freeradius -> AD performance

Munroe Sollog mus3 at lehigh.edu
Fri Dec 20 19:55:12 CET 2019


Thanks for the help.  I'll forward your suggestions to the vendor as well.

On Fri, Dec 20, 2019 at 1:45 PM Alan DeKok <aland at deployingradius.com>
wrote:

> On Dec 20, 2019, at 1:28 PM, Munroe Sollog <mus3 at lehigh.edu> wrote:
> >
> > I would like to replace the windows NPS service with freeradius.
> > Freeradius provides a lot better visibility and control than the Microsoft
> > NPS service.  However, doing some very rudimentary performance analysis and
> > my freeradius server is ~4-5 times slower than the Microsoft NPS service.
>
>   No.
>
> > My wireless controllers provide a "test your radius server" command and it
> > outputs the response time.  I am testing using a known bad username and
> > password against both radius servers.  According to the wireless controller
> > the MS NPS returns a result in ~3ms, while Freeradius returns a response in
> > ~1000ms.
>
>   See radiusd.conf, and the "reject_delay" parameter.
>
>   The server delays rejects in order to prevent brute-force attacks.
>
>   This isn't about the server being slow.  It's about the server being *secure*.
>
> > The NPS server I am benchmarking is in production and under load
> > while the freeradius server I am testing is not.
> >
> > Below is the output of freeradius -X as well as an example query.  If
> > anyone sees anything that might explain the ~300% performance difference,
> > I'd appreciate it.
>
>   1000 / 3 = 300, or 30,000%. :)
>
> > security {
> >  max_attributes = 200
> >  reject_delay = 1.000000
>
>   Read the comments in the default configuration around "reject_delay".
>
> > (0) Login incorrect: [foo/<via Auth-Type = mschap>] (from client aruba port 0 cli 0.0.0.0)
> > (0) Delaying response for 1.000000 seconds
>
>   See?  The debug output tells you *exactly* what it's doing.  Please read it.
>
>   You can set "reject_delay = 0", but it's not generally recommended.
>
>   The wireless controller should also use Status-Server for "test your RADIUS server" checks:
>
> https://tools.ietf.org/html/rfc5997
>
>   I published that standard a decade ago.  It's high time vendors read it, and implemented it.
>
>   Alan DeKok.
>
>
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html



-- 
Munroe Sollog
Senior Network Engineer
munroe at lehigh.edu
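The Status-Server check Alan points to, worked through as an added example (my code, not from the thread or from FreeRADIUS): the client builds a Status-Server packet with the mandatory Message-Authenticator, a simulated server validates it and answers Access-Accept, and the client checks both the Response Authenticator and the reply's Message-Authenticator. The shared secret and Request Authenticator used in the test are constructed values, and the simulated server adding a Message-Authenticator to its reply is my assumption (RFC 5997 only mandates it on the request).

```python
import hashlib, hmac, struct
STATUS_SERVER, ACCESS_ACCEPT, MSG_AUTH = 12, 2, 80  # RADIUS codes and attribute type

def _msg_auth(secret, packet, authenticator):
    # HMAC-MD5 over the packet with the Authenticator field set to `authenticator` and
    # the Message-Authenticator zeroed (RFC 3579 3.2). Returns (computed, found) or (None, None).
    body = bytearray(packet)
    body[4:20] = authenticator
    off = 20
    while off + 2 <= len(body):
        typ, ln = body[off], body[off + 1]
        if ln < 2:  # malformed attribute length: stop parsing
            break
        if typ == MSG_AUTH and ln == 18:
            found = bytes(body[off + 2:off + 18])
            body[off + 2:off + 18] = b"\x00" * 16
            return hmac.new(secret, bytes(body), hashlib.md5).digest(), found
        off += ln
    return None, None

def build_status_server(secret, ident, req_auth):
    # Client: a Status-Server (code 12) must carry a Message-Authenticator (RFC 5997 3).
    head = struct.pack("!BBH", STATUS_SERVER, ident, 38) + req_auth
    pkt = head + bytes([MSG_AUTH, 18]) + b"\x00" * 16
    mac, _ = _msg_auth(secret, pkt, req_auth)
    return pkt[:22] + mac

def answer_status_server(secret, request):
    # Server: check the request MAC, then reply Access-Accept (RFC 5997 4.1); a bad MAC is dropped.
    code, ident, _ = struct.unpack("!BBH", request[:4])
    req_auth = request[4:20]
    mac, found = _msg_auth(secret, request, req_auth)
    if code != STATUS_SERVER or mac is None or not hmac.compare_digest(mac, found):
        return None
    head = struct.pack("!BBH", ACCESS_ACCEPT, ident, 38)
    zeroed = head + req_auth + bytes([MSG_AUTH, 18]) + b"\x00" * 16
    attrs = bytes([MSG_AUTH, 18]) + _msg_auth(secret, zeroed, req_auth)[0]
    # Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    return head + hashlib.md5(head + req_auth + attrs + secret).digest() + attrs

def verify_response(secret, request, response):
    # Client: accept only an Access-Accept whose ID, Response Authenticator and MAC all match.
    code, ident, length = struct.unpack("!BBH", response[:4])
    req_auth = request[4:20]
    if code != ACCESS_ACCEPT or ident != request[1] or length != len(response):
        return False
    expect = hashlib.md5(response[:4] + req_auth + response[20:] + secret).digest()
    mac, found = _msg_auth(secret, response, req_auth)
    return hmac.compare_digest(expect, response[4:20]) and mac is not None and hmac.compare_digest(mac, found)
```

Because a Status-Server is not an authentication attempt, reject_delay never applies to its reply, so the measured round trip reflects the server itself rather than its brute-force throttle.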


More information about the Freeradius-Users mailing list