About a year and a half ago I did pretty exhaustive testing of RADIUS load with the Spirent traffic generator and with the assistance of PacketFence developers. (PacketFence is also based on FreeRADIUS.) They suggested we tweak the MaxConcurrentAPI setting on our test AD server. So we did, but unfortunately it seemed to make no difference at all in the number of authentications per second we could process from the load generator.

One thing we found though was that if we ran the authentications against a flat file on the RADIUS server itself we could process six times more authentications. The bottom line is that whether it is SAMBA, NTLM, AD, or network latency itself I can't say - but I do know that if I eliminate all of them performance increases dramatically.

Bottom line: Use EAP-TLS, and avoid checking LDAP/AD except when absolutely necessary. PEAP is vulnerable to fake AP/MITM attacks anyway.

If you must check AD all the time - get a lot of servers, load balance them, monitor and graph authentications down to the second. That way you'll be more likely to identify the cause of an issue.

Thanks,

-- 
Curtis K. Larsen
Sr. Network Engineer
University of Utah IT/CIS
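As an added illustration of the "monitor and graph authentications down to the second" advice (example code written for this page, not from any poster or from FreeRADIUS/PacketFence), the script below buckets FreeRADIUS-style radius.log "Auth:" lines per second, fills in empty seconds so stalls are visible on a graph, and flags seconds where failures dominate. The log lines, the "External script failed" reason text and the thresholds are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of FreeRADIUS-style radius.log "Auth:" lines (not real data).
SAMPLE_LOG = """\
Thu Mar 10 13:44:01 2016 : Auth: (101) Login OK: [alice] (from client wlc1 port 0 cli 00-11-22-33-44-55)
Thu Mar 10 13:44:01 2016 : Auth: (102) Login OK: [bob] (from client wlc1 port 0 cli 00-11-22-33-44-56)
Thu Mar 10 13:44:01 2016 : Auth: (103) Login incorrect (mschap: External script failed): [carol] (from client wlc2 port 0 cli 00-11-22-33-44-57)
Thu Mar 10 13:44:02 2016 : Auth: (104) Login OK: [dave] (from client wlc1 port 0 cli 00-11-22-33-44-58)
Thu Mar 10 13:44:04 2016 : Auth: (105) Login incorrect (mschap: External script failed): [erin] (from client wlc2 port 0 cli 00-11-22-33-44-59)
Thu Mar 10 13:44:04 2016 : Auth: (106) Login incorrect (mschap: External script failed): [frank] (from client wlc2 port 0 cli 00-11-22-33-44-5a)
"""

# Matches the timestamp and OK/incorrect outcome of an "Auth:" line; other
# log categories (Info:, Error:, ...) do not match and are skipped.
AUTH_LINE = re.compile(
    r"^(?P<ts>\w{3} \w{3} +\d{1,2} \d\d:\d\d:\d\d \d{4}) : Auth: \(\d+\) "
    r"Login (?P<result>OK|incorrect)"
)
TS_FMT = "%a %b %d %H:%M:%S %Y"


def per_second(log_text):
    """Return {datetime(second): {"ok": n, "fail": m}}, sorted, with every second
    in the observed range present so that seconds with zero authentications
    (a stalled backend) show up as gaps rather than being silently absent."""
    counts = defaultdict(lambda: {"ok": 0, "fail": 0})
    for line in log_text.splitlines():
        m = AUTH_LINE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group("ts"), TS_FMT)
        counts[ts]["ok" if m.group("result") == "OK" else "fail"] += 1
    if not counts:
        return {}
    t, end = min(counts), max(counts)
    while t <= end:
        counts[t]  # touching a missing second materialises a zero bucket
        t += timedelta(seconds=1)
    return dict(sorted(counts.items()))


def suspect_seconds(counts, min_total=2, fail_ratio=0.5):
    """Seconds where failures dominate a non-trivial number of attempts. A run
    of these while client load is flat points at the backend (ntlm_auth/AD)
    rather than at users typing bad passwords."""
    out = []
    for ts, c in counts.items():
        total = c["ok"] + c["fail"]
        if total >= min_total and c["fail"] / total >= fail_ratio:
            out.append(ts)
    return out
```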



On Thu, March 10, 2016 1:44 pm, Jake Snyder wrote:
> If AD is not keeping up with the NTLM requests, giving the DCs more NTLM worker threads can help it keep up with higher loads.
>
> Working with TAC we found specifically in the ACS logs that it was waiting for Windows to respond.
>
> As far as number of devices, they weren't showing increases over earlier in the week or previous weeks.
>
> Thanks
> Jake Snyder
>
>
> Sent from my iPhone
>
>> On Mar 10, 2016, at 12:21 PM, Matthew Newton <m...@leicester.ac.uk> wrote:
>>
>> Hi,
>>
>>> On Thu, Mar 10, 2016 at 10:54:59AM -0800, Jake Snyder wrote:
>>> Thanks for the great info on FreeRadius.  I don't think this is
>>> the case in what I'm seeing, which is specifically that
>>> Windows AD is not keeping up with NTLM.
>>
>> OK, that's interesting. I think the issue that others have seen on
>> this would look like that - and certainly the symptoms sound the
>> same as you described - so I'm wondering how you came to the
>> conclusion that it's AD itself rather than something between AD
>> and ACS.
>>
>> However, I'm not at all familiar with ACS - I guess it sits on a
>> member server and probably calls LsaLogonUser directly - so there
>> is the communication between the member server and the DC, though
>> I guess that /should/ be fairly slick in theory...
>>
>>> These are customers with environments that are relatively stable
>>> and have been performing well for extended periods of time with
>>> similar user counts.  These are also well below the 256 radius
>>> session limit.
>>
>> I'd throw in the consideration of student numbers as well. We
>> always hit our peak number of wireless clients in February/March
>> each year, so this is the time problems often show up. Why this
>> time of year I have no idea! Probably all the new Christmas
>> presents being connected. :)
>>
>>> The MaxConcurrentAPI raises the number of worker threads in AD
>>> so that NTLM on the DC can keep up with the incoming
>>> requests.  Why did the performance of NTLM change recently?  I
>>> have no idea, but it appears it has.
>>
>> I believe MaxConcurrentAPI helped some people[0] who were having
>> problems with the FreeRADIUS/Samba setup as well, so again I'm not
>> entirely sure it's a pointer to AD having necessarily changed.
>>
>> Maybe reviewing all Windows patches applied to the DCs and ACS
>> servers in the last 3 months and see if anything seems relevant?
>> But I'm not sure how easy this is to do.
>>
>> It seems very likely to me that sites are seeing a combination
>> of problems, which could be all of WLC running out of RADIUS IDs,
>> ntlm_auth/Samba as well as MaxConcurrentAPI - so it wouldn't
>> surprise me if different things seem to fix the same symptoms for
>> different sites. It's just that the ACS sites don't have the
>> ntlm_auth component of the problem, so it may have taken a few
>> more months of load before the issue reared its head!
>>
>> Cheers,
>>
>> Matthew
>>
>>
>> [0] see e.g. 
>> https://lists.freeradius.org/pipermail/freeradius-users/2015-March/075969.html
>>
>> --
>> Matthew Newton, Ph.D. <m...@le.ac.uk>
>>
>> Systems Specialist, Infrastructure Services,
>> I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom
>>
>> For IT help contact helpdesk extn. 2253, <ith...@le.ac.uk>
>>
>> **********
>> Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/.
>
