How many NAS kann radius take?

Anja Ruckdaeschel Anja.Ruckdaeschel at rz.uni-regensburg.de
Thu Feb 13 11:03:36 CET 2014 

Hi there!

Having some performance trouble at our campus site with lots of "Discarding Duplicate request" errors.

Our setup is freeradius 2.2.0 with ldap and sql.  ; Intel Xeon CPU E5630 2.53GHz 2CPUs with 8 Core (hyperthreading enabled), 24 GB RAM

sql is only used to determine the replied VLAN-ID from a very small read only table by a local  mysql instance, so
no performance or connection issues here (we do not do accounting into the db or anything like that).
ldap works fast.
And there are no messages from rlm_ldap or rlm_sql which indicate trouble with
sql or ldap connections

So we kind of sorted out the "classic causes" for slowing down radius ....


If our people move over the campus with ~3.000 smartphones with actvated wifi, request numbers increase when they enter
new wi-fi cells and trouble begins: 
There is barely an auth ok or incorrect in the log but lots of discarding duplicates messages 
and cpu load is going up to 120 and a higher number of messages like 

Tue Feb 11 18:22:37 2014 : Error: rlm_eap: No EAP session matching the State variable.

appears in the log.

I can see that there are a few messages like

Tue Feb 11 09:26:50 2014 : Info: WARNING: Module rlm_preprocess became unblocked for request 241193

and

Tue Feb 11 09:26:51 2014 : Info: WARNING: Module rlm_eap became unblocked for request 241193

at the time when the problem appears. Can this point to the preprocess module where it gets "slow", with eap getting blocked as a consequence of a blocked preprocess module?
We have a lot of NAS in our environment: there are over 2200 NAS in total in clients.conf, which are  350 heavily used WLAN access points (auth only, no acct)
and switches which do a administrative login only every 5 min, and ~ 10 VPN controllers.

As having so many NAS, preprocess has to do a max of 2200 expansion like 

Fri Feb  7 15:41:16 2014 : Debug: [preprocess]  expand: %{Client-IP-Address} -> x.x.x.x

in order to determine the allowed client. That are ~26.400 checks for preprocess in one peap/mschap 
request for example (~12 request-packtes x NAS).

Is there some kind of "recommened maximum number of NAS" for one instance of freeradius?


Here is our thread_pool and request config:

max_request_time = 120
cleanup_delay = 5
#256 x NAS (By the way: "This should be 256 multiplied by the number of clients.
#  e.g. With 4 clients, this number should be 1024. " Is client in this contenxt supplicant or NAS?)

max_requests = 563200 

thread pool {
        start_servers = 5
        max_servers = 128
       min_spare_servers = 3
        max_spare_servers = 128
       #       max_queue_size = 65536
       max_requests_per_server = 0
 }


Thanks for your help
Kind regards Anja

More information about the Freeradius-Users mailing list