eap authentication and cpu utilization
Simple authentication with login/password can be handled in large numbers with a recent cpu and freeradius. . EAP authentication on the other hand requires a great amount of cpu processing. Therefore I have a simple(?) question: Did someone already calcute the theoretically maximum number of eap authentications per second, that a recent x86 cpu is able to handle? Or did someone some practical research on that issue? Norbert Wegener
Norbert Wegener wrote:
Simple authentication with login/password can be handled in large numbers with a recent cpu and freeradius. . EAP authentication on the other hand requires a great amount of cpu processing.
It's all in the SSL rsa keying setup.
Therefore I have a simple(?) question: Did someone already calcute the theoretically maximum number of eap authentications per second, that a recent x86 cpu is able to handle?
$ openssl speed Or $ openssl speed rsa http://www.madboa.com/geek/openssl/#benchmark-speed For 2048 bit rsa keys, the web page gives 77 signs/s for a 2GHz Intel Core 2. My 1GHz laptop gives around 20/s. That number becomes the limiting factor for any TLS-based EAP method. It doesn't matter if the rest of the server can handle 5k PAP requests/s. If it can only do 77 rsa signings/s, that is the maximum number of EAP-TLS/TTLS/PEAP sessions that it can do. Alan DeKok.
Alan DeKok wrote:
.. $ openssl speed
Or
$ openssl speed rsa
http://www.madboa.com/geek/openssl/#benchmark-speed
For 2048 bit rsa keys, the web page gives 77 signs/s for a 2GHz Intel Core 2. My 1GHz laptop gives around 20/s.
That number becomes the limiting factor for any TLS-based EAP method. It doesn't matter if the rest of the server can handle 5k PAP requests/s. If it can only do 77 rsa signings/s, that is the maximum number of EAP-TLS/TTLS/PEAP sessions that it can do.
Fine, that openssl switch has been new to me. Do you also have experience in how many percent of that theoretic value can be reached in practise with a database backend on the same machine where beside freeradius and the database nothing else is running? Norbert Wegener
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Norbert Wegener wrote:
Do you also have experience in how many percent of that theoretic value can be reached in practise with a database backend on the same machine where beside freeradius and the database nothing else is running?
I don't have hard numbers, unfortunately. It also depends on the number, and kind of queries the server does for each request. If you do a simplistic analysis, you could assume that the two processes are simply stealing CPU time from each other. If I recall my numerical analysis courses... E = # of EAP requests/s (say 30 on a normal machine) Q = # of SQL qeuries/s (likely 1000 un-cached on a normal machine) Assuming one SQL query per EAP transaction, we have 'E' SQL queries/s. So E/Q = 3% of CPU time is being used for SQL. That is stolen directly from EAP requests, so there is 97% CPU time left, or .97*30 = 29 EAP transactions/s as a theoretical maximum. Realistically, there is a lot more overhead than this. But I would be surprised if it lowered the maximum number of EAP sessions by more than 10-20%. Alan DeKok.
-------- Original-Nachricht --------
Datum: Wed, 13 Feb 2008 19:04:25 +0100 Von: Norbert Wegener <norbert.wegener@siemens.com> An: FreeRadius users mailing list <freeradius-users@lists.freeradius.org> Betreff: Re: eap authentication and cpu utilization
Alan DeKok wrote:
.. $ openssl speed
Or
$ openssl speed rsa
http://www.madboa.com/geek/openssl/#benchmark-speed
For 2048 bit rsa keys, the web page gives 77 signs/s for a 2GHz Intel Core 2. My 1GHz laptop gives around 20/s.
That number becomes the limiting factor for any TLS-based EAP method. It doesn't matter if the rest of the server can handle 5k PAP requests/s. If it can only do 77 rsa signings/s, that is the maximum number of EAP-TLS/TTLS/PEAP sessions that it can do.
Fine, that openssl switch has been new to me. Do you also have experience in how many percent of that theoretic value can be reached in practise with a database backend on the same machine where beside freeradius and the database nothing else is running?
Norbert Wegener
Alan DeKok. -
I don't know if it is helpful: As i mentioned in the other mailing-thread, i tried some kind of stress-test with freeradius and eap-tls. the freeradius-server is running on a virtual-machine (vmware-workstation) and the virtual suse linux server has about 300 mb ram and one cpu-core (intel xeon with 2.4 ghz (i think :-) ). i also installed a mysql-database and tried some tests with 4 simultaneous scripts on another server, that did eap-tls authentication requests. with my configuration, the freeradius-server can handle about 300 to 400 eap-tls-authentication-request per minute. the cpu load is about 30 - 35 %. Maybe this is helpful for you. :-) Sebastian -- Psst! Geheimtipp: Online Games kostenlos spielen bei den GMX Free Games! http://games.entertainment.web.de/de/entertainment/games/free
Sebastian Heil wrote:
with my configuration, the freeradius-server can handle about 300 to 400 eap-tls-authentication-request per minute. the cpu load is about 30 - 35 %.
That's less than 10/s. I think that the virtual server is running at a clock rate of about 800MHz, maybe less. There's some overhead/delay involved in RADIUS and EAP. But it shouldn't drop the performance by 80%. Alan DeKok.
Just for information: I made some tests on different machines. Around 60% of the theoretical maximum was the best value I got. The behaviour was heavy influenced by the parameters in the "thread pool" section and num_sql_socks, as I have a database backend. Norbert Wegener Alan DeKok wrote:
Sebastian Heil wrote:
with my configuration, the freeradius-server can handle about 300 to 400 eap-tls-authentication-request per minute. the cpu load is about 30 - 35 %.
That's less than 10/s. I think that the virtual server is running at a clock rate of about 800MHz, maybe less.
There's some overhead/delay involved in RADIUS and EAP. But it shouldn't drop the performance by 80%.
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Norbert Wegener wrote:
Just for information: I made some tests on different machines. Around 60% of the theoretical maximum was the best value I got. The behaviour was heavy influenced by the parameters in the "thread pool" section and num_sql_socks, as I have a database backend.
Yes. The interaction effects are strong. If there are fewer SQL sockets than threads, then the threads will block waiting for an SQL socket to become ready. At that point, performance drops significantly. I would be curious to know how many PAP authentications/s you can do with that database back-end. Knowing the 3 numbers will help scope interaction effects. e.g. OpenSSL says: S rsa/a PAP says: P requests/s EAP testing says: E requests/s You say E < S, but E << P, too... Alan DeKok.
Alan DeKok schrieb:
Norbert Wegener wrote:
Just for information: I made some tests on different machines. Around 60% of the theoretical maximum was the best value I got. The behaviour was heavy influenced by the parameters in the "thread pool" section and num_sql_socks, as I have a database backend.
Yes. The interaction effects are strong. If there are fewer SQL sockets than threads, then the threads will block waiting for an SQL socket to become ready. At that point, performance drops significantly.
I would be curious to know how many PAP authentications/s you can do with that database back-end. Knowing the 3 numbers will help scope interaction effects.
e.g. OpenSSL says: S rsa/a PAP says: P requests/s EAP testing says: E requests/s
You say E < S, but E << P, too...
Tuning all parameters in mysql/freeradius that I know of and that seemed to make sense, the maximum number of pap requests is about twice the number of rsa signatures. The bottleneck here seems to be mysql. radius used about 20% of the cpu, mysql about 80%. Norbert Wegener
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
participants (3)
-
Alan DeKok -
Norbert Wegener -
Sebastian Heil