Is both, to me. Block the worst clients as they are easy to find. But also use 
exclusion with very short timer to slow the effects way down while not 
penalizing good clients with odd auth behavior. :)

Thanks for sharing all this, Jake!

Lee Badman
Network Architect/Wireless TME
Syracuse University
315.443.3003

-----Original Message-----
From: Jake Snyder [jsnyde...@gmail.com]
Received: Wednesday, 09 Mar 2016, 17:35
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU [WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU]
Subject: Re: [WIRELESS-LAN] Recent Radius Meltdowns

I don't necessarily agree with the doc in all aspects.  My takeaway is that 
some failing clients can put a huge load on the RADIUS environment.  I've seen 
some clients sending 20 requests per second.  I think it's better to identify a 
client doing that through logging and block them individually rather than 
risking the exclusion.

Thanks
Jake Snyder


Sent from my iPhone

On Mar 9, 2016, at 1:53 PM, Lee H Badman <lhbad...@syr.edu> wrote:

I have to disagree with 120 second client exclusion timer- that in itself can 
be devastating. I recommend 5 or 10 seconds.

Lee Badman
Network Architect/Wireless TME
Syracuse University
315.443.3003

-----Original Message-----
From: Jake Snyder [jsnyde...@gmail.com]
Received: Wednesday, 09 Mar 2016, 16:05
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU [WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU]
Subject: [WIRELESS-LAN] Recent Radius Meltdowns

Just wanted to throw this out to the EDUCAUSE community to see if others are 
seeing this.  Although this is not ultimately a problem with Higher Ed, the 
large-scale RADIUS deployments in higher ed result in more impact.

Several weeks ago we had a higher ed customer whose RADIUS environment started 
periodically melting down.  The customer was running Cisco Infrastructure and 
ACS 5.x on the back end.

In terms of changes, there were no recent changes to either the wireless 
network or the RADIUS environment.  The only recent change was patches applied 
to the Windows environment.

Ultimately, the cause was found to be that the AD environment was taking an 
excessive time responding to NTLM authentications.  There was no ultimate fix 
found, but troubleshooting led us to changing the MaxConcurrentAPI on the 
Windows servers, which ultimately helped enough to eliminate the problem from a 
daily occurrence.

About a week later, this same customer reported to me, after visiting another 
university campus, that their RADIUS environment was also experiencing these 
issues.

Fast forward a couple weeks, I had a public utility customer seeing this same 
issue.  Suddenly flags went off that this is wider spread than just a couple 
Higher Ed customers.

Now I'm sitting at #ATM16 and talking with other Higher Ed engineer and a large 
retail customer, it MAY be impacting non-Cisco infrastructure as well.  My 
assumption is anything performing

Below are some of the links that talk about this change to the MaxConcurrentAPI. 
 I believe these two customers made changes anywhere from 2 to 20.  I know some 
of these customers are on this educause   I'm not advocating a specific value, 
I assume that different environments will need different values.


https://support.microsoft.com/en-us/kb/109626

https://blogs.technet.microsoft.com/ad/2008/09/23/updated-ntlm-and-maxconcurrentapi-concerns/

Hopefully this helps anyone who has started to see these issues in the last few 
weeks.  Also, if you're having this, please reply and let the community know 
infrastructure, RADIUS and possibly AD environment versions.

Also, for the Cisco folks, here's a great doc that you should read.

http://www.cisco.com/c/en/us/support/docs/wireless-mobility/wireless-lan-wlan/118703-technote-wlc-00.html


********** Participation and subscription information for this EDUCAUSE 
Constituent Group discussion list can be found at 
http://www.educause.edu/groups/.
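
The thread's suggestion of finding the worst clients through logging, as an added example that is not part of the original messages: a per-client sliding-window count of Access-Requests, flagging any client that reaches the 20 requests per second mentioned above. The log line format, MAC addresses and function names are constructed for illustration; real RADIUS server logs need their own parser.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed log format (an assumption; real RADIUS server logs differ):
# <ISO timestamp> <packet type> calling-station-id=<client MAC>
LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<kind>Access-Request|Access-Reject) "
                     r"calling-station-id=(?P<mac>[0-9A-Fa-f:-]{17})$")

def peak_request_rates(lines, window=timedelta(seconds=1)):
    """Return {mac: max Access-Requests seen in any sliding window}."""
    recent = defaultdict(deque)   # mac -> timestamps still inside the window
    peak = defaultdict(int)
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m or m["kind"] != "Access-Request":
            continue              # skip rejects and unparseable lines
        ts = datetime.fromisoformat(m["ts"])
        mac = m["mac"].lower().replace("-", ":")   # normalise MAC notation
        q = recent[mac]
        q.append(ts)
        while ts - q[0] >= window:   # drop entries older than the window
            q.popleft()
        peak[mac] = max(peak[mac], len(q))
    return dict(peak)

def noisy_clients(lines, threshold=20, window=timedelta(seconds=1)):
    """Clients whose peak rate reaches the threshold, worst first."""
    rates = peak_request_rates(lines, window)
    hits = [(mac, n) for mac, n in rates.items() if n >= threshold]
    return sorted(hits, key=lambda item: -item[1])

def build_sample():
    """Constructed sample: one client at 25 req/s, one retrying every 2 s."""
    base = datetime(2016, 3, 9, 17, 35, 0)
    rows = []
    for i in range(50):                       # 50 requests, 40 ms apart
        ts = base + timedelta(milliseconds=40 * i)
        rows.append((ts, "Access-Request", "AA-BB-CC-00-00-01"))
        rows.append((ts, "Access-Reject", "AA-BB-CC-00-00-01"))
    for i in range(5):                        # well-behaved client
        ts = base + timedelta(seconds=2 * i)
        rows.append((ts, "Access-Request", "aa:bb:cc:00:00:02"))
    rows.sort(key=lambda r: r[0])
    return [f"{ts.isoformat()} {kind} calling-station-id={mac}" for ts, kind, mac in rows]

if __name__ == "__main__":
    for mac, n in noisy_clients(build_sample()):
        print(f"{mac} peaked at {n} Access-Requests per second")
```

The flagged list is what would feed an individual block, while clients below the threshold are left to a short exclusion timer.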
