Re: FreeRADIUS performance Issue
QASIM RAO wrote: > I am performing performance test on may RADIUS server and having a > problem in result... > > i am using java code for sending 100 concrent requests on my RADIUS > server in log i got some chunks taking so much time more than 3 seconds It's not a problem with FreeRADIUS. If you configure FreeRADIUS with only the "users" file, it can easily do 50K to 100K packets per second. > and also mysql is establishing too many connection arround 60 to 70 > connections... :( The problem is your database. Fix it. You probably don't have indexes, or something else is wrong. You've made FreeRADIUS depend on MySQL, and then made MySQL slow. So when FreeRADIUS can't do it's job, don't blame FreeRADIUS. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: FreeRADIUS performance information (tuning, benchmark)
On 24/07/12 14:10, alan buxey wrote: Hi, you could look at PGSQL optimization - ensure that the table has the right indexes and the table is in cache etc. Try this: convert your SQL users into a "users" text file, like so: usernameCleartext-Password := "password" ...and disable SQL, then re-run the test. I think it will perform a lot better. If so, then you know that the bottleneck is SQL, and that you should focus your efforts there. .the use 'fastusers' module instead. it'll scream along. if i dont get 5-figure auths from such a box i'd be disappointed. I thought the stock "files" module did the same thing now? - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: FreeRADIUS performance information (tuning, benchmark)
On 24/07/12 13:57, Arran Cudbard-Bell wrote: 1000 auths/sec is quite a lot. It implies you need to perform 1000 SQL queries/sec (at LEAST). I'm not sure this is accurate given the number of failed requests, i'd investigate that then re-run the tests. Ah, I didn't spot the "failed" count. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: FreeRADIUS performance information (tuning, benchmark)
Hi, >I would need a sever able to manage a much greater amount of users ( > >5, up to 100). But for now I'm interested how to get the server >working well with ~(5<->10) users. for what its worth, we deal with around 8000 users concurrently on an 802.1X connection (so all the EAP overheads etc) ...and the servers see around 10 auths/s soscaling this up, 100 auth/s would map to around 80k users... alan - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: FreeRADIUS performance information (tuning, benchmark)
Hi, you could look at PGSQL optimization - ensure that the table has the right indexes and the table is in cache etc. > Try this: convert your SQL users into a "users" text file, like so: > > username Cleartext-Password := "password" > > ...and disable SQL, then re-run the test. I think it will perform a > lot better. If so, then you know that the bottleneck is SQL, and > that you should focus your efforts there. .the use 'fastusers' module instead. it'll scream along. if i dont get 5-figure auths from such a box i'd be disappointed. > >What are the best recommended improvements that should be done? Would > >JRadius module help on improving performance? (I'm not familiar about > >JRadius). tweak your PGSQL, ensure you arent running any modules you dont need - eg the 'unix' module which will query /etc/passwd for every single request, ensure that no logging is blocking, ensure that accounting is buffered and not locking/blocking a thread, basically get the system in a working state and then tweak/optimise. alan - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: FreeRADIUS performance information (tuning, benchmark)
On Tue, Jul 24, 2012 at 01:49:27PM +0100, Phil Mayers wrote: > On 24/07/12 13:26, Andrei Petru Mura wrote: >> radperf -s -f ../users.csv -p 800 -a pap 10.3.1.1 auth radiussomething ... >> < 0.1s : 3758 >> < s: 5897 >> < 10s : 344 ... >> I would need a sever able to manage a much >> greater amount of users ( > 5, up to >> 100). > > The number of users isn't too important, I > suspect. Number of rows shouldn't matter much (O(log N)) for database. It may matter for radperf, but you don't need to have _all_ of your users in users.csv for this. > Try this: convert your SQL users into a "users" > text file, like so: > > username Cleartext-Password := "password" > > ...and disable SQL, then re-run the test. Exactly. I would have suggested to test without SQL overhead myself. Then you can compare the result to PostgreSQL (and probably, to other DBs, like MySQL, Oracle/DB2, bdb/gdbm etc if you like). -- With best regards, xrgtn signature.asc Description: Digital signature - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: FreeRADIUS performance information (tuning, benchmark)
