How many NAS can radius take?
Michael Schwartzkopff
ms at sys4.de
Thu Feb 13 11:14:35 CET 2014
On Thursday, 13 February 2014, 11:03:36, Anja Ruckdaeschel wrote:
> Hi there!
>
> Having some performance trouble at our campus site with lots of "Discarding
> Duplicate request" errors.
>
> Our setup is freeradius 2.2.0 with ldap and sql; Intel Xeon CPU E5630
> 2.53GHz 2CPUs with 8 Core (hyperthreading enabled), 24 GB RAM
>
> sql is only used to determine the replied VLAN-ID from a very small read
> only table by a local mysql instance, so no performance or connection
> issues here (we do not do accounting into the db or anything like that).
> ldap works fast.
> And there are no messages from rlm_ldap or rlm_sql which indicate trouble
> with sql or ldap connections
>
> So we kind of sorted out the "classic causes" for slowing down radius ....
>
>
> If our people move over the campus with ~3.000 smartphones with activated
> wifi, request numbers increase when they enter new wi-fi cells and trouble
> begins:
> There is barely an auth ok or incorrect in the log but lots of discarding
> duplicates messages and cpu load is going up to 120 and a higher number of
> messages like
>
> Tue Feb 11 18:22:37 2014 : Error: rlm_eap: No EAP session matching the State
> variable.
>
> appears in the log.
>
> I can see that there are a few messages like
>
> Tue Feb 11 09:26:50 2014 : Info: WARNING: Module rlm_preprocess became
> unblocked for request 241193
>
> and
>
> Tue Feb 11 09:26:51 2014 : Info: WARNING: Module rlm_eap became unblocked
> for request 241193
>
> at the time when the problem appears. Can this point to the preprocess
> module where it gets "slow", with eap getting blocked as a consequence of a
> blocked preprocess module? We have a lot of NAS in our environment: there
> are over 2200 NAS in total in clients.conf, which are 350 heavily used
> WLAN access points (auth only, no acct) and switches which do an
> administrative login only every 5 min, and ~ 10 VPN controllers.
>
> Having so many NAS, preprocess has to do a max of 2200 expansions like
>
> Fri Feb 7 15:41:16 2014 : Debug: [preprocess] expand: %{Client-IP-Address}
> -> x.x.x.x
>
> in order to determine the allowed client. That is ~26.400 checks for
> preprocess in one peap/mschap request for example (~12 request-packets x
> NAS).
>
> Is there some kind of "recommended maximum number of NAS" for one instance of
> freeradius?
>
>
> Here is our thread_pool and request config:
>
> max_request_time = 120
> cleanup_delay = 5
> #256 x NAS (By the way: "This should be 256 multiplied by the number of
> clients. # e.g. With 4 clients, this number should be 1024. " Is client in
> this context supplicant or NAS?)
>
> max_requests = 563200
>
> thread pool {
> start_servers = 5
> max_servers = 128
> min_spare_servers = 3
> max_spare_servers = 128
> # max_queue_size = 65536
> max_requests_per_server = 0
> }
>
>
> Thanks for your help
> Kind regards Anja
Impressive numbers.
Do you have any kind of monitoring to measure the numbers
- requests / sec
- concurrent active requests
- medium time to answer a request?
--
Kind regards,
Michael Schwartzkopff
--
[*] sys4 AG
http://sys4.de, +49 (89) 30 90 46 64, +49 (162) 165 0044
Franziskanerstraße 15, 81669 München
Registered office: München, Amtsgericht München: HRB 199263
Executive board: Patrick Ben Koetter, Marc Schiffbauer
Chairman of the supervisory board: Florian Kirstein
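
A first rough measurement can come from radius.log itself. The following is an added example, not part of the original thread and not FreeRADIUS code: it buckets the messages quoted above per minute and flags minutes in which discarded duplicates outnumber finished authentications. The sample lines, client names and that comparison rule are assumptions.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample in the radius.log layout quoted in the thread; client
# names, users, ports and request ids are made up for illustration.
SAMPLE_LOG = """\
Tue Feb 11 18:21:05 2014 : Auth: Login OK: [alice] (from client ap-017 port 0)
Tue Feb 11 18:21:40 2014 : Auth: Login incorrect: [bob] (from client ap-017 port 0)
Tue Feb 11 18:21:52 2014 : Auth: Login OK: [carol] (from client ap-102 port 0)
Tue Feb 11 18:22:03 2014 : Error: Discarding duplicate request from client ap-017 port 1645 - ID: 12 due to unfinished request 241190
Tue Feb 11 18:22:09 2014 : Error: Discarding duplicate request from client ap-102 port 1645 - ID: 40 due to unfinished request 241191
Tue Feb 11 18:22:31 2014 : Error: Discarding duplicate request from client ap-017 port 1645 - ID: 13 due to unfinished request 241192
Tue Feb 11 18:22:37 2014 : Error: rlm_eap: No EAP session matching the State variable.
Tue Feb 11 18:22:50 2014 : Info: WARNING: Module rlm_eap became unblocked for request 241193
Tue Feb 11 18:22:58 2014 : Auth: Login OK: [dave] (from client ap-102 port 0)
"""

# Timestamp up to the minute, then the year, then the message text.
LINE_RE = re.compile(r"^(\w{3} \w{3} +\d{1,2} \d\d:\d\d):\d\d (\d{4}) : (.*)$")
PATTERNS = {
    "duplicate": re.compile(r"discarding duplicate request", re.I),
    "eap_state": re.compile(r"No EAP session matching the State variable"),
    "unblocked": re.compile(r"Module \S+ became unblocked"),
    "login_ok": re.compile(r"Login OK"),
    "login_bad": re.compile(r"Login incorrect"),
}

def per_minute(log_text):
    """Return {minute: Counter(category -> count)} for the known messages."""
    buckets = defaultdict(Counter)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # wrapped continuation or unrelated line
        stamp = " ".join(f"{m.group(1)} {m.group(2)}".split())
        minute = datetime.strptime(stamp, "%a %b %d %H:%M %Y")
        for name, pat in PATTERNS.items():
            if pat.search(m.group(3)):
                buckets[minute][name] += 1
    return dict(buckets)

def overloaded_minutes(buckets):
    """Minutes with more discarded duplicates than finished authentications.
    The comparison is an assumed rule of thumb, not a FreeRADIUS threshold."""
    return sorted(t for t, c in buckets.items()
                  if c["duplicate"] > c["login_ok"] + c["login_bad"])

if __name__ == "__main__":
    for minute, counts in sorted(per_minute(SAMPLE_LOG).items()):
        print(minute.strftime("%Y-%m-%d %H:%M"), dict(counts))
    print("overloaded:", overloaded_minutes(per_minute(SAMPLE_LOG)))
```

The Login OK and Login incorrect lines are only written when `auth = yes` is set in the `log` section of radiusd.conf. The log gives event rates only; answer times and concurrent requests need a separate measurement.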