Following multiple tracks to fi xthe problem ... We are not using samba or pam or ntlm_auth. we have eDirectory ldap. We have no load balancers in the game. We use 2 to 3 different ldap serves for one radius servers with balancing over a DNS round robin, no load-balance or failover over radius config. So the ldap guys can change the round robin to their needs when doing updates etc. without editing radius config files. Tests with exact one ldap server showed no differences. Ldap response times went e.g. from 0.1 s to 0.2 s when the problem appears, but then we do a lot more ldap queries, too. So I think, that´s quite normal.? Here are our authentication methods: PAP with or without ldap for switches, routers and dial-in servers (cisco, hp, max ascend) and for Juniper VPN controllers (only those devices do accounting) CHAP PAP with or without ldap for switches and routers (cisco, hp) For Wi-Fi: PEAP/MSCHAPv2 and EAP/TTLS-PAP with 350 lancom aps and 1 Colubris Controller with does 2 different SSIDs with ldap for our users at home and those proxied in via the eduroam-project, for which we are service provider and identity provider 90% of our radius requests are coming in over Wi-Fi. ldap, sql and so on are only called in inner-tunnel (3 Packets) I think we have quite a default config, but with a few modules commented out (e.g. unix, radutmp, ... we don´t need) and a few policies in place to reduce unnecessary stuff like querying ldap or sql in default, when its peap. Short eap timeouts on client devices and sleep mode increased our radius requests for the last two years. There are single users doing up to ~ 1500 login requests per day from one device. But there is nothing we can do about that :-( "Some NASes e.g. Cisco lightweight wireless use a single UDP source port, so at most 256 requests can be in-flight at any given time" could be our problem to because our lancom access points do the same. Does this mean that when one NAS is sending more than 256 Access-Requests from one port freeradius cannot process one more at that time from this NAS? Thanks Anja
Phil Mayers <p.mayers@imperial.ac.uk> 13.02.2014 12:03 >>> On 13/02/14 10:14, Michael Schwartzkopff wrote: If our people move over the campus with ~3.000 smartphones with actvated wifi, request numbers increase when they enter new wi-fi cells and trouble begins: There is barely an auth ok or incorrect in the log but lots of discarding duplicates messages and cpu load is going up to 120 and a higher number of messages like
Yes, lots of people have run into this in the last year or so. Are you using Samba + ntlm_auth? The underlying reasons are uncertain, and I'm not sure anyone has a complete understanding, but relevant issues are: 1. Samba sites: * Older versions of Samba with scale limits * AD RPC pipe is, by design, synchronous and head-of-line blocking, so 1 slow/failed auth will block everyone else * Slow AD controllers can trigger the above too 4. Very short EAP timeouts on newer client devices 5. Some NASes e.g. Cisco lightweight wireless use a single UDP source port, so at most 256 requests can be in-flight at any given time 6. Newer client devices staying on the wireless in sleep mode 7. Lack of fast roaming 8. Exhaustion of the thread pool in FreeRADIUS when samba/ldap/whatever slows down ...and more. If you can give a bit more detail about how you are doing your authentication, I can suggest some pointers. There's a bunch of discussion on the list around October time. Probably most relevant, if you are using Samba: 1. Upgrade to 2.2.3, which has a configurable, sensible timeout for ntlm_auth 2. Upgrade to Samba 3.6.x and set "winbind max domain connections = 12" 3. Ensure your AD controllers are responding in a timely fashion by starting a long-running tcpdump ring-buffer capture and post-processing it with tshark to extract MS-RPC PDU IDs & response times. I can give more info on this if you need. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html