FreeRadius Re-Authentication Latency
Smith, James
james.smith at saabsensis.com
Wed Feb 21 21:08:03 CET 2018
Okay thank you for the advice Alan.
I'll give eapol_test a try to see if that will improve performance.
Thanks,
James
-----Original Message-----
From: Freeradius-Users [mailto:freeradius-users-bounces+james.smith=saabsensis.com at lists.freeradius.org] On Behalf Of Alan DeKok
Sent: Friday, February 16, 2018 11:43 AM
To: FreeRadius users mailing list <freeradius-users at lists.freeradius.org>
Subject: Re: FreeRadius Re-Authentication Latency
On Feb 16, 2018, at 9:56 AM, Smith, James <james.smith at saabsensis.com> wrote:
> I'm currently experiencing a latency issue with Siemens base stations and CPEs re-authenticating to our FreeRadius server running version 3.0.4. (I understand this version is a little old and should be updated. We will look into this in the new future)
There are lots of fixes... you should be able to upgrade to 3.0.16 without changing anything in your existing configuration.
> Attached is my log file after running FreeRadius in debug mode. CPE9 at siemens.com is the specific host I'd like to look at but all of our CPEs are experiencing the same issue. We use EAP-TTLS for authentication and it looks like it takes many sessions (167 from what I can tell by looking at the Access-Request ID) to actually complete the re-authentication process. The amount of sessions may vary for each CPE as they can take 2-10 minutes to actually authenticate.
Try using eapol_test for testing. See http://deployingradius.com/ for instructions.
If eapol_test works in ~1/10s (and it will), then the problem is elsewhere in the network.
But a cheap AP and configure it to do RADIUS. If users can authenticate to those systems in 1/10s (and I suspect they will), then the problem is definitely not FreeRADIUS.
If that system also doesn't work, then the problem may be radio interference. i.e. not the CPE and not FreeRADIUS.
But if it does work, then your current equipment is garbage, and should be replaced with hardware that works.
> It starts on line 3546 and finally authenticates on line 18927.
It's possible to edit the debug output to show relevant information, instead of 20K lines of stuff..
> CPE (Suplicant) ----> NAS-Identifier = "BS" (Authenticator) ------> Radius Server
>
> Please let me know if you have any questions and/or if you think I have to tweak my configuration somewhere to speed this up.
There is nothing in the FreeRADIUS configuration which says "slow down authentication".
All authentication attempts and retries are initiated by the end users system, and/or the CPE. If FreeRADIUS responses to the packets quickly, then the problem isn't FreeRADIUS.
Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-
This message is intended only for the addressee and may contain information that is company confidential or privileged. Any technical data in this message may be exported only in accordance with the U.S. International Traffic in Arms Regulations (22 CFR Parts 120-130) or the Export Administration Regulations (15 CFR Parts 730-774). Unauthorized use is strictly prohibited and may be unlawful. If you are not the intended recipient, or the person responsible for delivering to the intended recipient, you should not read, copy, disclose or otherwise use this message. If you have received this email in error, please delete it, and advise the sender immediately.
-
More information about the Freeradius-Users
mailing list