I've been seeing some unexplained failures to authenticate 802.1X clients when my system is under heavier load, and I suspect that I don't have enough threads running. For reference, I currently have four servers in a load balanced group with identical configs. Thread settings are these: max_servers = 32 min_spare_servers = 3 max_spare_servers = 10 max_requests_per_server = 0 We have about 14,500 wireless clients at peak times, though that number will climb, I'm sure. Is there a rule of thumb that will tell me how many threads I should have (max_servers)? Also, I suspect that there have been authentication failures due to all threads on a server being busy. Is there a good way to confirm that? I've poked around in the radiusd logs a bit, but haven't found much, other than the odd "Login failed" with no reason given. (For "normal" failures, there are two messages, one of which has a cause like "bad password" or "account locked out" or some such thing.) Advice is welcome. --J
McNutt, Justin M. wrote:
I've been seeing some unexplained failures to authenticate 802.1X clients when my system is under heavier load, and I suspect that I don't have enough threads running. For reference, I currently have four servers in a load balanced group with identical configs.
I hope you're doing load-balancing that is aware of EAP.
Thread settings are these:
max_servers = 32 min_spare_servers = 3 max_spare_servers = 10 max_requests_per_server = 0
That should usually be OK.
We have about 14,500 wireless clients at peak times, though that number will climb, I'm sure.
i.e. about 3.5K per RADIUS server. Unless the session timeouts are 2 minutes, that should be fine.
Is there a rule of thumb that will tell me how many threads I should have (max_servers)?
Not really. As an FYI, I know of a large accounting system which was running 400 threads 12 years ago. :) *That* is a busy system.
Also, I suspect that there have been authentication failures due to all threads on a server being busy. Is there a good way to confirm that?
The server won't log a message, unfortunately.
I've poked around in the radiusd logs a bit, but haven't found much, other than the odd "Login failed" with no reason given. (For "normal" failures, there are two messages, one of which has a cause like "bad password" or "account locked out" or some such thing.)
Increasing the number of threads might help. It won't hurt. Alan DeKok.
Hi,
max_servers = 32 min_spare_servers = 3 max_spare_servers = 10 max_requests_per_server = 0
we run up to 64 threads - keeping 32 as minimum. whats your EAP method used (I'm going to guess its EAP-PEAP/MSCHAPv2 and you are using ntlm_auth for the authentication? if so, there can be issues there due to the nature of that part of the system.... disk bound socket etc - and you may want to ensure you remove DNS as a bottleneck if doing KDC stuff - put entries into /etc/hosts (unfortuntately you cant put round robin entries into /etc/hosts). Using Cisco wireless? (not sure about other vendors..but Cisco issue is that ALL requests come from the same NAS port...which means you can only deal with 255 in-flight authentications without things going rather wonky - we've talked to them about this as its really not right) alan
participants (3)
-
A.L.M.Buxey@lboro.ac.uk -
Alan DeKok -
McNutt, Justin M.