On 24 Jul 2012, at 13:49, Phil Mayers wrote: > On 24/07/12 13:26, Andrei Petru Mura wrote: >> I'm running FreeRADIUS on a PC with a dual CPU of 2 GHz and 2 GB of RAM. >> It is working with PostgreSQL database. >> When I perform tests with radperf, running : >> >> radperf -s -f ../users.csv -p 800 -a pap 10.3.1.1 auth radiussomething >> >> where users.csv file contains 1 user names with password, I get this >> output: >> >> Total succeeded : 3811 >> Total failed : 6189 >> Total no reply: 0 >> Total time (s): 10.588 >> Packets/s : 944 >> Response times: >> < 10 usec : 0 >> < 100 usec : 0 >> < msec : 0 >> < 10 msec : 1 >> < 0.1s : 3758 >> < s: 5897 >> < 10s : 344 >> < 100s : 0 >> (the result is a good one taking in account the packets amount processed >> per second - related to more tests that I did). >> I would need a sever able to manage a much greater amount of users ( > >> 5, up to 100). But for now I'm interested how to get the server >> working well with ~(5<->10) users. > > The number of users isn't too important, I suspect. > > What matters is the authentication rate (number of auths/sec) and the > accounting rate (acct/sec). > > You also need to ensure your SQL database can reply sufficiently quickly. > This might depend on the number of users, since SQL query performance is a > complex mixture of table size, indexing and load. > > 1000 auths/sec is quite a lot. It implies you need to perform 1000 SQL > queries/sec (at LEAST). I'm not sure this is accurate given the number of failed requests, i'd investigate that then re-run the tests. -Arran - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: FreeRADIUS performance information (tuning, benchmark)
On 24/07/12 13:26, Andrei Petru Mura wrote: I'm running FreeRADIUS on a PC with a dual CPU of 2 GHz and 2 GB of RAM. It is working with PostgreSQL database. When I perform tests with radperf, running : radperf -s -f ../users.csv -p 800 -a pap 10.3.1.1 auth radiussomething where users.csv file contains 1 user names with password, I get this output: Total succeeded : 3811 Total failed : 6189 Total no reply: 0 Total time (s): 10.588 Packets/s : 944 Response times: < 10 usec : 0 < 100 usec : 0 < msec : 0 < 10 msec : 1 < 0.1s : 3758 < s: 5897 < 10s : 344 < 100s : 0 (the result is a good one taking in account the packets amount processed per second - related to more tests that I did). I would need a sever able to manage a much greater amount of users ( > 5, up to 100). But for now I'm interested how to get the server working well with ~(5<->10) users. The number of users isn't too important, I suspect. What matters is the authentication rate (number of auths/sec) and the accounting rate (acct/sec). You also need to ensure your SQL database can reply sufficiently quickly. This might depend on the number of users, since SQL query performance is a complex mixture of table size, indexing and load. 1000 auths/sec is quite a lot. It implies you need to perform 1000 SQL queries/sec (at LEAST). Try this: convert your SQL users into a "users" text file, like so: usernameCleartext-Password := "password" ...and disable SQL, then re-run the test. I think it will perform a lot better. If so, then you know that the bottleneck is SQL, and that you should focus your efforts there. What configuration do I need for this (I mean hardware configuration)? You should really have >1 server, for resilience if nothing else. If you are using SQL you will need fast disks, with a big cache. What are the best recommended improvements that should be done? Would JRadius module help on improving performance? (I'm not familiar about JRadius). I seriously doubt it. Why do you think JRadius would help? - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Freeradius performance problem
