recommendations for max_servers

John Douglass john.douglass at
Wed Sep 24 20:51:05 CEST 2014


As Alan said re: AD authentication:
>    Yes.  Your ntlm_auth process is taking too long, and is destroying
> FreeRADIUS.  I can't be any clearer about that.
>    No amount of poking FreeRADIUS will make ntlm_auth run faster.  And
> making ntlm_auth run faster is the ONLY solution to the problem.
>    I've said it before, and I'll say it again.  Using Active Directory is
> a terrible decision for almost everyone.  It's slow, awkward, unstable, etc.
>    FreeRADIUS can do 50K+ authentications per second from the "users"
> file.  So there is no way the problem is caused by FreeRADIUS.
I agree, EAP-PEAP-MSCHAPv2 isn't great. But for 100% of our 
WPA-Enterprise clients, they all support EAP-PEAP-MSCHAPv2 natively. 
With central authentication (passwords) for 30k users, having an 
additional password or an additional password store is not ideal.

We do not want to have to go to digital certificates just yet as there 
is a good bit of support overhead and management we just cannot provide 
at this time.

If we agree that AD (EAP-PEAP-MSCHAPv2) is far from ideal, what other 
EAP types (outside of EAP-PEAP-TLS) do you recommend for end user 
authentication that is supported by native Windows, iOS, Android, and 
OSX clients?

I imagine if there were a better option with similar properties and ties 
to central authentication, then we would all flock to it.

- John Douglass, Sr. Systems Engineer

More information about the Freeradius-Users mailing list