Matthew,
Thanks for the great info on FreeRadius.  I don't think this is the case in 
what I'm seeing, which is specifically that Windows AD is not keeping up 
with NTLM.

These are customers with environments that are relatively stable and have been 
performing well for extended periods of time with similar user counts.  These 
are also well below the 256 radius session limit.

The MaxConcurrentAPI raises the number of worker threads in AD so that NTLM 
on the DC can keep up with the incoming requests.  Why did the performance of 
NTLM change recently?  I have no idea, but it appears it has.

Thanks
Jake Snyder


Sent from my iPhone

> On Mar 10, 2016, at 7:50 AM, Matthew Newton <m...@leicester.ac.uk> wrote:
> 
> On Thu, Mar 10, 2016 at 09:14:02AM -0500, Earl Barfield wrote:
>>> Just wanted to throw this out to the educause community to see if others
>>> are seeing this.  Although this is not ultimately a problem with Higher Ed,
>>> the large scale RADIUS deployments in higher ed resulting in more impact
>> 
>> If anything (radius server, users, Active Directory, etc) slows down
>> the auth process, then you're going to have more auth sessions in
>> progress simultaneously.
> 
> This has been a well-known issue in the FreeRADIUS world for a
> long time now. Anything that slows down the NTLM communication
> between the RADIUS server and the AD server will eventually lead
> to problems. It just seems to crop up more in certain
> circumstances. With FreeRADIUS, part of the problem seemed to be
> using Samba's ntlm_auth (which involves an exec) so I did quite a
> bit of hacking a year ago to use a library call and avoid that,
> which does seem to help. As does faster hardware for the RADIUS
> servers.
> 
> Cisco haven't helped themselves for a long time by using a single
> UDP source port (and therefore only 256 radius IDs) per
> controller. Using a different source port per access point would
> have been a decent solution IMO, or even just random ephemeral ports,
> but they've gone for some half-way solution that uses a few more
> source ports in 8.1-something. Better than before anyway.
> 
> The problem exacerbates itself because when the WLC doesn't get a
> response from a RADIUS server after a while, it will drop that
> server and move to the next. Then all 250 or so authentications
> in-flight (and probably half completed) will get chopped off and
> have to start again on the next server.
> 
> Each hour when all the students moved between lectures we'd see 10
> minutes of WLCs jumping to a different RADIUS server every minute
> or so. This makes the higher-ed situation fairly unique and not
> like business environments, where people don't tend to move around
> in very large groups all at the same time.
> 
> I started to collect mailing list posts on a blog post to try and
> collect information together if anyone's interested in reading
> lots of different views on it! http://q.asd.me.uk/0
> 
> It's one of those things that if you're not looking for it,
> though, you might not easily notice it, but just have complaints
> about bad wireless connectivity at certain times of the day. It
> becomes easy to see in the WLC SNMP RADIUS server not responding
> traps, however.
> 
> Cheers,
> 
> Matthew
> 
> 
> -- 
> Matthew Newton, Ph.D. <m...@le.ac.uk>
> 
> Systems Specialist, Infrastructure Services,
> I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom
> 
> For IT help contact helpdesk extn. 2253, <ith...@le.ac.uk>
> 
> **********
> Participation and subscription information for this EDUCAUSE Constituent 
> Group discussion list can be found at http://www.educause.edu/groups/.
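The Identifier-exhaustion mechanism Matthew describes above (one UDP source port, so only 256 RADIUS IDs, and slower NTLM keeping each request in flight longer), played out as an added simulation that is not part of this thread; the 200 auths/s burst, the backend latencies and the 10 ms tick are assumptions:

```python
"""Model RADIUS Identifier exhaustion on a NAS that sends from one UDP source port.

RFC 2865 gives each Access-Request an 8-bit Identifier, so a NAS can have at most
256 requests outstanding per UDP source port. A slow backend (here: NTLM to AD)
keeps each request outstanding longer, so the same arrival rate needs more
Identifiers. Constructed example; the rates and latencies are assumptions.
"""
from collections import deque

IDS_PER_PORT = 256          # size of the 8-bit Identifier space (RFC 2865)
TICKS_PER_SEC = 100         # simulation resolution: 10 ms


def little_estimate(arrivals_per_sec, backend_latency_s):
    """Little's law: mean requests in flight = arrival rate * time outstanding."""
    return arrivals_per_sec * backend_latency_s


def simulate(arrivals_per_sec, backend_latency_s, duration_s, source_ports=1):
    """Replay a steady stream of authentications against the Identifier pool.

    arrivals_per_sec must be an integer. Every accepted request holds one
    (source port, Identifier) slot until the RADIUS server answers,
    backend_latency_s later. A request arriving when all slots are busy is
    counted as rejected (the NAS has no Identifier left to give it).
    """
    capacity = source_ports * IDS_PER_PORT
    latency_ticks = round(backend_latency_s * TICKS_PER_SEC)
    in_flight = deque()                 # completion ticks, in arrival order
    accepted = rejected = peak = 0
    for tick in range(int(duration_s * TICKS_PER_SEC)):
        # Replies that have come back free their Identifiers.
        while in_flight and in_flight[0] <= tick:
            in_flight.popleft()
        # Integer arrivals for this tick, without drift from float accumulation.
        new = (arrivals_per_sec * (tick + 1)) // TICKS_PER_SEC \
            - (arrivals_per_sec * tick) // TICKS_PER_SEC
        for _ in range(new):
            if len(in_flight) < capacity:
                in_flight.append(tick + latency_ticks)
                accepted += 1
            else:
                rejected += 1
        peak = max(peak, len(in_flight))
    return {"accepted": accepted, "rejected": rejected, "peak_in_flight": peak}


if __name__ == "__main__":
    # Same 200 auths/s burst (students changing lectures); only the AD response
    # time and the number of WLC source ports change between runs.
    for latency, ports in ((0.5, 1), (2.0, 1), (2.0, 2)):
        r = simulate(200, latency, 10, source_ports=ports)
        print(f"NTLM latency {latency:.1f}s, {ports} source port(s): "
              f"Little's law ~{little_estimate(200, latency):.0f} in flight, "
              f"peak {r['peak_in_flight']}, rejected {r['rejected']}")
```

With a 0.5 s backend the pool never fills; at 2 s the same load wants about 400 Identifiers, so a single source port rejects roughly a third of the burst while a second source port absorbs it.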
