All, As Alan said re: AD authentication:
Yes. Your ntlm_auth process is taking too long, and is destroying FreeRADIUS. I can't be any clearer about that.
No amount of poking FreeRADIUS will make ntlm_auth run faster. And making ntlm_auth run faster is the ONLY solution to the problem.
I've said it before, and I'll say it again. Using Active Directory is a terrible decision for almost everyone. It's slow, awkward, unstable, etc.
FreeRADIUS can do 50K+ authentications per second from the "users" file. So there is no way the problem is caused by FreeRADIUS.
I agree, EAP-PEAP-MSCHAPv2 isn't great. But for 100% of our WPA-Enterprise clients, they all support EAP-PEAP-MSCHAPv2 natively. With central authentication (passwords) for 30k users, having an additional password or an additional password store is not ideal. We do not want to have to go to digital certificates just yet as there is a good bit of support overhead and management we just cannot provide at this time. If we agree that AD (EAP-PEAP-MSCHAPv2) is far from ideal, what other EAP types (outside of EAP-PEAP-TLS) do you recommend for end user authentication that is supported by native Windows, iOS, Android, and OSX clients? I imagine if there were a better option with similar properties and ties to central authentication, then we would all flock to it. - John Douglass, Sr. Systems Engineer