Antw: Re: How many NAS kann radius take?
Anja Ruckdaeschel
Anja.Ruckdaeschel at rz.uni-regensburg.de
Thu Feb 13 18:03:17 CET 2014
Following multiple tracks to fi xthe problem ...
We are not using samba or pam or ntlm_auth. we have eDirectory ldap.
We have no load balancers in the game.
We use 2 to 3 different ldap serves for one radius servers with balancing over
a DNS round robin, no load-balance or failover over radius config.
So the ldap guys can change the round robin to their needs when doing updates
etc. without editing radius config files.
Tests with exact one ldap server showed no differences. Ldap response times
went e.g. from 0.1 s to 0.2 s when the problem appears, but then we do a lot
more ldap queries, too.
So I think, that´s quite normal.?
Here are our authentication methods:
PAP with or without ldap for switches, routers and dial-in servers (cisco, hp,
max ascend) and for Juniper VPN controllers (only those devices do accounting)
CHAP PAP with or without ldap for switches and routers (cisco, hp)
For Wi-Fi: PEAP/MSCHAPv2 and EAP/TTLS-PAP with 350 lancom aps and 1 Colubris
Controller with does 2 different SSIDs with ldap for our users at home and
those proxied in via the eduroam-project,
for which we are service provider and identity provider
90% of our radius requests are coming in over Wi-Fi.
ldap, sql and so on are only called in inner-tunnel (3 Packets)
I think we have quite a default config, but with a few modules commented out
(e.g. unix, radutmp, ... we don´t need) and a few policies in place to reduce
unnecessary stuff like querying ldap or sql
in default, when its peap.
Short eap timeouts on client devices and sleep mode increased our radius
requests for the last two years. There are single users doing up to ~ 1500
login requests per day from one device.
But there is nothing we can do about that :-(
"Some NASes e.g. Cisco lightweight wireless use a single UDP source port, so
at most 256 requests can be in-flight at any given time" could be our problem
to because our lancom access points do the same.
Does this mean that when one NAS is sending more than 256 Access-Requests from
one port freeradius cannot process one more at that time from this NAS?
Thanks Anja
>>> Phil Mayers <p.mayers at imperial.ac.uk> 13.02.2014 12:03 >>>
On 13/02/14 10:14, Michael Schwartzkopff wrote:
>> If our people move over the campus with ~3.000 smartphones with actvated
>> wifi, request numbers increase when they enter new wi-fi cells and trouble
>> begins:
>> There is barely an auth ok or incorrect in the log but lots of discarding
>> duplicates messages and cpu load is going up to 120 and a higher number of
>> messages like
Yes, lots of people have run into this in the last year or so.
Are you using Samba + ntlm_auth?
The underlying reasons are uncertain, and I'm not sure anyone has a
complete understanding, but relevant issues are:
1. Samba sites:
* Older versions of Samba with scale limits
* AD RPC pipe is, by design, synchronous and head-of-line blocking,
so 1 slow/failed auth will block everyone else
* Slow AD controllers can trigger the above too
4. Very short EAP timeouts on newer client devices
5. Some NASes e.g. Cisco lightweight wireless use a single UDP source
port, so at most 256 requests can be in-flight at any given time
6. Newer client devices staying on the wireless in sleep mode
7. Lack of fast roaming
8. Exhaustion of the thread pool in FreeRADIUS when
samba/ldap/whatever slows down
...and more.
If you can give a bit more detail about how you are doing your
authentication, I can suggest some pointers. There's a bunch of
discussion on the list around October time.
Probably most relevant, if you are using Samba:
1. Upgrade to 2.2.3, which has a configurable, sensible timeout for
ntlm_auth
2. Upgrade to Samba 3.6.x and set "winbind max domain connections = 12"
3. Ensure your AD controllers are responding in a timely fashion by
starting a long-running tcpdump ring-buffer capture and post-processing
it with tshark to extract MS-RPC PDU IDs & response times. I can give
more info on this if you need.
-
List info/subscribe/unsubscribe? See
http://www.freeradius.org/list/users.html
More information about the Freeradius-Users
mailing list