I have seen the numbers higher than 0, especially when the RADIUS servers were 
on a different subnet and the traffic had to be routed or to the ones at our 
off-campus data recovery site. The primary ones are now in the same subnet as 
the controllers though on a separate switch that is connected (10 Gb) to the 
switch with the controllers. That connectivity change along with a change in 
FreeRadius versions to one that caches good auths from the LDAP server seems to 
have helped us a bunch.



John Watters
Network Engineer, Office of Information Technology
The University of Alabama
A115 Gordon Palmer Hall
Box 870346
Tuscaloosa, AL 35487
Phone 205-348-3992
john.watt...@ua.edu

From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Turner, Ryan H
Sent: Sunday, May 07, 2017 8:27 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Radius Transaction Times

Why is your round trip time 0?  That doesn't look right.

Ryan Turner
Manager of Network Operations, ITS
The University of North Carolina at Chapel Hill
+1 919 274 7926 Mobile
+1 919 445 0113 Office

On May 5, 2017, at 10:20 AM, Watters, John <john.watt...@ua.edu> wrote:
We have been having RADIUS problems for a while. After a lot of cussing and 
gnashing of teeth I got the RADIUS folks to build three new servers (all 
virtual). These were put into the same IP address spaces as our Cisco 8510 
controllers. We are running MPLS with our campus divided into three areas (soon 
to become four since we acquired 100+ acres of adjacent land that used to be 
the State mental health hospital complex). The WLCs, RADIUS servers, and APs 
are all in a global VRF in each area. In addition these new RADIUS servers 
(running FreeRadius) had code upgrades that provided caching which cut down 
dramatically on their calls to our LDAP servers (we do not use AD for this 
function). We have found that the new RADIUS servers perform well enough to 
drastically cut down our timeout & retry values. And, they are not failing over 
to the other listed RADIUS servers at all. I have been looking at the stats, 
adding the results into a spreadsheet for comparison, and resetting the stats 
on a daily basis for about a week now. Very impressive results compared to what 
they were in the past. Zero failovers to the backup RADIUS servers. Now, the 
slow RADIUS performers are the few where we allow areas to run their own RADIUS 
authentication (e.g., Athletics and a State funded traffic accident center).


The following are stats for the last 24 hours for the primary RADIUS servers in 
each MPLS area. Note that our last day of finals was yesterday. So overall 
usage is down somewhat from previous days.

Server Index..................................... 11
Server Address................................... 10.40.73.63
Msg Round Trip Time.............................. 0 (msec)
First Requests................................... 10558631
Retry Requests................................... 1115
Accept Responses................................. 1233879
Reject Responses................................. 17613
Challenge Responses.............................. 9306091
Malformed Msgs................................... 0
Bad Authenticator Msgs........................... 0
Pending Requests................................. 562
Timeout Requests................................. 1116
Consecutive Drops ............................... 0
Unknowntype Msgs................................. 0
Other Drops...................................... 16


Server Index..................................... 12
Server Address................................... 10.40.73.64
Msg Round Trip Time.............................. 0 (msec)
First Requests................................... 1914228
Retry Requests................................... 26
Accept Responses................................. 204271
Reject Responses................................. 5034
Challenge Responses.............................. 1704679
Malformed Msgs................................... 0
Bad Authenticator Msgs........................... 0
Pending Requests................................. 4
Timeout Requests................................. 27
Consecutive Drops ............................... 0
Unknowntype Msgs................................. 0
Other Drops...................................... 3

Server Index..................................... 13
Server Address................................... 10.40.73.65
Msg Round Trip Time.............................. 0 (msec)
First Requests................................... 2287837
Retry Requests................................... 527
Accept Responses................................. 264175
Reject Responses................................. 6003
Challenge Responses.............................. 2017202
Malformed Msgs................................... 0
Bad Authenticator Msgs........................... 0
Pending Requests................................. 219
Timeout Requests................................. 527
Consecutive Drops ............................... 0
Unknowntype Msgs................................. 0
Other Drops...................................... 7


And, totals for all of the RADIUS servers per area:


Authentication Total:

First Requests................................... 10626070
Retry Requests................................... 1223
Accept Responses................................. 1240876
Reject Responses................................. 17714
Challenge Responses.............................. 9358962

Authentication Total:

First Requests................................... 1924145
Retry Requests................................... 26
Accept Responses................................. 204902
Reject Responses................................. 5141
Challenge Responses.............................. 1710089


Authentication Total:

First Requests................................... 2328645
Retry Requests................................... 579
Accept Responses................................. 268591
Reject Responses................................. 6140
Challenge Responses.............................. 2051073

All controllers are 8510s running Cisco 8.0.140.0 due to a few older APs that 
we are phasing out this summer.



John Watters
Network Engineer, Office of Information Technology
The University of Alabama
A115 Gordon Palmer Hall
Box 870346
Tuscaloosa, AL 35487
Phone 205-348-3992
john.watt...@ua.edu
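
An added example, not part of the thread and not Cisco or FreeRADIUS code: rather than copying the daily controller counters into a spreadsheet, this Python code parses the dotted counter format shown above and derives per-server retry rate, reject share and EAP challenges per completed authentication. The function names and alert thresholds are assumptions; the counters are servers 11 and 13 from the message above, trimmed to the fields used.

```python
import re

# Counters for servers 11 and 13, copied from the message above and trimmed
# to the fields this example uses.
SAMPLE = """\
Server Index..................................... 11
Server Address................................... 10.40.73.63
First Requests................................... 10558631
Retry Requests................................... 1115
Accept Responses................................. 1233879
Reject Responses................................. 17613
Challenge Responses.............................. 9306091
Bad Authenticator Msgs........................... 0

Server Index..................................... 13
Server Address................................... 10.40.73.65
First Requests................................... 2287837
Retry Requests................................... 527
Accept Responses................................. 264175
Reject Responses................................. 6003
Challenge Responses.............................. 2017202
Bad Authenticator Msgs........................... 0
"""

LINE = re.compile(r"^\s*(?P<key>[A-Za-z ]+?)\s*\.{3,}\s*(?P<val>\S+)")

def parse_blocks(text):
    """Return one dict of counters per 'Server Index' block."""
    blocks = []
    for m in filter(None, map(LINE.match, text.splitlines())):
        if m["key"] == "Server Index":
            blocks.append({})
        if blocks:
            v = m["val"]
            blocks[-1][m["key"]] = int(v) if v.isdigit() else v
    return blocks

def health(b, max_retry_ppm=200, max_reject_share=0.05):
    """Derive rates from raw counters; the default thresholds are illustrative."""
    done = b["Accept Responses"] + b["Reject Responses"]
    out = {"server": b["Server Address"],
           "retry_ppm": round(1e6 * b["Retry Requests"] / b["First Requests"], 1),
           "reject_share": round(b["Reject Responses"] / done, 4),
           "challenges_per_auth": round(b["Challenge Responses"] / done, 2)}
    checks = [("retry rate", out["retry_ppm"] > max_retry_ppm),
              ("reject share", out["reject_share"] > max_reject_share),
              ("bad authenticator", b.get("Bad Authenticator Msgs", 0) > 0)]
    out["alerts"] = [name for name, hit in checks if hit]
    return out
```

A non-zero Bad Authenticator count is flagged regardless of volume because it means a response failed verification against the shared secret.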

From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Jason Cook
Sent: Thursday, May 04, 2017 11:28 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] Radius Transaction Times

Hi,

For those logging radius transactions I’m just looking for some ideas on what 
seems a normal rate. It’s been on our list for a while to start looking at and 
we are currently playing with Nyansa and running into a few alerts.

Predominately interested in transaction time, do they change much under load?
eduroam will obviously have some additional concerns outside of your own 
control, but we are predominantly looking at on-campus.

Below are some numbers for 2 different servers, interestingly the more loaded 
server is quicker ☺ Yet our radius and AD servers are clones ☺

Additional info for interest
We run 4x freeradius v2 on redhat 6, each has its own Microsoft 2008 R2 AD 
server
-Currently building replacement freeradius v3 on redhat 7
-The server team is also migrating to 2012 R2, so we will be moving to that 
shortly as well
Cisco 8510-HA 2100 APs peaking 15000 concurrent clients


Regards

Jason

<image004.png>

<image005.png>
--
Jason Cook
Technology Services
The University of Adelaide, AUSTRALIA 5005
Ph    : +61 8 8313 4800
e-mail: jason.c...@adelaide.edu.au

CRICOS Provider Number 00123M

********** Participation and subscription information for this EDUCAUSE 
Constituent Group discussion list can be found at 
http://www.educause.edu/discuss.