<HTML><HEAD>
<META http-equiv=Content-Type content="text/html; charset=utf-8">
<META content="MSHTML 6.00.6000.16414" name=GENERATOR></HEAD>
<BODY style="MARGIN: 4px 4px 1px; FONT: 10pt Tahoma">
<DIV>I am a newbie, running 3 (for redundancy) FreeRadius servers (1.1.7) on SUSE 10 SP1 (32-bit) to authenticate our wireless clients (PEAP MSCHAPv2) to our eDirectory via LDAP. We average 800-900 simultaneous wireless clients (need to support a potential 4K in the future).</DIV>
<DIV> </DIV>
<DIV>The setup works well and authenticates users very quickly, but every couple days, the radiusd process will either blow up and start consuming 99% of the CPU or die altogether. More often it blows up. We had stability problems initially, even when the process was running, so I took everything out of the config that we didn't need and that seemed to help.</DIV>
<DIV> </DIV>
<DIV>Can anyone comment on our configuration and tell me if I'm doing something wrong? This is my first FreeRadius deployment and I don't consider myself a Linux guru, let alone claim to know much about Radius.</DIV>
<DIV> </DIV>
<DIV>Thanks in advance,</DIV>
<DIV> </DIV>
<DIV>Nathan Hay</DIV>
<DIV>Network Engineer</DIV>
<DIV>Cedarville University</DIV>
<DIV> </DIV>
<DIV>prefix = /usr/local<BR>exec_prefix = ${prefix}<BR>sysconfdir = ${prefix}/etc<BR>localstatedir = ${prefix}/var<BR>sbindir = ${exec_prefix}/sbin<BR>logdir = ${localstatedir}/log/radius<BR>raddbdir = ${sysconfdir}/raddb<BR>radacctdir = ${logdir}/radacct</DIV>
<DIV>confdir = ${raddbdir}<BR>run_dir = ${localstatedir}/run/radiusd</DIV>
<DIV>log_file = ${logdir}/radius.log</DIV>
<DIV>libdir = ${exec_prefix}/lib</DIV>
<DIV>pidfile = ${run_dir}/radiusd.pid</DIV>
<DIV> </DIV>
<DIV>user = radiusd<BR>group = radiusd</DIV>
<DIV> </DIV>
<DIV>max_request_time = 30</DIV>
<DIV>delete_blocked_requests = no</DIV>
<DIV>cleanup_delay = 5</DIV>
<DIV>max_requests = 512000</DIV>
<DIV> </DIV>
<DIV>bind_address = *</DIV>
<DIV>port = 0</DIV>
<DIV> </DIV>
<DIV>hostname_lookups = no</DIV>
<DIV>allow_core_dumps = no</DIV>
<DIV>regular_expressions = yes<BR>extended_expressions = yes</DIV>
<DIV>log_stripped_names = yes</DIV>
<DIV>log_auth = no</DIV>
<DIV>log_auth_badpass = no<BR>log_auth_goodpass = no</DIV>
<DIV> </DIV>
<DIV>usercollide = no</DIV>
<DIV> </DIV>
<DIV>lower_user = no<BR>lower_pass = no</DIV>
<DIV> </DIV>
<DIV>nospace_user = no<BR>nospace_pass = no</DIV>
<DIV> </DIV>
<DIV>checkrad = ${sbindir}/checkrad</DIV>
<DIV> </DIV>
<DIV>security {<BR> max_attributes = 200</DIV>
<DIV> reject_delay = 1</DIV>
<DIV> status_server = no<BR>}</DIV>
<DIV> </DIV>
<DIV>proxy_requests = no</DIV>
<DIV>$INCLUDE ${confdir}/clients.conf</DIV>
<DIV>snmp = no</DIV>
<DIV> </DIV>
<DIV>thread pool {</DIV>
<DIV> </DIV>
<DIV> start_servers = 16</DIV>
<DIV> max_servers = 64<BR> min_spare_servers = 8<BR> max_spare_servers = 16<BR> max_requests_per_server = 0<BR>}</DIV>
<DIV> </DIV>
<DIV>modules {</DIV>
<DIV> </DIV>
<DIV>$INCLUDE ${confdir}/eap.conf</DIV>
<DIV> </DIV>
<DIV> mschap {<BR> authtype = MS-CHAP</DIV>
<DIV> use_mppe = yes</DIV>
<DIV> require_encryption = yes</DIV>
<DIV> require_strong = yes<BR> }</DIV>
<DIV> </DIV>
<DIV> ldap {<BR> server = "XXX"</DIV>
<DIV> identity = "cn=XXX,o=XXX"<BR> password = XXX</DIV>
<DIV> basedn = "o=XXX"</DIV>
<DIV> filter = "(cn=%{Stripped-User-Name:-%{User-Name}})"</DIV>
<DIV> base_filter = "(objectclass=radiusprofile)"</DIV>
<DIV> start_tls = yes</DIV>
<DIV> tls_cacertfile = /usr/local/etc/raddb/certs/ldap.cer</DIV>
<DIV> tls_cacertdir = /usr/local/etc/raddb/certs/</DIV>
<DIV> tls_require_cert = "demand"</DIV>
<DIV> dictionary_mapping = ${raddbdir}/ldap.attrmap</DIV>
<DIV> ldap_connections_number = 10</DIV>
<DIV> password_attribute = nspmPassword</DIV>
<DIV> edir_account_policy_check=no<BR> timeout = 4<BR> timelimit = 3<BR> net_timeout = 1<BR> }<BR>}<BR>
authorize {<BR> mschap<BR> eap<BR> ldap<BR>}<BR>
authenticate {<BR> Auth-Type MS-CHAP {<BR> mschap<BR> }<BR> Auth-Type LDAP {<BR> &nbsp; ldap<BR> }<BR> eap<BR>}<BR>
post-auth {<BR> ldap<BR> Post-Auth-Type REJECT {<BR> ldap<BR> }<BR>}</DIV>
<DIV> </DIV></BODY></HTML>