freeradius -> AD performance
Alan DeKok
aland at deployingradius.com
Fri Dec 20 19:45:01 CET 2019
On Dec 20, 2019, at 1:28 PM, Munroe Sollog <mus3 at lehigh.edu> wrote:
>
> I would like to replace the windows NPS service with freeradius.
> Freeradius provides a lot better visibility and control than the Microsoft
> NPS service. However, doing some very rudimentary performance analysis and
> my freeradius server is ~4-5 times slower than the Microsoft NPS service.
No.
> My wireless controllers provide a "test your radius server" command and it
> outputs the response time. I am testing using a known bad username and
> password against both radius servers. According to the wireless controller
> the MS NPS returns a result in ~3ms, while Freeradius returns a response in
> ~1000ms.
See radiusd.conf, and the "reject_delay" parameter.
The server delays rejects in order to prevent brute-force attacks.
This isn't about the server being slow. It's about the server being *secure*.
> The NPS server I am benchmarking is in production and under load
> while the freeradius server I am testing is not.
>
> Below is the output of freeradius -X as well as an example query. If
> anyone sees anything that might explain the ~300% performance difference,
> I'd appreciate it.
1000 / 3 = 300, or 30,000%. :)
> security {
> max_attributes = 200
> reject_delay = 1.000000
Read the comments in the default configuration around "reject_delay".
> (0) Login incorrect: [foo/<via Auth-Type = mschap>] (from client aruba port
> 0 cli 0.0.0.0)
> (0) Delaying response for 1.000000 seconds
See? The debug output tells you *exactly* what it's doing. Please read it.
You can set "reject_delay = 0", but it's not generally recommended.
The wireless controller should also use Status-Server for "test your RADIUS server" checks:
https://tools.ietf.org/html/rfc5997
I published that standard a decade ago. It's high time vendors read it, and implemented it.
Alan DeKok.
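As an added illustration (not from the thread and not FreeRADIUS's own code): a Python sketch of the RFC 5997 Status-Server exchange referred to above, building the request with its mandatory Message-Authenticator and validating the Access-Accept a server returns on the auth port. The shared secret and identifier are assumed values, and the actual UDP send/receive is left out so it runs offline; because nothing is a failed login, reject_delay never applies, so this measures server responsiveness rather than the deliberate reject delay.

```python
import hashlib, hmac, os, struct

STATUS_SERVER, ACCESS_ACCEPT, MESSAGE_AUTHENTICATOR = 12, 2, 80

def _attr(atype, value):
    return struct.pack("BB", atype, len(value) + 2) + value

def _hmac_md5(secret, packet, authenticator, off):
    # RFC 2869: HMAC-MD5 (key = shared secret) over the packet with the Message-Authenticator
    # value zeroed; a response is keyed over the *request's* authenticator, hence the parameter.
    zeroed = packet[:4] + authenticator + packet[20:off] + bytes(16) + packet[off + 16:]
    return hmac.new(secret, zeroed, hashlib.md5).digest()

def _find_message_authenticator(packet):
    pos = 20  # attributes start after the 20-byte header
    while pos + 2 <= len(packet):
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2:
            return None  # malformed TLV: refuse rather than loop forever
        if atype == MESSAGE_AUTHENTICATOR and alen == 18:
            return pos + 2
        pos += alen
    return None

def build_status_server(secret, ident, authenticator=None):
    """Status-Server (code 12): no credentials, only a Message-Authenticator (RFC 5997)."""
    request_auth = authenticator or os.urandom(16)
    attrs = _attr(MESSAGE_AUTHENTICATOR, bytes(16))
    packet = struct.pack("!BBH", STATUS_SERVER, ident, 20 + len(attrs)) + request_auth + attrs
    return packet[:22] + _hmac_md5(secret, packet, request_auth, 22)

def verify_message_authenticator(secret, packet, authenticator):
    off = _find_message_authenticator(packet)
    if off is None:
        return False  # RFC 5997 makes the attribute mandatory; absence is a failure
    return hmac.compare_digest(_hmac_md5(secret, packet, authenticator, off), packet[off:off + 16])

def build_response(secret, request):
    """Access-Accept (code 2) answering a Status-Server sent to the auth port."""
    ident, request_auth = request[1], request[4:20]
    attrs = _attr(MESSAGE_AUTHENTICATOR, bytes(16))
    packet = struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(attrs)) + request_auth + attrs
    attrs = attrs[:2] + _hmac_md5(secret, packet, request_auth, 22)
    # RFC 2865 Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    response_auth = hashlib.md5(packet[:4] + request_auth + attrs + secret).digest()
    return packet[:4] + response_auth + attrs

def verify_response(secret, request, response):
    request_auth = request[4:20]
    expected = hashlib.md5(response[:4] + request_auth + response[20:] + secret).digest()
    return hmac.compare_digest(expected, response[4:20]) and verify_message_authenticator(secret, response, request_auth)
```

A controller doing this check gets a reply with no reject_delay in the path, so a slow answer here points at the server or the path to it, not at the configured brute-force delay.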