FreeRadius Re-Authentication Latency

Alan DeKok aland at deployingradius.com
Fri Feb 16 17:40:01 CET 2018 

On Feb 16, 2018, at 9:56 AM, Smith, James <james.smith at saabsensis.com> wrote:
> I'm currently experiencing a latency issue with Siemens base stations and CPEs re-authenticating to our FreeRadius server running version 3.0.4. (I understand this version is a little old and should be updated. We will look into this in the new future) 

  There are lots of fixes... you should be able to upgrade to 3.0.16 without changing anything in your existing configuration.

> Attached is my log file after running FreeRadius in debug mode. CPE9 at siemens.com is the specific host I'd like to look at but all of our CPEs are experiencing the same issue. We use EAP-TTLS for authentication and it looks like it takes many sessions (167 from what I can tell by looking at the Access-Request ID) to actually complete the re-authentication process. The amount of sessions may vary for each CPE as they can take 2-10 minutes to actually authenticate. 

  Try using eapol_test for testing.  See http://deployingradius.com/ for instructions.

  If eapol_test works in ~1/10s (and it will), then the problem is elsewhere in the network.

  But a cheap AP and configure it to do RADIUS.  If users can authenticate to those systems in 1/10s (and I suspect they will), then the problem is definitely not FreeRADIUS.

  If that system also doesn't work, then the problem may be radio interference.  i.e. not the CPE and not FreeRADIUS.

  But if it does work, then your current equipment is garbage, and should be replaced with hardware that works.

> It starts on line 3546 and finally authenticates on line 18927. 

  It's possible to edit the debug output to show relevant information, instead of 20K lines of stuff..

> CPE (Suplicant) ----> NAS-Identifier = "BS" (Authenticator) ------> Radius Server 
> 
> Please let me know if you have any questions and/or if you think I have to tweak my configuration somewhere to speed this up. 

  There is nothing in the FreeRADIUS configuration which says "slow down authentication".

  All authentication attempts and retries are initiated by the end users system, and/or the CPE.  If FreeRADIUS responses to the packets quickly, then the problem isn't FreeRADIUS.

  Alan DeKok.

More information about the Freeradius-Users mailing list