Performance issue with Freeradius (2.1.7) running Veriwave
Hi, I am running freeradius version 2.1.7. I am seeing some performance issue when I ran Veriwave AAA test with 15 clients connecting at the rate of 15 client/sec. The auth type is PEAP-MSCHAPv2 and using the local database (i.e. not radius). It is using the file as a db store which in our system is mapped to a ramdisk. The test runs for 30 sec. The auth rate was 9 auth/sec. The same test when ran against Microsoft AAA server gives 25 auth/sec. With Freeradius, out of 450 attempted authentications, 209 was successful and 241 was failed. For single client the authentication time is around 110 ms. Is this the expected number? From the mailing list, it seems 150 msec is what has been observed. The RSA key generation on the server is offloaded to the hardware. Without it the auth rate was only 3 auth/sec. Initially, I had threading option turned off and then later turned it on, but the numbers did not change much. I have tried various suggestion put forward in the mailing list including radius file access during authentication by moving file section from authorize section to authenticate section etc., but not much improvement. I also see something similar query raised, but did not find any satisfactory reply. http://freeradius.1045715.n5.nabble.com/Performance-with-Freeradius-1-1- 4-td2760808.html Any help on this will be appreciated. Thanks, Anurag ________________________________ From: Verma Anurag-VNF673 Sent: Wednesday, December 15, 2010 11:37 AM To: 'freeradius-devel@lists.freeradius.org' Subject: building freeradius statically Hi, I am trying to build static version of freeradius by passing --enable-static --enable-shared=no to configure. However, I get an error related to static link of dynamic object libltdl.so. In the make output I can see it is explicitly referring to this shared library. How can I tell it to link with libltdl.a (which is already existing) instead? Thanks, Anurag
Verma Anurag-VNF673 wrote:
The test runs for 30 sec. The auth rate was 9 auth/sec. The same test when ran against Microsoft AAA server gives 25 auth/sec.
On the same machine? Or on completely different hardware?
With Freeradius, out of 450 attempted authentications, 209 was successful and 241 was failed.
Do you know *why* they failed? That question might be interesting to answer.
For single client the authentication time is around 110 ms. Is this the expected number?
Since you haven't said *anything* about your system, I have no idea.
From the mailing list, it seems 150 msec is what has been observed. The RSA key generation on the server is offloaded to the hardware. Without it the auth rate was only 3 auth/sec.
Well... your CPU is really not powerful enough to do RSA. Don't blame FreeRADIUS.
I have tried various suggestion put forward in the mailing list including radius file access during authentication by moving file section from authorize section to authenticate section etc., but not much improvement.
RSA calculations are CPU bound. No amount of playing games with file access will increase the CPU power of the machine.
I also see something similar query raised, but did not find any satisfactory reply.
Use a faster CPU. Alan DeKok.
Alan,
On the same machine? Or on completely different hardware? Good point. It was on a different machine. Let me check the configuration.
Do you know *why* they failed? That question might be interesting to answer.
How do I find that. Running radiusd -X in debug mode slows it down. Is there anyway I can debug this further?
Since you haven't said *anything* about your system, I have no idea. I am not sure if I can disclose that, but the point is that I see the same performance number when done with Microsoft AAA server for a single authentication request. I forgot to mentioned that earlier.
Well... your CPU is really not powerful enough to do RSA. Don't blame FreeRADIUS. Use a faster CPU.
Well, the CPU is not doing it, RSA calculation is offloaded to hardware. So, not sure how faster CPU will help. Anurag
Alan,
On the same machine? Or on completely different hardware? Good point. It was on a different machine. Let me check the configuration.
Do you know *why* they failed? That question might be interesting to answer.
How do I find that. Running radiusd -X in debug mode slows it down. Is there anyway I can debug this further?
radiusd -X > radius.log & tail -f radius.log
Since you haven't said *anything* about your system, I have no idea. I am not sure if I can disclose that, but the point is that I see the same performance number when done with Microsoft AAA server for a single authentication request. I forgot to mentioned that earlier.
Well... your CPU is really not powerful enough to do RSA. Don't blame FreeRADIUS. Use a faster CPU.
Get out all modules if you don´t use it
Well, the CPU is not doing it, RSA calculation is offloaded to hardware. So, not sure how faster CPU will help.
I use a dual core to AAA 600K users, but mysql is out of box. Sometimes mysql is my problem... Toledo
Just to give you an idea of RSA calculation in h/w, this is what I get when I run openssl speed test. As per the documentation, the authentication rate should also reflect that, but the real numbers are nowhere close to this. # openssl speed -engine dataplane rsa2048 engine "dataplane" set. Doing 2048 bit private rsa's for 10s: 1125 2048 bit private RSA's in 7.76s Doing 2048 bit public rsa's for 10s: 2027 2048 bit public RSA's in 9.89s OpenSSL 0.9.8p 16 Nov 2010 built on: date options:bn(64,32) md2(int) rc4(ptr,char) des(idx,cisc,16,long) aes(partial) idea(int) blowfish(ptr) compiler: CFLAGS available timing options: TIMES TIMEB HZ=100 [sysconf value] timing function used: times sign verify sign/s verify/s rsa 2048 bits 0.006898s 0.004879s 145.0 205.0 Anurag -----Original Message----- From: Verma Anurag-VNF673 Sent: Friday, December 17, 2010 4:54 PM To: 'FreeRadius developers mailing list' Subject: RE: Performance issue with Freeradius (2.1.7) running Veriwave Alan,
On the same machine? Or on completely different hardware? Good point. It was on a different machine. Let me check the configuration.
Do you know *why* they failed? That question might be interesting to answer.
How do I find that. Running radiusd -X in debug mode slows it down. Is there anyway I can debug this further?
Since you haven't said *anything* about your system, I have no idea. I am not sure if I can disclose that, but the point is that I see the same performance number when done with Microsoft AAA server for a single authentication request. I forgot to mentioned that earlier.
Well... your CPU is really not powerful enough to do RSA. Don't blame FreeRADIUS. Use a faster CPU.
Well, the CPU is not doing it, RSA calculation is offloaded to hardware. So, not sure how faster CPU will help. Anurag
Verma Anurag-VNF673 wrote:
Just to give you an idea of RSA calculation in h/w, this is what I get when I run openssl speed test. As per the documentation, the authentication rate should also reflect that, but the real numbers are nowhere close to this. ... sign verify sign/s verify/s rsa 2048 bits 0.006898s 0.004879s 145.0 205.0
OK. It should be able to do ~70 EAP authentications/s, due to added network latencies. If it doesn't do that, you edited the default config, and broke it. Start with the default install. Use the test certificates. Put ONE username && password in the "users" file. Do performance tests. You'll get ~70 authentications/s. Alan DeKok.
On 2010-12-17, at 4:39 AM, Verma Anurag-VNF673 wrote: The test runs for 30 sec. The auth rate was 9 auth/sec. The same test when ran against Microsoft AAA server gives 25 auth/sec. You're doing something wrong for sure, I can easily process thousands of requests every second. There is a lot of parameters that you haven't given us and you just told us that you aren't even using the same setup for both tests. Either way I doubt this is a conversation for the developers mailing list. -Gabe
Dear FreeRadius Developers, Can multiple radius clients on the same server send request to Freeradius? I ask this question because they may be producing the same UniqueId in the packages. I believe that, if freeradius use check ip+unique id combination to identify packages from specific BRAS, it will cause problem. Othwise, there should not be any issue. Regards, Murat Ozturk
participants (5)
-
Alan DeKok -
Gabriel Blanchard -
Murat Öztürk -
Toledo, Luis Carlos -
Verma Anurag-VNF673