If AD is not keeping up with the NTLM requests, giving the DCs more NTLM worker 
threads can help it keep up with higher loads.

Working with TAC we found specifically in the ACS logs that it was waiting for 
Windows to respond.

As far as number of devices, they weren't showing increases over earlier in the 
week or previous weeks.

Thanks
Jake Snyder



> On Mar 10, 2016, at 12:21 PM, Matthew Newton <m...@leicester.ac.uk> wrote:
> 
> Hi,
> 
>> On Thu, Mar 10, 2016 at 10:54:59AM -0800, Jake Snyder wrote:
>> Thanks for the great info on FreeRadius.  I don't think this is
>> the case in what I'm seeing, which is specifically that
>> Windows AD is not keeping up with NTLM.
> 
> OK, that's interesting. I think the issue that others have seen on
> this would look like that - and certainly the symptoms sound the
> same as you described - so I'm wondering how you came to the
> conclusion that it's AD itself rather than something between AD
> and ACS.
> 
> However, I'm not at all familiar with ACS - I guess it sits on a
> member server and probably calls LsaLogonUser directly - so there
> is the communication between the member server and the DC, though
> I guess that /should/ be fairly slick in theory...
> 
>> These are customers with environments that are relatively stable
>> and have been performing well for extended periods of time with
>> similar user counts.  These are also well below the 256 radius
>> session limit.
> 
> I'd throw in the consideration of student numbers as well. We
> always hit our peak number of wireless clients in February/March
> each year, so this is the time problems often show up. Why this
> time of year I have no idea! Probably all the new Christmas
> presents being connected. :)
> 
>> The MaxConcurrentAPI raises the number of worker threads in AD
>> so that NTLM on the DC can keep up with the incoming
>> requests.  Why did the performance of NTLM change recently?  I
>> have no idea, but it appears it has.
> 
> I believe MaxConcurrentAPI helped some people[0] who were having
> problems with the FreeRADIUS/Samba setup as well, so again I'm not
> entirely sure it's a pointer to AD having necessarily changed.
> 
> Maybe reviewing all Windows patches applied to the DCs and ACS
> servers in the last 3 months and see if anything seems relevant?
> But I'm not sure how easy this is to do.
> 
> It seems very likely to me that sites are seeing a combination
> of problems, which could be all of WLC running out of RADIUS IDs,
> ntlm_auth/Samba as well as MaxConcurrentAPI - so it wouldn't
> surprise me if different things seem to fix the same symptoms for
> different sites. It's just that the ACS sites don't have the
> ntlm_auth component of the problem, so it may have taken a few
> more months of load before the issue reared its head!
> 
> Cheers,
> 
> Matthew
> 
> 
> [0] see e.g. 
> https://lists.freeradius.org/pipermail/freeradius-users/2015-March/075969.html
> 
> -- 
> Matthew Newton, Ph.D. <m...@le.ac.uk>
> 
> Systems Specialist, Infrastructure Services,
> I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom
> 
> For IT help contact helpdesk extn. 2253, <ith...@le.ac.uk>
> 
> **********
> Participation and subscription information for this EDUCAUSE Constituent 
> Group discussion list can be found at http://www.educause.edu/groups/.