Giuseppe Marocchio wrote: > i have inherited the administration of a radius server, that > authenticate 900 PPPoE user on mikrotik box. > > i've noticed that there is some performance problem, mikrotik box show > that "last request RTT" in some cases is up to 1000ms, there is some > "resend" request and also some "timeouts", In order to mitigate the > problem i've disabled the interim update, and the timeouts are > drastically reduced. > But exists. A 386 should handle 900 users without a problem. > i' use mysql back-end, i've checked if there are slow queries but file > is empty. ( of course is enabled... ) Performance issues are almost always the DB. > the server is a dual core Xeon 3.0Ghz with 1 Gb of ram. > The SO is debian Linux stable, freeradius is 2.1.10 installed by > debian package. So it's not the RADIUS server which is the problem. That amount of CPU power is more than enough. > Any ideas? Fix the database. If you don't think it's the DB, configure a test server on the same machine which doesn't use the DB. It will handle 2000+ packets per second. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
RE: Freeradius Performance
There is a tool to test the maximum RADIUS requests per second your setup can handle. As for the max number of clients / NAS, that will be determined by the hardware of the NAS. As for what type of NAS ... do you really expect us to do your shopping for you? By bandwidth, I assume you mean RADIUS bandwidth. That will depend on the type of authentication and NAS used. But for 300 clients almost any user class broadband connection will suffice (in my opinion, others may know better) Please, if there is a language barrier here that is stopping you from posting sensible questions and supporting information, at least seek out an online translator so we may rake through broken English. Very few of us have time to attempt to decode your messages. Jake Sallee Godfather of Bandwidth System Engineer University of Mary Hardin-Baylor 900 College St. Belton, Texas 76513 Fone: 254-295-4658 Phax: 254-295-4221 From: freeradius-users-bounces+jake.sallee=umhb@lists.freeradius.org [mailto:freeradius-users-bounces+jake.sallee=umhb@lists.freeradius.org] On Behalf Of sekchel lee Sent: Monday, September 19, 2011 9:55 AM To: freeradius-users Subject: Freeradius Performance Freeradius Performance My computer Intel(R) Pentium(R) Dual CPU E2220 @ 2.40GHz RAM 2GB CentOS 5.5 NAS Client pptp and openvpn each NAS user 100 ~ 300 How many NAS Client ? The ? NAS How much bandwidth? - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: freeradius performance testing with seagull
Vladimir Romanov wrote: > Hi All! > I want test freeradius+mysql accounting interface performance with > seagull. My problem - I can't implement valid signature. I always get ... > Received Accounting-Request packet from 10.2.170.14 with invalid > signature! (Shared secret is incorrect.) Dropping packet without > response. > I try next scenario > . > Ask the Seagull people. FreeRADIUS implements the RFCs, and is inter-operable with every other RADIUS implementation. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Freeradius performance settings or bug?
Are you using "wtmp" i.e. "radlast". Don't. It's slow.
Here are some more snippets related to wtmp (from what I can tell):
unix {
cache = no
cache_reload = 600
radwtmp = ${logdir}/radwtmp
}
accounting {
detail
unix
radutmp
}
session {
radutmp
}
I'm guessing it won't harm anything to remove the radwtmp line from the
unix configuration. Correct? I suppose its also ok to remove unix and
radutmp from the accounting section?
If you're not using those, do indeed remove them. utmp/wtmp is slow to
update, especially if the files are large.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Freeradius performance settings or bug?
Phil Mayers wrote:
Jeremiah Millay wrote:
Hi,
I'm seeing some odd behavior running freeradius-1.1.7 in a freebsd
6.3 environment. I see a lot of these in the radius log:
Tue Apr 22 09:27:44 2008 : Error: Discarding duplicate request from
client arc3.wnskvtao.sover.net:1645 - ID: 208 due to unfinished
request 1267
Tue Apr 22 09:27:44 2008 : Error: Discarding duplicate request from
client arc3.wnskvtao.sover.net:1645 - ID: 209 due to unfinished
request 1268
as well as the cputime constantly increasing the longer I leave
radiusd running:
Well yes; the process runs, and accumulates CPU time.
Sorry, that was dumb of me.
What OS is this?
FreeBSD 6.3-p2 ( I applied a patch to p1 which fixed a bug in
libthread which seemed to help out cpu utilization significantly). Still
seeing these duplicate request errors however.
Looking at older messages posted to the list, I see Alan suggests
that the duplicate requests are related to radiusd not replying
quickly enough due to either having hostname lookups enabled or due
to sql backend slowness. I'm not using sql in my configuration and do
not have hostname lookups enabled.
