On Thu, Mar 10, 2016 at 09:14:02AM -0500, Earl Barfield wrote:
> >Just wanted to throw this out to the educause community to see if others
> >are seeing this. Although this is not ultimately a problem with Higher Ed,
> >the large scale RADIUS deployments in higher ed resulting in more impact
>
> If anything (radius server, users, Active Directory, etc) slows down
> the auth process, then you're going to have more auth sessions in
> progress simultaneously.
This has been a well-known issue in the FreeRADIUS world for a long time now. Anything that slows down the NTLM communication between the RADIUS server and the AD server will eventually lead to problems. It just seems to crop up more in certain circumstances.

With FreeRADIUS, part of the problem seemed to be using Samba's ntlm_auth (which involves an exec), so I did quite a bit of hacking a year ago to use a library call and avoid that, which does seem to help. As does faster hardware for the RADIUS servers.

Cisco haven't helped themselves for a long time by using a single UDP source port (and therefore only 256 RADIUS IDs) per controller. Using a different source port per access point would have been a decent solution IMO, or even just random ephemeral ports, but they've gone for some half-way solution that uses a few more source ports in 8.1-something. Better than before anyway.

The problem exacerbates itself because when the WLC doesn't get a response from a RADIUS server after a while, it will drop that server and move to the next. Then all 250 or so authentications in flight (and probably half completed) will get chopped off and have to start again on the next server. Each hour, when all the students moved between lectures, we'd see 10 minutes of WLCs jumping to a different RADIUS server every minute or so.

This makes the higher-ed situation fairly unique and not like business environments, where people don't tend to move around in very large groups all at the same time.

I started to collect mailing list posts on a blog post to try and collect information together, if anyone's interested in reading lots of different views on it!

http://q.asd.me.uk/0

It's one of those things that if you're not looking for it, though, you might not easily notice it, but just have complaints about bad wireless connectivity at certain times of the day. It becomes easy to see in the WLC SNMP "RADIUS server not responding" traps, however.

Cheers,

Matthew

--
Matthew Newton, Ph.D. <m...@le.ac.uk>

Systems Specialist, Infrastructure Services,
I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom

For IT help contact helpdesk extn. 2253, <ith...@le.ac.uk>

**********
Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/.
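The two mechanisms Matthew describes, the 256-value RADIUS Identifier space behind a single UDP source port and the WLC failover that discards every in-flight authentication, can be made concrete with a small model. The following is an added example and is not code from the list thread, from FreeRADIUS or from Cisco; it assumes a simplified client/server model (one outstanding Access-Request per Identifier value, a backend that answers in FIFO order at a fixed rate, and a client that declares the server dead once its oldest outstanding request has waited `timeout_s` seconds) and uses constructed traffic numbers. It shows why a slower NTLM round trip lowers the sustainable authentication rate (Little's law) and how an overloaded backend turns into a repeating failover cascade in which partially completed auths are dropped and re-queued.

```python
"""Toy model of RADIUS Identifier exhaustion and WLC failover cascades.

Added example, not code from the mailing-list post. The model is a deliberate
simplification: one outstanding Access-Request per RADIUS Identifier value, a
backend that services requests in FIFO order at a fixed rate, and a client that
declares the server dead once its oldest outstanding request has waited
`timeout_s` seconds. All traffic numbers used below are constructed.
"""
from collections import deque

# The RADIUS Identifier field is 8 bits (RFC 2865), so a client using one UDP
# source port can have at most 256 requests outstanding to a given server.
RADIUS_IDS_PER_PORT = 256


def max_concurrent_requests(source_ports: int) -> int:
    """Outstanding-request ceiling for a client that uses `source_ports` ports."""
    return source_ports * RADIUS_IDS_PER_PORT


def max_auth_rate(source_ports: int, auth_latency_s: float) -> float:
    """Little's law: sustainable auths/s = concurrency ceiling / per-auth latency.

    A slower AD / NTLM round trip lowers this ceiling directly, which is why
    backend latency, not just request volume, drives Identifier exhaustion.
    """
    return max_concurrent_requests(source_ports) / auth_latency_s


def simulate(arrivals_per_s: int, server_rate_per_s: int, source_ports: int,
             timeout_s: int, duration_s: int) -> dict:
    """Step a WLC-style client through `duration_s` one-second ticks.

    Each tick: new auth attempts join the backlog, the backlog is sent while a
    RADIUS Identifier is free, the server completes up to `server_rate_per_s`
    of the oldest requests, and if the oldest outstanding request has waited
    `timeout_s` seconds the client fails over: every in-flight request is
    dropped and those clients start again (rejoin the backlog) on the next server.
    """
    capacity = max_concurrent_requests(source_ports)
    in_flight = deque()   # send time of each outstanding request, oldest first
    backlog = 0           # attempts waiting for a free Identifier
    stats = {"completed": 0, "failovers": 0,
             "dropped_in_flight": 0, "peak_in_flight": 0}

    for now in range(duration_s):
        backlog += arrivals_per_s
        while backlog and len(in_flight) < capacity:
            in_flight.append(now)
            backlog -= 1
        stats["peak_in_flight"] = max(stats["peak_in_flight"], len(in_flight))

        for _ in range(min(server_rate_per_s, len(in_flight))):
            in_flight.popleft()
            stats["completed"] += 1

        if in_flight and now - in_flight[0] >= timeout_s:
            stats["failovers"] += 1
            stats["dropped_in_flight"] += len(in_flight)
            backlog += len(in_flight)   # half-finished auths restart on the next server
            in_flight.clear()

    stats["backlog_at_end"] = backlog
    return stats


if __name__ == "__main__":
    print("ceiling, 1 port, 2 s NTLM latency:", max_auth_rate(1, 2.0), "auths/s")
    print("healthy   :", simulate(40, 40, 1, 5, 60))
    print("overloaded:", simulate(50, 40, 1, 5, 60))
```

With the backend keeping up (40 arrivals/s against 40 completions/s) the client never has more than 40 requests outstanding and no failover occurs. With 50 arrivals/s against the same backend the outstanding count climbs until all 256 Identifiers are in use, the oldest request ages past the timeout, and the client drops a couple of hundred half-finished authentications onto the next server, which then suffers the same fate a few seconds later. That is the lecture-changeover pattern in the post, and the SNMP "server not responding" traps it mentions are the observable symptom of each `failovers` increment.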