Hello Yan,
when it happens, it's more ntlm_auth that takes time to answer, and behind
ntlm_auth it's the Active Directory that is not able to handle so many
requests.
Take a look at the ntlm_auth response graph.
The thing you can do is to enable nthash caching in PacketFence; in this
case pf will fetch the nthash key from the AD and push it into the cache.
With this solution there is no need to call ntlm_auth on each 802.1x
request.
Regards
Fabrice
On 2017-12-24 at 23:01, Yan wrote:
Hi users,
There's an availability concern about the PF FreeRADIUS module that I
need to confirm. Hope you can help.
We deployed PF v7.3 on CentOS 7 in our office. For the wireless
connection, we use 802.1x auth and configured PF as the AAA server and
AD as the actual authentication source.
Last week when we deployed it in one of our new offices, both PF and AD
worked well at first. Then at about 11:30 there was a network
instability from the core switch, and that might have caused all device
clients to disconnect from the wireless SSID. When the network was
restored, it seemed PF couldn't handle all the auth requests and kept
responding with a reject to all the requests.
When I checked the radius.log, I found it kept recording "*_No EAP
session matching state xxxxxx_*" and then "_*Too many open sessions.
Try increasing "max_sessions" in the EAP module configuration*_" errors.
Now our network team blamed it on our PF system, since the wireless
became normal after they switched the AAA server to the old Cisco ACS.
I know the root cause is network instability, but I don't know if PF
really had nothing to do with the issue, as I saw the errors below.
*Could you please confirm what the errors below mean and whether they
would cause an availability issue?*
Dec 18 11:45:01 pf-wensi auth[591]: (300735) Login incorrect:
[sunnyli] (from client 172.26.2.251 port 0 cli f4:5c:89:c2:83:bb)
Dec 18 11:45:01 pf-wensi auth[591]: [mac:b4:0b:44:70:14:bb] Rejected
user: ziweezhang
Dec 18 11:45:01 pf-wensi auth[591]: rlm_sql (sql): Opening additional
connection (6131), 1 of 62 pending slots used
Dec 18 11:45:01 pf-wensi auth[591]: Need 1 more connections to reach
min connections (3)
Dec 18 11:45:01 pf-wensi auth[591]: (300731) Login incorrect:
[ziweezhang] (from client 172.26.2.251 port 0 cli b4:0b:44:70:14:bb)
_*Dec 18 11:45:01 pf-wensi auth[591]: rlm_eap (EAP): Too many open
sessions. Try increasing "max_sessions" in the EAP module configuration*_
Dec 18 11:45:00 pf-wensi auth[591]: [mac:f8:59:71:94:f7:dd] Rejected
user: garcyli
Dec 18 11:45:00 pf-wensi auth[591]: (300707) Login incorrect:
[shiyuzhu] (from client 172.26.2.251 port 0 cli 8c:85:90:63:b2:dd)
Dec 18 11:45:00 pf-wensi auth[591]: [mac:cc:b8:a8:5d:e7:dd] Rejected
user: xiabo
Dec 18 11:45:00 pf-wensi auth[591]: (300703) Login incorrect: [xiabo]
(from client 172.26.2.251 port 0 cli cc:b8:a8:5d:e7:dd)
Dec 18 11:45:00 pf-wensi auth[591]: [mac:dc:2b:2a:13:6b:aa] Rejected
user: siriliu
Dec 18 11:45:00 pf-wensi auth[591]: rlm_sql (sql): Opening additional
connection (6130), 1 of 63 pending slots used
Dec 18 11:45:00 pf-wensi auth[591]: Need 2 more connections to reach
min connections (3)
Dec 18 11:45:00 pf-wensi auth[591]: rlm_sql (sql): Opening additional
connection (6129), 1 of 64 pending slots used
Dec 18 11:45:00 pf-wensi auth[591]: rlm_sql (sql): Closing connection
(6126): Hit idle_timeout, was idle for 706 seconds
Dec 18 11:45:00 pf-wensi auth[591]: rlm_sql (sql): Closing connection
(6127): Hit idle_timeout, was idle for 711 seconds
Dec 18 11:45:00 pf-wensi auth[591]: rlm_sql (sql): Closing connection
(6125): Hit idle_timeout, was idle for 711 seconds
Dec 18 11:45:00 pf-wensi auth[591]: rlm_sql (sql): Closing connection
(6120): Hit idle_timeout, was idle for 713 seconds
Dec 18 11:45:00 pf-wensi auth[591]: rlm_sql (sql): Closing connection
(6092): Hit idle_timeout, was idle for 737 seconds
Dec 18 11:45:00 pf-wensi auth[591]: rlm_sql (sql): Closing connection
(6110): Hit idle_timeout, was idle for 738 seconds
Dec 18 11:45:00 pf-wensi auth[591]: rlm_sql (sql): Closing connection
(6123): Hit idle_timeout, was idle for 738 seconds
Dec 18 11:45:00 pf-wensi auth[591]: rlm_sql (sql): Closing connection
(6124): Hit idle_timeout, was idle for 739 seconds
Dec 18 11:45:00 pf-wensi auth[591]: rlm_sql (sql): Closing connection
(6128): Hit idle_timeout, was idle for 740 seconds
Dec 18 11:45:00 pf-wensi auth[591]: rlm_sql (sql): Closing connection
(6095): Hit idle_timeout, was idle for 741 seconds
Dec 18 11:45:00 pf-wensi auth[591]: (300699) Login incorrect:
[siriliu] (from client 172.26.2.251 port 0 cli dc:2b:2a:13:6b:aa)
Dec 18 11:45:00 pf-wensi auth[591]: rlm_eap (EAP): Too many open
sessions. Try increasing "max_sessions" in the EAP module configuration
...
...
...
*_Dec 18 11:33:25 pf-wensi auth[591]: (280571) eap: ERROR: rlm_eap
(EAP): No EAP session matching state 0x481e9673481a8f7a_*
Dec 18 11:33:24 pf-wensi auth[591]: [mac:98:01:a7:00:96:ff] Rejected
user: skylv
Dec 18 11:33:24 pf-wensi auth[591]: (280566) eap: ERROR: rlm_eap
(EAP): No EAP session matching state 0x6a9c26bb6f9b3fab
Dec 18 11:33:24 pf-wensi auth[591]: (280566) Login incorrect (eap:
rlm_eap (EAP): No EAP session matching state 0x6a9c26bb6f9b3fab):
[skylv] (from client 172.26.2.251 port 0 cli 98:01:a7:00:96:ff)
Dec 18 11:33:24 pf-wensi auth[591]: (280566) eap: ERROR: rlm_eap
(EAP): No EAP session matching state 0x6a9c26bb6f9b3fab
Dec 18 11:33:24 pf-wensi auth[591]: [mac:dc:a9:03:91:cc:ff] Rejected
user: lilyliu
Dec 18 11:33:24 pf-wensi auth[591]: (280565) eap: ERROR: rlm_eap
(EAP): No EAP session matching state 0x883e7f4b8b3b6661
Dec 18 11:33:24 pf-wensi auth[591]: (280565) Login incorrect (eap:
rlm_eap (EAP): No EAP session matching state 0x883e7f4b8b3b6661):
[lilyliu] (from client 172.26.2.251 port 0 cli dc:a9:03:91:cc:ff)
Dec 18 11:33:24 pf-wensi auth[591]: (280565) eap: ERROR: rlm_eap
(EAP): No EAP session matching state 0x883e7f4b8b3b6661
Dec 18 11:33:24 pf-wensi auth[591]: [mac:f4:5c:89:96:ee:ff] Rejected
user: biubiuliu
Dec 18 11:33:24 pf-wensi auth[591]: (280562) eap: ERROR: rlm_eap
(EAP): No EAP session matching state 0x773b673f743e7e67
Dec 18 11:33:24 pf-wensi auth[591]: (280562) Login incorrect (eap:
rlm_eap (EAP): No EAP session matching state 0x773b673f743e7e67):
[biubiuliu] (from client 172.26.2.251 port 0 cli f4:5c:89:96:ee:ff)
Dec 18 11:33:24 pf-wensi auth[591]: (280562) eap: ERROR: rlm_eap
(EAP): No EAP session matching state 0x773b673f743e7e67
Dec 18 11:33:15 pf-wensi auth[591]: (280530) Login OK: [windge] (from
client 172.26.2.251 port 0 cli ac:bc:31:94:54:aa)
Dec 18 11:33:15 pf-wensi auth[591]: [mac:ac:bc:31:94:54:aa] Accepted
user: and returned VLAN
_______________________________________________
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users
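
One way to triage a radius.log excerpt like the one quoted in this thread, as an added example that is not part of the original messages or of PacketFence: it rejoins the hard-wrapped lines, classifies each record once, and reports the minutes in which rlm_eap's session list was full while rejects were being sent. The host name, user names, addresses and function names are constructed for illustration.

```python
import re
from collections import Counter, defaultdict

# Constructed sample (hypothetical host, users, addresses) in the thread's
# radius.log format, with the mail client's hard wraps and "_*" emphasis marks.
SAMPLE = """\
Dec 18 11:33:15 pf-example auth[591]: (100) Login OK: [user1] (from
client 192.0.2.10 port 0 cli 02:00:00:00:00:01)
Dec 18 11:33:24 pf-example auth[591]: (101) eap: ERROR: rlm_eap
(EAP): No EAP session matching state 0x0011223344556677
Dec 18 11:33:24 pf-example auth[591]: (101) Login incorrect (eap:
rlm_eap (EAP): No EAP session matching state 0x0011223344556677):
[user2] (from client 192.0.2.10 port 0 cli 02:00:00:00:00:02)
_*Dec 18 11:45:00 pf-example auth[591]: rlm_eap (EAP): Too many open
sessions. Try increasing "max_sessions" in the EAP module configuration*_
Dec 18 11:45:01 pf-example auth[591]: (102) Login incorrect:
[user3] (from client 192.0.2.10 port 0 cli 02:00:00:00:00:03)
"""

START = re.compile(r"^([A-Z][a-z]{2} [ \d]\d \d\d:\d\d):\d\d \S+ auth\[\d+\]: (.*)$")
# First match wins, so a reject that quotes the EAP error is counted once.
EVENTS = [
    ("login_ok", re.compile(r"\) Login OK:")),
    ("login_incorrect", re.compile(r"\) Login incorrect")),
    ("eap_table_full", re.compile(r"Too many open sessions")),
    ("eap_state_lost", re.compile(r"No EAP session matching state")),
]

def records(text):  # rejoin wrapped lines into [minute, message] records
    out = []
    for raw in text.splitlines():
        line = raw.strip().strip("*_")
        m = START.match(line)
        if m:
            out.append([m.group(1), m.group(2)])
        elif out and line.strip("."):  # continuation; skip "..." elision lines
            out[-1][1] += " " + line
    return out

def per_minute(text):  # event counts keyed by "Mon DD HH:MM"
    counts = defaultdict(Counter)
    for minute, msg in records(text):
        name = next((n for n, p in EVENTS if p.search(msg)), None)
        if name:
            counts[minute][name] += 1
    return counts

def saturated_minutes(text):  # session list full while rejects were sent
    return [m for m, c in per_minute(text).items()
            if c["eap_table_full"] and c["login_incorrect"]]
```

Minutes are returned in the order they appear in the input, so a newest-first log such as the one above yields newest-first results.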