<html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<br>
<div class="moz-cite-prefix">On 10/02/2014 12:35 PM, Rando Nakarmi
wrote:<br>
</div>
<blockquote
cite="mid:CAG+85v_n6A5H-av4QZ51LZphDnorggn_p7fzx-zk35jzM3v-cg@mail.gmail.com"
type="cite">
<meta http-equiv="Content-Type" content="text/html;
charset=ISO-8859-1">
<div dir="ltr">Hello John,
<div><br>
</div>
<div>Thanks</div>
<div><br>
</div>
<div>you increased max_request = 16384 (so you have only 64
clients?)</div>
</div>
</blockquote>
<br>
That was a cut/paste from Phil Huxley who responded to my question.
I'm still figuring out how to optimize. I can say that the max
domain connections helped A LOT. However, the faster you churn, the
more you might hit the Cisco WLC bug. We've seen _less_ but we've
added radius servers and moved some controllers to their own radius
server pairs. I hate adding radius servers as I feel it masks the
real problem and it doesn't solve peak (change of classes) issues.<br>
<br>
<blockquote
cite="mid:CAG+85v_n6A5H-av4QZ51LZphDnorggn_p7fzx-zk35jzM3v-cg@mail.gmail.com"
type="cite">
<div dir="ltr">
<div>you set winbind max domain connections = 12 (how do I know
which value is right?) (we have around 300 clients (WAPs))</div>
</div>
</blockquote>
It's really mainly about handling peak connections. With 300 WAPs
you probably won't go that high. I have about 500 aps/controller but
we have 30k users online at once spread across maybe 20 controllers
with multiple controllers on each radius server.<br>
<br>
Actually I increased winbind max domain connections to 128. The way
I kind of felt that out was to (on the linux/unix server)<br>
<br>
lsof | grep winbind | grep TCP<br>
<br>
You can see the number of TCP connections to the AD server. We were
hitting our initial limit of 50 during peak times. I just increased
it to a high enough number so that I probably won't reach it. The
number of connections goes up and down. On a radius failover we
might be generating a lot of connections but they eventually close
and die off.<br>
<blockquote
cite="mid:CAG+85v_n6A5H-av4QZ51LZphDnorggn_p7fzx-zk35jzM3v-cg@mail.gmail.com"
type="cite">
<div dir="ltr">
<div><br>
</div>
<div>so I set max_request = 300*256 (I use 256, the value
which is in the radious.conf file)</div>
<div><br>
</div>
<div>winbind max clients = 1200 (has anybody used this
parameter? Does this mean how many winbind clients can connect
to AD?)<br>
</div>
</div>
</blockquote>
<br>
I'm actually not 100% sure on that stat/setting. :) I don't think I
really care about it enough. Not really sure how to determine this
one. The documentation isn't really pointing out what that means (on
samba.org).<br>
<blockquote
cite="mid:CAG+85v_n6A5H-av4QZ51LZphDnorggn_p7fzx-zk35jzM3v-cg@mail.gmail.com"
type="cite">
<div dir="ltr">
<div><br>
</div>
<div>--cheers</div>
<div>Rando</div>
<div><br>
</div>
<div><br>
</div>
</div>
<div class="gmail_extra"><br>
<div class="gmail_quote">On Thu, Oct 2, 2014 at 3:27 PM, John
Douglass <span dir="ltr"><<a moz-do-not-send="true"
href="mailto:john.douglass@oit.gatech.edu" target="_blank">john.douglass@oit.gatech.edu</a>></span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0
.8ex;border-left:1px #ccc solid;padding-left:1ex">
<div bgcolor="#FFFFFF" text="#000000"> :) Rando,<br>
<br>
There has been much discussion on this list about that
problem. IF you are using Cisco WLC, there is a flaw in
the way radius is processed which could lead to these log
messages. Here is the previous set of threads that have
some pointers as to what to look at.<br>
<br>
Cisco WLCs use the same source port, and the 8-bit ID that
is used to track radius conversations gets cycled so fast
during peak times that it creates duplicates where there
really shouldn't be. We are pushing Cisco hard to fix this
flaw in their design, especially since they are creating
controllers with more and more capacity. The problem is
only going to get worse.<br>
<br>
I highly suggest you move to radius 2.2.5 and enable the
ntlm_auth timeout and upgrade your samba to 3.6 where you
can add some additional parameters. Here are some hints
that Phil Huxley shared with us that have been helpful in
making our services better. The issues haven't been
handled 100%, and there are other things to consider like
if using a Cisco WLC, enabling client exclusion, etc, etc
but I don't have a ton of info on that as I just run the
radius servers.<br>
<br>
<a moz-do-not-send="true"
href="http://lists.freeradius.org/pipermail/freeradius-users/2014-September/073929.html"
target="_blank">http://lists.freeradius.org/pipermail/freeradius-users/2014-September/073929.html</a><br>
<br>
- John Douglass @ Georgia Tech<br>
<br>
PS: I really need to write up a blog post about this :) <br>
PSS: Yes we know AD is slow and it sucks as a backend but
for a lot of us, it's what we have to deal with :)
<div>
<div class="h5"><br>
<br>
<br>
<div>On 10/02/2014 11:10 AM, Rando Nakarmi wrote:<br>
</div>
</div>
</div>
<blockquote type="cite">
<div>
<div class="h5">
<div dir="ltr">
<div>I've been seeing quite a large number of messages
like the one below logged in radius.log lately.</div>
<div><br>
</div>
Discarding duplicate request from client
classroom98 port 32880 - ID: 131 due to unfinished
request 241848<br>
<div><br>
</div>
<div>I read some threads; this might be the case
when the back-end servers (i.e. auth servers) are too
slow to respond. </div>
<div><br>
</div>
<div>My back-end is AD, using ntlm_auth. </div>
<div>radius version 2.1.12-4</div>
<div>samba version 3.5.8-68</div>
<div><br>
</div>
<div>Any hints or suggestion how to resolve this
would be very helpful.</div>
<div><br>
</div>
<div>Most of the users get authenticated (I don't
think ntlm_auth is responding slowly); I could not
figure this out.</div>
<div><br>
</div>
<div>--cheers,</div>
<div>Rando</div>
</div>
<br>
<br>
</div>
</div>
<span class="">
<pre>-
List info/subscribe/unsubscribe? See <a moz-do-not-send="true" href="http://www.freeradius.org/list/users.html" target="_blank">http://www.freeradius.org/list/users.html</a></pre>
</span></blockquote>
<br>
</div>
</blockquote>
</div>
<br>
</div>
<br>
</blockquote>
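The thread's "Discarding duplicate request ... due to unfinished request" lines are easier to reason about when aggregated per NAS source port: how many packets were dropped, how many distinct 8-bit RADIUS IDs were involved, and how many distinct unfinished requests they collided with. The following script is an added example, not code from the thread or from FreeRADIUS; the sample log lines, client names, ports, IDs and request numbers are constructed in the FreeRADIUS 2.x log style.

```python
import re
from collections import defaultdict

# Constructed sample lines in FreeRADIUS 2.x log style (not taken from the thread);
# the client names, ports, IDs and request numbers are made up for the example.
SAMPLE_LOG = """\
Thu Oct  2 11:05:12 2014 : Error: Discarding duplicate request from client classroom98 port 32880 - ID: 131 due to unfinished request 241848
Thu Oct  2 11:05:12 2014 : Error: Discarding duplicate request from client classroom98 port 32880 - ID: 131 due to unfinished request 241848
Thu Oct  2 11:05:13 2014 : Error: Discarding duplicate request from client classroom98 port 32880 - ID: 17 due to unfinished request 241902
Thu Oct  2 11:05:13 2014 : Error: Discarding duplicate request from client classroom98 port 32880 - ID: 203 due to unfinished request 241911
Thu Oct  2 11:05:14 2014 : Auth: Login OK: [jdoe] (from client classroom98 port 0 cli 00-11-22-33-44-55)
Thu Oct  2 11:05:15 2014 : Error: Discarding duplicate request from client library12 port 1645 - ID: 5 due to unfinished request 241950
"""

DUP_RE = re.compile(
    r"Discarding duplicate request from client (?P<client>\S+) port (?P<port>\d+)"
    r" - ID: (?P<id>\d+) due to unfinished request (?P<req>\d+)"
)


def parse_duplicates(text):
    """Yield (client, port, radius_id, request_number) for each discard line."""
    for line in text.splitlines():
        m = DUP_RE.search(line)
        if m:
            yield m["client"], int(m["port"]), int(m["id"]), int(m["req"])


def summarize(text):
    """Per (client, source port): packets discarded, distinct 8-bit RADIUS IDs seen,
    and distinct unfinished requests collided with. discards well above
    unfinished_requests means the NAS keeps retransmitting while the backend
    (ntlm_auth/AD in the thread) has not answered; a high distinct_ids count from a
    single source port shows how quickly that NAS turns over its 256-value ID space."""
    stats = defaultdict(lambda: {"discards": 0, "ids": set(), "requests": set()})
    for client, port, rid, req in parse_duplicates(text):
        s = stats[(client, port)]
        s["discards"] += 1
        s["ids"].add(rid)
        s["requests"].add(req)
    return {key: {"discards": s["discards"], "distinct_ids": len(s["ids"]),
                  "unfinished_requests": len(s["requests"])} for key, s in stats.items()}


def busiest(summary, n=5):
    """The n (client, port) pairs with the most discards, worst first."""
    return sorted(summary.items(), key=lambda kv: kv[1]["discards"], reverse=True)[:n]


if __name__ == "__main__":
    for key, s in busiest(summarize(SAMPLE_LOG)):
        print(key, s)
```

Run it against a real radius.log to see which controllers are generating the discards and whether they are retransmits of a few stuck requests or a steady churn of fresh IDs from one source port.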
<br>
</body>
</html>