Hello John,
Thanks
you increased max_request = 16384 (so you have only 64 clients ?)
It's really mainly about handling peak connections. With 300 WAPs you probably won't go that high. I have about 500 aps/controller but we have 30k users online at once spread across maybe 20 controllers with multiple controllers on each radius server.you set winbind max domain connections = 12 (how do I know which value is right ) (we have around 300 clients (WAPs)
so I set the max_request= 300*256 (I use 256 the value which is in the radious.conf file)
winbind max clients = 1200 ( has anybody used this parameter ? is this mean how many winbind client can connect to AD ?
--cheersRando
On Thu, Oct 2, 2014 at 3:27 PM, John Douglass <john.douglass@oit.gatech.edu> wrote:
:) Rando,
There has been much discussion on this list about that problem. IF you are using Cisco WLC, there is a flaw in the way radius is processed which could lead to these log messages. Here is the previous set of threads that have some pointers as to what to look at.
Cisco WLCs use the same source port and the 8-bit ID that is used to track radius conversations during peak times, gets cycled so fast that it creates duplicates where there really shouldn't be. We are pushing Cisco hard to fix this flaw in their design especially since they are creating controllers with more and more capacity. The problem is only going to get worse.
I highly suggest you move to radius 2.2.5 and enable the ntlm_auth timeout and upgrade your samba to 3.6 where you can add some additional parameters. Here are some hints that Phil Huxley shared with us that have been helpful in making our services better. The issues haven't been handled 100%, and there are other things to consider like if using a Cisco WLC, enabling client exclusion, etc, etc but I don't have a ton of info on that as I just run the radius servers.
http://lists.freeradius.org/pipermail/freeradius-users/2014-September/073929.html
- John Douglass @ Georgia Tech
PS: I really need to write up a blog post about this :)
PSS: Yes we know AD is slow and it sucks as a backend but for a lot of us, it's what we have to deal with :)
On 10/02/2014 11:10 AM, Rando Nakarmi wrote:
I been seeing quite a large number of message like below logged in radius.log lately.Discarding duplicate request from client classroom98 port 32880 - ID: 131 due to unfinished request 241848
I read some thread, this might be the case when back-end server (i.e auth servers) are too slow to respond.
My back-end is AD, using ntlm_auth.radius version 2.1.12-4samba version 3.5.8-68
Any hints or suggestion how to resolve this would be very helpful.
Most of the users get authenticated ( I don't think ntlm_auth is responding slow), I could not figure this out
--cheers,Rando
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html