Are you using "wtmp" i.e. "radlast". Don't. It's slow.
Here are some more snippets related to wtmp (from what I can tell):
unix {
cache = no
cache_reload = 600
radwtmp = ${logdir}/radwtmp
}
accounting {
detail
unix
radutmp
}
session {
radutmp
}
I'm guessing it won't harm anything to remove the radwtmp line from the
unix configuration. Correct? I suppose its also ok to remove unix and
radutmp from the accounting section?
Thanks so much for your suggestions. I think you are on to something!
Let me know if you want me to send you the whole config... (I'll need to
clean it up first).
Jeremiah
Here are some configuration snippets that may be relevant:
cleanup_delay = 2
max_requests = 10240
hostname_lookups = no
thread pool {
start_servers = 20
max_servers = 32
min_spare_servers = 3
max_spare_servers = 10
max_requests_per_server = 0
}
That looks OK as a first cut. What's the full config?
-
List info/subscribe/unsubscribe? See
http://www.freeradius.org/list/users.html
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Freeradius performance settings or bug?
Jeremiah Millay wrote:
> I'm seeing some odd behavior running freeradius-1.1.7 in a freebsd 6.3
> environment. I see a lot of these in the radius log:
>
> Tue Apr 22 09:27:44 2008 : Error: Discarding duplicate request from
> client arc3.wnskvtao.sover.net:1645 - ID: 208 due to unfinished request
> 1267
Find out what's blocking the server.
> Here are some configuration snippets that may be relevant:
>
> cleanup_delay = 2
> max_requests = 10240
That's a very low cleanup_delay, but it shouldn't cause this problem.
> hostname_lookups = no
> thread pool {
>start_servers = 20
>max_servers = 32
>min_spare_servers = 3
>max_spare_servers = 10
>max_requests_per_server = 0
> }
>
> Any help or suggestions would be greatly appreciated.
Upgrade to 2.0.3. :)
Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Freeradius performance settings or bug?
Jeremiah Millay wrote:
Hi,
I'm seeing some odd behavior running freeradius-1.1.7 in a freebsd 6.3
environment. I see a lot of these in the radius log:
Tue Apr 22 09:27:44 2008 : Error: Discarding duplicate request from
client arc3.wnskvtao.sover.net:1645 - ID: 208 due to unfinished request
1267
Tue Apr 22 09:27:44 2008 : Error: Discarding duplicate request from
client arc3.wnskvtao.sover.net:1645 - ID: 209 due to unfinished request
1268
as well as the cputime constantly increasing the longer I leave radiusd
running:
Well yes; the process runs, and accumulates CPU time.
What OS is this?
Looking at older messages posted to the list, I see Alan suggests that
the duplicate requests are related to radiusd not replying quickly
enough due to either having hostname lookups enabled or due to sql
backend slowness. I'm not using sql in my configuration and do not have
hostname lookups enabled.
Are you using "wtmp" i.e. "radlast". Don't. It's slow.
Here are some configuration snippets that may be relevant:
cleanup_delay = 2
max_requests = 10240
hostname_lookups = no
thread pool {
start_servers = 20
max_servers = 32
min_spare_servers = 3
max_spare_servers = 10
max_requests_per_server = 0
}
That looks OK as a first cut. What's the full config?
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: freeradius performance , requests per second
deepak kumar wrote: > I am using freeradius 1.1.6 on Suse Linux 10 , and mysql for database. > My processor is Intel Pentium 4, 3.40 Ghz, RAM is 512 MB and hard disk > is 80 GB. > On this configuration how many requests , freeraradius can handle per > second. A lot. If you have a million users, the exact number might matter. If you have less than a million users, I wouldn't' worry about performance. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: freeradius performance , requests per second
Hi, > I am using freeradius 1.1.6 on Suse Linux 10 , and mysql for database. > My processor is Intel Pentium 4, 3.40 Ghz, RAM is 512 MB and hard disk is 80 > GB. > On this configuration how many requests , freeraradius can handle per > second. > Is there any tool which can test the performance of freeradius. > Can you please tell me the average number of authentication requests > that freeradius can process per second. doc/performance-testing alan - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: FreeRadius performance requirements
O/H Arnnei Speiser έγραψε:
> Hi Guys,
> Any recommendations on the Server minimum configuration - memory, cpu
> etc for using FR with 10k, 20k, 50k users ?
