones with activated
>> wifi, request numbers increase when they enter new wi-fi cells and trouble
>> begins:
>> There is barely an auth ok or incorrect in the log but lots of discarding
>> duplicates messages and cpu load is going up to 120 and a higher number of
>> messages like

Yes, lots of people have run into this in the last year or so.

Are you using Samba + ntlm_auth?

The underlying reasons are uncertain, and I'm not sure anyone has a 
complete understanding, but relevant issues are:

  1. Samba sites:
     * Older versions of Samba with scale limits
     * AD RPC pipe is, by design, synchronous and head-of-line blocking,
       so 1 slow/failed auth will block everyone else
     * Slow AD controllers can trigger the above too
  2. Very short EAP timeouts on newer client devices
  3. Some NASes e.g. Cisco lightweight wireless use a single UDP source
     port, so at most 256 requests can be in-flight at any given time
  4. Newer client devices staying on the wireless in sleep mode
  5. Lack of fast roaming
  6. Exhaustion of the thread pool in FreeRADIUS when
     samba/ldap/whatever slows down

...and more.

If you can give a bit more detail about how you are doing your 
authentication, I can suggest some pointers. There's a bunch of 
discussion on the list around October time.

Probably most relevant, if you are using Samba:

  1. Upgrade to 2.2.3, which has a configurable, sensible timeout for 
ntlm_auth

  2. Upgrade to Samba 3.6.x and set "winbind max domain connections = 12"

  3. Ensure your AD controllers are responding in a timely fashion by 
starting a long-running tcpdump ring-buffer capture and post-processing 
it with tshark to extract MS-RPC PDU IDs & response times. I can give 
more info on this if you need.
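
The "single UDP source port, so at most 256 requests in flight" point above follows from RFC 2865: the Identifier field is one octet, and a server matches requests and detects duplicates by (client source IP, source UDP port, Identifier). The following is an added example, not code from the original post or from FreeRADIUS, that models that matching and shows what happens when a NAS fires a burst of requests from one port while the backend is slow. The NAS address 10.0.0.1, the source ports, and the deterministic authenticator are constructed for the example; the new/duplicate/conflict bookkeeping is a simplified model and is not claimed to be FreeRADIUS's actual logic.

```python
"""Added example: why one UDP source port caps a NAS at 256 in-flight
RADIUS requests. Models RFC 2865 request matching on
(client source IP, source UDP port, Identifier); not FreeRADIUS code."""
import struct

ACCESS_REQUEST = 1
# Code (1 octet), Identifier (1 octet), Length (2), Request Authenticator (16)
HEADER = struct.Struct("!BBH16s")


def build_access_request(identifier: int, authenticator: bytes, attrs: bytes = b"") -> bytes:
    """Build a minimal Access-Request; attrs is raw attribute TLV data (empty here)."""
    if not 0 <= identifier <= 0xFF:
        raise ValueError("Identifier is a single octet")
    if len(authenticator) != 16:
        raise ValueError("Request Authenticator is 16 octets")
    return HEADER.pack(ACCESS_REQUEST, identifier, HEADER.size + len(attrs), authenticator) + attrs


def parse_header(pkt: bytes):
    """Return (code, identifier, authenticator); reject packets RFC 2865 says to drop."""
    if len(pkt) < HEADER.size:
        raise ValueError("short packet")
    code, ident, length, auth = HEADER.unpack_from(pkt)
    if length < HEADER.size or length > len(pkt):
        raise ValueError("bad Length field")
    return code, ident, auth


class RequestTracker:
    """In-flight table keyed on (src_ip, src_port, identifier), as the server sees it."""

    def __init__(self):
        self.inflight = {}
        self.stats = {"new": 0, "duplicate": 0, "conflict": 0}

    def receive(self, src_ip: str, src_port: int, pkt: bytes) -> str:
        _code, ident, auth = parse_header(pkt)
        key = (src_ip, src_port, ident)
        prev = self.inflight.get(key)
        if prev is None:
            self.inflight[key] = auth
            self.stats["new"] += 1
            return "new"
        if prev == auth:
            # Same key, same authenticator: the NAS retransmitted while we
            # were still working on the original. Nothing new to process.
            self.stats["duplicate"] += 1
            return "duplicate"
        # Same key, different authenticator: the NAS wrapped its 8-bit
        # identifier counter and reused an ID whose reply is still pending.
        self.inflight[key] = auth
        self.stats["conflict"] += 1
        return "conflict"

    def complete(self, src_ip: str, src_port: int, ident: int) -> None:
        """Reply sent; free the identifier slot."""
        self.inflight.pop((src_ip, src_port, ident), None)


def constructed_authenticator(n: int) -> bytes:
    """Constructed, deterministic stand-in; a real NAS must use 16 unpredictable octets."""
    return n.to_bytes(16, "big")


def simulate_burst(n_requests: int, n_source_ports: int) -> dict:
    """A NAS at 10.0.0.1 (constructed) sends n_requests before any reply
    arrives (slow backend), round-robin over n_source_ports UDP source
    ports, each port keeping its own 8-bit identifier counter."""
    tracker = RequestTracker()
    for i in range(n_requests):
        port = 50000 + (i % n_source_ports)
        ident = (i // n_source_ports) & 0xFF  # the one-octet counter wraps here
        pkt = build_access_request(ident, constructed_authenticator(i))
        tracker.receive("10.0.0.1", port, pkt)
    return dict(tracker.stats)


if __name__ == "__main__":
    print("300 requests, 1 source port :", simulate_burst(300, 1))
    print("300 requests, 2 source ports:", simulate_burst(300, 2))
```

With one source port, the 257th outstanding request reuses identifier 0 and collides with a request still waiting on the backend; with two ports the same burst fits, because the tracker's key includes the port and the identifier space doubles. Retransmits of an unchanged request are the "duplicate" case and are what the "discarding duplicates" log messages above refer to.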

