Server instability

Nathan Hay nphay at cedarville.edu
Mon Sep 24 21:39:13 CEST 2007


I am a newbie, running 3 (for redundancy) FreeRadius servers (1.1.7) on
SUSE 10 SP1 (32-bit) to authenticate our wireless clients (PEAP
MSCHAPv2) to our eDirectory via LDAP.  We average 800-900 simultaneous
wireless clients (need to support a potential 4K in the future).
 
The setup works well and authenticates users very quickly, but every
couple days, the radiusd process will either blow up and start consuming
99% of the CPU or die altogether.  More often it blows up.  We had
stability problems initially, even when the process was running, so I
took everything out of the config that we didn't need and that seemed to
help.
 
Can anyone comment on our configuration and tell me if I'm doing
something wrong?  This is my first FreeRadius deployment and I don't
consider myself a Linux guru, let alone claim to know much about
Radius.
 
Thanks in advance,
 
Nathan Hay
Network Engineer
Cedarville University
 
# Installation layout. Every path below is derived from ${prefix}, so this
# server is installed entirely under /usr/local.
prefix = /usr/local
exec_prefix = ${prefix}
sysconfdir = ${prefix}/etc
localstatedir = ${prefix}/var
sbindir = ${exec_prefix}/sbin
# Server log directory, with the accounting detail files kept beneath it.
logdir = ${localstatedir}/log/radius
# raddb is the configuration directory (expands to /usr/local/etc/raddb).
# NOTE(review): this tree holds the LDAP bind password and, via clients.conf,
# the NAS shared secrets - keep it readable only by the account the daemon
# runs as.
raddbdir = ${sysconfdir}/raddb
radacctdir = ${logdir}/radacct
confdir = ${raddbdir}
run_dir = ${localstatedir}/run/radiusd
log_file = ${logdir}/radius.log
libdir = ${exec_prefix}/lib
pidfile = ${run_dir}/radiusd.pid
 
# Account the daemon runs as. A dedicated unprivileged user and group limits
# what a misbehaving or compromised radiusd process can reach.
user = radiusd
group = radiusd
 
# Maximum time, in seconds, the server spends handling one request.
max_request_time = 30
# "no": a request that overruns max_request_time is not forcibly deleted.
# The stock 1.1.x comments recommend "no" when running with a thread pool.
delete_blocked_requests = no
# Seconds a sent reply is kept so that a retransmitted request can be
# answered from it.
cleanup_delay = 5
# Upper bound on the number of requests the server tracks at once.
# NOTE(review): the stock guidance is roughly 256 x the number of RADIUS
# clients (NAS devices), not the number of end users. 512000 corresponds to
# 2000 clients - confirm against the real NAS count.
max_requests = 512000
 
# "*" listens on every local address.
# NOTE(review): on a multi-homed host, binding only to the address the
# access points or controllers use reduces exposure of the RADIUS ports.
bind_address = *
# 0 means "take the port number from /etc/services".
port = 0
 
# Log client IP addresses rather than resolving names; avoids blocking on DNS.
hostname_lookups = no
# NOTE(review): with core dumps disabled, a process that dies leaves nothing
# to analyse. If this is enabled temporarily for debugging, treat the core
# files as sensitive: process memory can contain shared secrets, the LDAP
# bind password and user credentials.
allow_core_dumps = no
# Normally set by the build; the stock config advises leaving these alone.
regular_expressions     = yes
extended_expressions    = yes
log_stripped_names = yes
# No per-request authentication logging at all.
# NOTE(review): log_auth = yes (with the two password options left at "no")
# would give an audit trail of accept/reject decisions without writing
# passwords to disk - useful when correlating load with the CPU spikes.
log_auth = no
# Keeping both of these at "no" prevents passwords from being written to
# radius.log.
log_auth_badpass = no
log_auth_goodpass = no
 
usercollide = no
 
# User names and passwords are passed through unmodified (no lower-casing).
lower_user = no
lower_pass = no
 
# No whitespace stripping of user names or passwords.
nospace_user = no
nospace_pass = no
 
# Helper program used for simultaneous-use checks.
checkrad = ${sbindir}/checkrad
 
# Packet-level hardening knobs.
security {
        # Requests carrying more than this many attributes are dropped.
        max_attributes = 200
        # Hold each Access-Reject for one second before sending it; this
        # slows password guessing and reject floods.
        reject_delay = 1
        # Do not answer Status-Server requests.
        status_server = no
}
 