Moved to freeradius-users!!
The number of users is not the major factor. Rather the number of
requests/sec.
Where are the users stored (plain text, ldap, sql)?
Do you perform heavy accounting? To sql?
How many logins do you expect per second,hour,day?
Will you use EAP? If yes will you use one of the SSL versions
(TLS,PEAP,TTLS)?
In general freeradius should not have any problem as long as you set the
thread and/or ldap/sql connection pool parameters large enough for your
specific setup.
The most important thing to check is your authentication and accounting
database not radius itself. Any modern server should be more than
adequate for freeradius.
So check the directives in thread pool { }, the num_sql_socks in
sql.conf and ldap_connections_number in ldap { } (if you are using ldap).
> What would be the main configuration parameters that we have to
> select/set in order to handle a high volume of authentication requests.
> Thanks,
> Arnnei
>
>
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/devel.html
--
Kostas Kalevras - Network Operations Center
National Technical University of Athens
http://kkalev.wordpress.com
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Freeradius performance x336
JF Suret <[EMAIL PROTECTED]> wrote: > It's just to have an idea of how many request an server can handle, > I'll need a few request/seconds and I think that a x336 will be far > far faster than required but it's just to confirm it ... At a few requests/s, almost any machine will be fine. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: freeradius performance & cpu usage
Fechete Raul <[EMAIL PROTECTED]> wrote: > thank you for your answer. that might just be it! :-) i have a test > client also programmed by a colleague, that starts a number of threads (for > each authorization one) that in the beginning wait for a semaphore. after > all threads are ready, the semapfore is switched to green and all > authorization requests are sent in a burst. maybe it needs some tuning.. For non-EAP test, radclient works. > anyway, do you know any radius eap-sim test clients that work for sure? radeapclient? Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: freeradius performance & cpu usage
Fechete Raul <[EMAIL PROTECTED]> wrote: > what bothers me is that the > freeradius is handling such a small amount of authorizations, and keeping > the processor usage below 10%. (?!) why doesn't it take 90% and do in the > mean time more work? It's limited by how fast the packets are being sent from the client, among other things. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: freeradius performance & cpu usage
Title: Re: freeradius performance & cpu usage Nicolas Baradakis wrote: >> what bothers me is that the freeradius is handling such a small >> amount of authorizations, and keeping the processor usage below >> 10%. (?!) why doesn't it take 90% and do in the mean time more work? > Perhaps the client doesn't send enough requests to make the server > busy. How do you make your tests? thank you for your answer. that might just be it! :-) i have a test client also programmed by a colleague, that starts a number of threads (for each authorization one) that in the beginning wait for a semaphore. after all threads are ready, the semapfore is switched to green and all authorization requests are sent in a burst. maybe it needs some tuning.. anyway, do you know any radius eap-sim test clients that work for sure? regards, r. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: freeradius performance & cpu usage
Fechete Raul wrote: > what bothers me is that the freeradius is handling such a small > amount of authorizations, and keeping the processor usage below > 10%. (?!) why doesn't it take 90% and do in the mean time more work? Perhaps the client doesn't send enough requests to make the server busy. How do you make your tests? -- Nicolas Baradakis - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: FreeRADIUS Performance
On Wednesday 30 March 2005 14:40, DESETech - German P. Santillan wrote: > Hi, how many concurrent petitions (AuthRequest) can handle FreeRADIUS? This > number can be changed? Depends of hardware? Its depends completely on hardware, thread settings and operating system settings, however I expect a fully tuned FR server on any type of decent (current) hardware without the extra overhead of SQL etc would handle a few hundred thousand Auth requests per second withtout any trouble. I personally have never managed to put FreeRADIUS itself under load.. (Except when I ran it on a 486) I have however managed to blow up a number of backend database servers with load generated BY FreeRADIUS! cheers -- Peter Nixon http://www.peternixon.net/ PGP Key: http://www.peternixon.net/public.asc - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
