recommendations for max_servers

Alan DeKok aland at
Wed Sep 24 23:45:49 CEST 2014

John Douglass wrote:
> I agree, EAP-PEAP-MSCHAPv2 isn't great. But for 100% of our
> WPA-Enterprise clients, they all support EAP-PEAP-MSCHAPv2 natively.
> With central authentication (passwords) for 30k users, having an
> additional password or an additional password store is not ideal.

  Having a password store that *works* is useful.

> If we agree that AD (EAP-PEAP-MSCHAPv2) is far from ideal, what other
> EAP types (outside of EAP-PEAP-TLS) do you recommend for end user
> authentication that is supported by native Windows, iOS, Android, and
> OSX clients?

  The issue isn't really the EAP type.  It's that Active Directory is
being mean to you.

  Most modern systems support TTLS.  That will work better.  But XP
doesn't support it.

> I imagine if there were a better option with similar properties and ties
> to central authentication, then we would all flock to it.

  If there were a system to pull passwords out of Active Directory, you
could set up a "cron" job once a day to do that.  Then for
authentication, do:

	if (ldap says password was reset today) {
		do ntlm_auth
	}
	else {
		use the cached passwords
	}

  For the few users who change their passwords, ntlm_auth is fine.  For
everyone else, they use a real database.  It would be MUCH faster, and a
LOT more stable than native Active Directory.

  Alan DeKok.
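The routing rule sketched above, as an added example that is not FreeRADIUS code and not part of the original message. It assumes the nightly export job records the UTC time at which it snapshotted credentials from Active Directory, and that the per-user `pwdLastSet` attribute (a Windows FILETIME: 100-nanosecond ticks since 1601-01-01 UTC) is fetched from LDAP. It generalizes the post's "reset today" test to "reset since the snapshot", so a job that runs at a different hour, or misses a run, does not route a user to a stale cached credential. The function names and the sample user list are constructed for this illustration.

```python
"""Decide whether a user can be authenticated from the nightly credential
cache or must go to live Active Directory via ntlm_auth.

Added example; the FILETIME handling matches the Active Directory format,
the function names and sample data are assumptions for this illustration.
"""
from datetime import datetime, timedelta, timezone

# Windows FILETIME epoch, 1601-01-01 00:00:00 UTC.
_FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(filetime):
    """Convert an AD FILETIME integer (100 ns ticks) to an aware UTC datetime."""
    return _FILETIME_EPOCH + timedelta(microseconds=filetime // 10)


def datetime_to_filetime(dt):
    """Inverse of filetime_to_datetime; integer arithmetic, so it is exact."""
    micros = (dt - _FILETIME_EPOCH) // timedelta(microseconds=1)
    return micros * 10


def choose_auth_backend(pwd_last_set, cache_snapshot):
    """Return 'ntlm_auth' (live AD) or 'cache' (nightly export).

    pwd_last_set   : pwdLastSet from LDAP as an int FILETIME; 0 means
                     "must change password at next logon", None means the
                     attribute could not be read.
    cache_snapshot : aware UTC datetime when the export job ran.
    """
    # 0 or missing: the cached entry cannot be trusted for this account.
    if not pwd_last_set:
        return "ntlm_auth"
    changed_at = filetime_to_datetime(pwd_last_set)
    # Password changed at or after the export -> cached credential is stale.
    if changed_at >= cache_snapshot:
        return "ntlm_auth"
    return "cache"


def route_users(users, cache_snapshot):
    """Map each (username, pwdLastSet) pair to the backend that should serve it."""
    return {name: choose_auth_backend(pls, cache_snapshot) for name, pls in users}


if __name__ == "__main__":
    # Constructed sample: export ran at 02:00 UTC on the day of the post.
    snapshot = datetime(2014, 9, 24, 2, 0, tzinfo=timezone.utc)
    sample = [
        ("alice", datetime_to_filetime(datetime(2014, 8, 1, 12, 0, tzinfo=timezone.utc))),
        ("bob", datetime_to_filetime(datetime(2014, 9, 24, 9, 30, tzinfo=timezone.utc))),
        ("carol", 0),
    ]
    for user, backend in route_users(sample, snapshot).items():
        print(f"{user}: {backend}")
```

Two practical points follow from the code rather than from the post. First, the comparison is against the snapshot time, not "today", because a password changed between midnight and the export would otherwise be served from a cache that already contains the new value while a change after the export would be caught only by luck of the clock. Second, for PEAP-MSCHAPv2 the cached value has to be the NT hash, which is a password-equivalent credential; a cache of those needs the same access controls and monitoring as the directory it was pulled from.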