# This server authenticates locally and never proxies to another RADIUS server.
proxy_requests  = no
# Client (NAS) definitions live in a separate file.
# NOTE(review): clients.conf is not shown in this post; it holds the shared
# secrets and should have the same restrictive permissions as this file.
$INCLUDE  ${confdir}/clients.conf
snmp    = no
 
# Worker thread pool: 16 threads at start-up, growing to at most 64, with
# between 8 and 16 idle threads kept spare.
thread pool {
 
        start_servers = 16
        max_servers = 64
        min_spare_servers = 8
        max_spare_servers = 16
        # 0 = worker threads are never recycled.
        # NOTE(review): the stock comments suggest a non-zero value (for
        # example 300) when leaks or resource problems are suspected, so that
        # threads are restarted periodically.
        max_requests_per_server = 0
}
 
# Module instances used by the authorize/authenticate/post-auth sections.
modules {
 
# EAP (PEAP) settings are kept in a separate file that is not shown here.
$INCLUDE ${confdir}/eap.conf
 
        # MS-CHAP / MS-CHAPv2 handling for the PEAP inner method.
        mschap {
                authtype = MS-CHAP
                # Return MPPE keys; with require_encryption and
                # require_strong the policy asks for 128-bit encryption.
                use_mppe = yes
                require_encryption = yes
                require_strong = yes
        }
 
        # eDirectory lookup over LDAP (server, identity, password and base DN
        # were redacted by the poster).
        ldap {
                server = "XXX"
                # Service account used for the search bind.
                # NOTE(review): because password_attribute below retrieves
                # users' passwords, this account is highly privileged. Scope
                # its rights narrowly and protect the cleartext password
                # stored on the next line with file permissions.
                identity = "cn=XXX,o=XXX"
                password = XXX
                basedn = "o=XXX"
                # Search by cn, preferring the realm-stripped name when set.
                # NOTE(review): the user-supplied name is expanded into the
                # filter; rlm_ldap is expected to escape LDAP filter
                # metacharacters here - worth confirming for 1.1.7.
                filter = "(cn=%{Stripped-User-Name:-%{User-Name}})"
                base_filter = "(objectclass=radiusprofile)"
                # StartTLS with mandatory certificate verification
                # ("demand"). This matters here because user passwords cross
                # this connection.
                start_tls = yes
                tls_cacertfile  = /usr/local/etc/raddb/certs/ldap.cer
                tls_cacertdir           = /usr/local/etc/raddb/certs/
                tls_require_cert        = "demand"
                dictionary_mapping = ${raddbdir}/ldap.attrmap
                # Number of LDAP connections kept open by this module.
                # NOTE(review): this is 10 while the thread pool allows up to
                # 64 workers; presumably workers contend for these
                # connections under load - confirm whether this lines up with
                # the CPU spikes.
                ldap_connections_number = 10
                # eDirectory Universal Password attribute. MS-CHAPv2 cannot
                # be verified by an LDAP bind, so the server has to obtain
                # the password itself.
                password_attribute = nspmPassword
                edir_account_policy_check=no
                # Seconds to wait for an LDAP query to complete.
                timeout = 4
                # Seconds the directory server is given to process a query.
                timelimit = 3
                # Seconds to wait for a network-level response.
                # NOTE(review): one second is tight; a briefly slow directory
                # server will surface as lookup failures - confirm this is
                # intentional.
                net_timeout = 1
        }
}
# Per-request preparation, run in order: mschap notices MS-CHAP attributes,
# eap handles EAP-Message, and ldap looks the user up in eDirectory and
# fetches the configured password attribute.
authorize {
        mschap
        eap
        ldap
}
# Credential verification, selected by the Auth-Type chosen during authorize.
authenticate {
        Auth-Type MS-CHAP {
                mschap
        }
        # LDAP bind authentication.
        # NOTE(review): a bind needs the user's cleartext password in the
        # request, which PEAP/MSCHAPv2 clients do not send, so this branch is
        # presumably never taken for the wireless clients described - confirm
        # before keeping it.
        Auth-Type LDAP {
                ldap
        }
        eap
}
# Runs ldap after every accept, and again for rejects.
# NOTE(review): in the stock 1.1.x config these ldap post-auth calls are
# tied to edir_account_policy_check = yes; the ldap module above sets it to
# "no", so they may be doing nothing useful - confirm and remove if so.
post-auth {
        ldap
        Post-Auth-Type REJECT {
                ldap
        }
}
 