Antw: Re: How many NAS kann radius take?

Anja Ruckdaeschel Anja.Ruckdaeschel at
Thu Feb 13 17:30:07 CET 2014

Dear Alan!

Thank you for your reply.

Changed max_request_time back to 30.

modules/preprocess is unchanged default config and I did not change default or inner-tunnel at that point of authorize section either....
First thing I do with a huntgroup is to call a policy based on  if (Huntgroup-Name == "bla") after   eap { ok = return } in authorize.


Every nas has an entry in an include file for clients.conf like:
client {
        secret = ***************
        shortname = blafasel
        nastype = other

and an entry per NAS in an include file for huntrgoups like:

ap Client-IP-Address == x.x.x.x
ap NAS-IP-Address == x.x.x.x

the clients.conf and huntgroups file only have one additional line: the include statement for my files.

PS: no samba, no AD, no ntlm_auth, no load balancers

Kind regards Anja

>>> Alan DeKok <aland at> 13.02.2014 15:18 >>>
Anja Ruckdaeschel wrote:
> Having some performance trouble at our campus site with lots of "Discarding Duplicate request" errors.
> Our setup is freeradius 2.2.0 with ldap and sql.  ; Intel Xeon CPU E5630 2.53GHz 2CPUs with 8 Core (hyperthreading enabled), 24 GB RAM

  That should be enough for many, many, EAP users.

  I've done testing with 500K clients, loaded from the "clients.conf"
file.  The server uses a lot of RAM, but it works.  And performance
isn't really different than with using one client.

> If our people move over the campus with ~3.000 smartphones with actvated wifi, request numbers increase when they enter
> new wi-fi cells and trouble begins: 
> There is barely an auth ok or incorrect in the log but lots of discarding duplicates messages 
> and cpu load is going up to 120 and a higher number of messages like 
> Tue Feb 11 18:22:37 2014 : Error: rlm_eap: No EAP session matching the State variable.

  The EAP sessions are timing out.

> Tue Feb 11 09:26:50 2014 : Info: WARNING: Module rlm_preprocess became unblocked for request 241193

  That's just weird.  The preprocess module doesn't do much, so it
shouldn't block for any perod of time.

> and
> Tue Feb 11 09:26:51 2014 : Info: WARNING: Module rlm_eap became unblocked for request 241193

  Same here.  The EAP module does SSL, but that's fairly quick for new CPUs.

> We have a lot of NAS in our environment: there are over 2200 NAS in total in clients.conf, which are  350 heavily used WLAN access points (auth only, no acct)
> and switches which do a administrative login only every 5 min, and ~ 10 VPN controllers.

  That won't cause a problem.

> As having so many NAS, preprocess has to do a max of 2200 expansion like 
> Fri Feb  7 15:41:16 2014 : Debug: [preprocess]  expand: %{Client-IP-Address} -> x.x.x.x
> in order to determine the allowed client. That are ~26.400 checks for preprocess in one peap/mschap 
> request for example (~12 request-packtes x NAS).

  That will cause a problem.  The "preprocess" module is intended for
small sites.  If you're going to do 2200 expansions with it, you're
likely using it incorrectly.

  You should probably put these rules into a database, and do one SQL
query.  It will be MUCH faster.

  And why are you doing these expansions for every packet?  What is the
preprocess module doing?

  Odds are that you could do the same thing as one SQL query in the
post-auth section, or in the inner-tunnel.  That would speed up the
system a LOT.

> Is there some kind of "recommened maximum number of NAS" for one instance of freeradius?
> Here is our thread_pool and request config:
> max_request_time = 120

  That's useless.  Most NASes will give up after about 30s.  All you're
doing is wasting CPU time by setting this to 120.

> cleanup_delay = 5
> #256 x NAS (By the way: "This should be 256 multiplied by the number of clients.
> #  e.g. With 4 clients, this number should be 1024. " Is client in this contenxt supplicant or NAS?)

  It's the NAS.

  Please post a short description of what you're doing with the
preprocess module.  Doing 2200 %{Client-IP-Address} expansions is very,
very, wrong.

  Alan DeKok.
List info/subscribe/unsubscribe? See

More information about the Freeradius-Users mailing list