Dear Alan! Thank you for your reply. Changed max_request_time back to 30. modules/preprocess is unchanged default config and I did not change default or inner-tunnel at that point of authorize section either.... First thing I do with a huntgroup is to call a policy based on if (Huntgroup-Name == "bla") after eap { ok = return } in authorize. #RUAADD: rzur.radiusrejectcheckdefault Every nas has an entry in an include file for clients.conf like: client 172.31.134.10 { secret = *************** shortname = blafasel nastype = other } and an entry per NAS in an include file for huntrgoups like: ap Client-IP-Address == x.x.x.x ap NAS-IP-Address == x.x.x.x the clients.conf and huntgroups file only have one additional line: the include statement for my files. PS: no samba, no AD, no ntlm_auth, no load balancers Kind regards Anja
Alan DeKok <aland@deployingradius.com> 13.02.2014 15:18 >>> Anja Ruckdaeschel wrote: Having some performance trouble at our campus site with lots of "Discarding Duplicate request" errors.
Our setup is freeradius 2.2.0 with ldap and sql. ; Intel Xeon CPU E5630 2.53GHz 2CPUs with 8 Core (hyperthreading enabled), 24 GB RAM
That should be enough for many, many, EAP users. I've done testing with 500K clients, loaded from the "clients.conf" file. The server uses a lot of RAM, but it works. And performance isn't really different than with using one client.
If our people move over the campus with ~3.000 smartphones with actvated wifi, request numbers increase when they enter new wi-fi cells and trouble begins: There is barely an auth ok or incorrect in the log but lots of discarding duplicates messages and cpu load is going up to 120 and a higher number of messages like
Tue Feb 11 18:22:37 2014 : Error: rlm_eap: No EAP session matching the State variable.
The EAP sessions are timing out.
Tue Feb 11 09:26:50 2014 : Info: WARNING: Module rlm_preprocess became unblocked for request 241193
That's just weird. The preprocess module doesn't do much, so it shouldn't block for any perod of time.
and
Tue Feb 11 09:26:51 2014 : Info: WARNING: Module rlm_eap became unblocked for request 241193
Same here. The EAP module does SSL, but that's fairly quick for new CPUs.
We have a lot of NAS in our environment: there are over 2200 NAS in total in clients.conf, which are 350 heavily used WLAN access points (auth only, no acct) and switches which do a administrative login only every 5 min, and ~ 10 VPN controllers.
That won't cause a problem.
As having so many NAS, preprocess has to do a max of 2200 expansion like
Fri Feb 7 15:41:16 2014 : Debug: [preprocess] expand: %{Client-IP-Address} -> x.x.x.x
in order to determine the allowed client. That are ~26.400 checks for preprocess in one peap/mschap request for example (~12 request-packtes x NAS).
That will cause a problem. The "preprocess" module is intended for small sites. If you're going to do 2200 expansions with it, you're likely using it incorrectly. You should probably put these rules into a database, and do one SQL query. It will be MUCH faster. And why are you doing these expansions for every packet? What is the preprocess module doing? Odds are that you could do the same thing as one SQL query in the post-auth section, or in the inner-tunnel. That would speed up the system a LOT.
Is there some kind of "recommened maximum number of NAS" for one instance of freeradius?
Here is our thread_pool and request config:
max_request_time = 120
That's useless. Most NASes will give up after about 30s. All you're doing is wasting CPU time by setting this to 120.
cleanup_delay = 5 #256 x NAS (By the way: "This should be 256 multiplied by the number of clients. # e.g. With 4 clients, this number should be 1024. " Is client in this contenxt supplicant or NAS?)
It's the NAS. Please post a short description of what you're doing with the preprocess module. Doing 2200 %{Client-IP-Address} expansions is very, very, wrong. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html