FreeRADIUS + 802.1X wireless rollout questions
Alan DeKok
aland at deployingradius.com
Sat Apr 19 08:01:07 CEST 2008
Walter Gould wrote:
> Here's where my concerns lie - I am concerned about how many
> simultaneous authentication requests that a single Freeradius server can
> handle. I have read the "Testimonials" and the "Why we're #1" pages on
> the freeradius site - which says there are numerous sites using
> freeradius to support more than 10,000 or 20,000 users.
And, sites with 15,000,000 users.
> Our school
> currently has around 21,000 students on our campus. Of that 21,000 -
> there is usually around 1000 users logged into our wireless network at
> any given time, however, that number continually increases.
The authentication load on the server is relatively easy to calculate.
If you have N users on, each with an average session time of S seconds,
the load on the system will be N/S.
e.g. 1K users, 20 minute session time (1200s) is about 1 auth/s. That
is very little load...
With EAP, there are multiple packets per user authentication, and SSL
setup overhead. See raddb/certs/README. Interaction with Active
Directory adds even more overhead.
But a 2GHz machine should be fine. As was pointed out, you'll need a
second machine for failover before the first one is at all busy.
> Questions:
> 1. Do any of you have feedback/thoughts/experience on how our freeradius
> server may handle the auth. request load given our situation?
>
> 2. Do you think that we may need to tweak any of the settings in the
> radiusd.conf file (max_requests, max_request_time, etc)?
The default configuration should be pretty much fine.
> 3. Any other advice/suggestions you have or think of would be welcome
> and appreciated.
Test the system to prove for yourself that the above numbers are true.
Use "eapol_test" from "wpa_supplicant" on client machines to hammer the
server with test authentications. That will give you a *measured*
number for server performance.
Alan DeKok.
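
A harness for the measurement suggested in the reply above, as an added example that is not part of the original message or of FreeRADIUS: it runs eapol_test concurrently and compares the measured authentications per second with the N/S demand. The config file name, server address and shared secret are placeholders, and it assumes eapol_test exits with status 0 on a successful authentication.

```python
import subprocess
import sys
import time
from concurrent.futures import ThreadPoolExecutor


def required_rate(users, session_seconds):
    """Authentication demand from the thread's N/S estimate, in auth/s."""
    return users / session_seconds


def eapol_cmd(conf, server, secret, port=1812, timeout=10):
    # eapol_test flags: -c config, -a server IP, -p port, -s secret, -t timeout (s)
    return ["eapol_test", "-c", conf, "-a", server, "-p", str(port),
            "-s", secret, "-t", str(timeout)]


def run_once(cmd, timeout):
    """Run one authentication; return (succeeded, seconds taken)."""
    start = time.monotonic()
    try:
        # Assumption: exit status 0 means the authentication succeeded.
        done = subprocess.run(cmd, stdout=subprocess.DEVNULL,
                              stderr=subprocess.DEVNULL, timeout=timeout)
        ok = done.returncode == 0
    except (subprocess.TimeoutExpired, OSError):
        ok = False  # hung client or missing binary counts as a failure
    return ok, time.monotonic() - start


def measure(cmd, total=200, workers=20, timeout=30):
    """Run `total` authentications, `workers` at a time, and summarise."""
    start = time.monotonic()
    with ThreadPoolExecutor(max_workers=workers) as pool:
        results = list(pool.map(lambda _: run_once(cmd, timeout), range(total)))
    elapsed = time.monotonic() - start
    good = sorted(t for ok, t in results if ok)
    return {"ok": len(good), "failed": total - len(good),
            "auth_per_s": len(good) / elapsed if elapsed > 0 else 0.0,
            "p95_s": good[int(0.95 * (len(good) - 1))] if good else None}


if __name__ == "__main__":
    # Constructed lab values: peap.conf, 192.0.2.10 and testing123 are placeholders.
    stats = measure(eapol_cmd("peap.conf", "192.0.2.10", "testing123"))
    need = required_rate(1000, 1200)  # 1K users, 1200 s sessions, from the thread
    print(stats, "demand: %.2f auth/s" % need)
    sys.exit(0 if stats["failed"] == 0 and stats["auth_per_s"] >= need else 1)
```

Run it from several client machines at once and add up the rates; a single client host can run out of CPU for TLS before the server does.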