On Sep 15, 2016, at 9:57 AM, Dave Aldwinckle <daldwinc@uwaterloo.ca> wrote:
During periods of high load, we are seeing many messages like the following:
radiusd[28187]: rlm_eap: No EAP session matching the State variable.
I understand the meaning of the message, but I need some assistance on how to go about locating the source of the problem.
If it's high load, the problem is starvation. Either the CPU is overloaded, or the back-end is overloaded.
During peak times, we have about 8K wireless logins per minute, for extended periods. We have 6 wireless controllers, from which the Access-Requests are sent. Due to the high load, I am unable to run the server with -X, because it gets crushed while running single threaded. I can use radmin, but I'm not sure what to set the debug condition to.
I don't see any errors about child processes being hung, or winbind/ntlm_auth taking too long.
Yeah, ntlm_auth typically maxes out at 100 to 200 authentications per second. That's likely the problem.
$ openssl speed rsa2048 Doing 2048 bit private rsa's for 10s: 5263 2048 bit private RSA's in 10.01s Doing 2048 bit public rsa's for 10s: 176233 2048 bit public RSA's in 10.00s
The server should be able to do 1000 or more EAP authentications per second.
So, a couple questions:
1. Is there a way to get more info along with the message "rlm_eap: No EAP session matching the State variable." ? - eg. Which NAS it came from, calling-station-id, etc.
The NAS information is in the other attributes. You can look at the post-auth-type Reject to log things.
2. Are the aforementioned values OK?
They're fine. Alan DeKok.