On Dec 20, 2019, at 1:28 PM, Munroe Sollog <mus3@lehigh.edu> wrote:
I would like to replace the windows NPS service with freeradius. Freeradius provides a lot better visibility and control than the Microsoft NPS service. However, doing some very rudimentary performance analysis and my freeradius server is ~4-5times slower than the Microsoft NPS service.
No.
My wireless controllers provide a "test your radius server" command and it outputs the response time. I am testing using a known bad username and password against both radius servers. According to the wireless controller the MS NPS returns a result in ~3ms, while Freeradius returns a response in ~1000ms.
See radiusd.conf, and the "reject_delay" parameter. The server delays rejects in order to prevent brute-force attacks. This isn't about the server being slow. It's about the sever being *secure*.
The NPS server I am benchmarking is in production and under load while the freeradius server I am testing is not.
Below is the output of freeradius -X as well as an example query. If anyone sees anything that might explain the ~300% performance difference, I'd appreciate it.
1000 / 3 = 300, or 30,000%. :)
security { max_attributes = 200 reject_delay = 1.000000
Read the comments in the default configuration around "reject_delay".
(0) Login incorrect: [foo/<via Auth-Type = mschap>] (from client aruba port 0 cli 0.0.0.0) (0) Delaying response for 1.000000 seconds
See? The debug output tells you *exactly* what it's doing. Please read it. You can set "reject_delay = 0", but it's not generally recommended. The wireless control should also use Status-Server for "test your RADIUS server" checks: https://tools.ietf.org/html/rfc5997 I published that standard a decade ago. It's high time vendors read it, and implemented it. Alan DeKok.