Occasional Contributor II
Posts: 45
Registered: ‎12-06-2010
RADIUS Client Access-Request / Accept

Just switched from IAS to NPS for RADIUS. RADIUS log file sizes for the same period have grown by a factor of 4 to 5. I changed the log format from DTS to IAS and this helped just a little. I looked at the logs and see that for each authentication, most clients are sending a burst of 6 to 8 access-requests per second, with each request immediately followed by an access-accept. Timers are at the default. Why would the clients be sending so many requests for each authentication all in the same second?

 

 

Guru Elite
Posts: 20,960
Registered: ‎03-29-2007
Re: RADIUS Client Access-Request / Accept

Why would the change from IAS to NPS cause a change in client behavior?  Is it possible it has always been happening?



Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

Occasional Contributor II
Posts: 45
Registered: ‎12-06-2010
Re: RADIUS Client Access-Request / Accept

Colin,

Sorry, I didn't mean to imply that the change from IAS to NPS caused the change in client behavior. It was likely there before. I am trying to figure out why my logs have grown by a 4x / 5x factor. Each log will likely now be 30 to 50 GB per server, per month. However, what I am trying to confirm is that I don't have a configuration problem that would cause the client, each time they authenticate,  to send 6 to 8 Access-Request packets in a single second. If it's not a configuration problem, is there anything I can do about it?

Thanks,

Brad

 

Contributor II
Posts: 141
Registered: ‎05-12-2010
Re: RADIUS Client Access-Request / Accept

I do not know whether Microsoft has a solution, but Aruba's supported solution would likely be to move to ClearPass Policy Manager.

 

:D 

Bruce Osborne - Wireless Engineer
ACCP
Guru Elite
Posts: 20,960
Registered: ‎03-29-2007
Re: RADIUS Client Access-Request / Accept

Brad wrote:

Colin,

Sorry, I didn't mean to imply that the change from IAS to NPS caused the change in client behavior. It was likely there before. I am trying to figure out why my logs have grown by a 4x / 5x factor. Each log will likely now be 30 to 50 GB per server, per month. However, what I am trying to confirm is that I don't have a configuration problem that would cause the client, each time they authenticate,  to send 6 to 8 Access-Request packets in a single second. If it's not a configuration problem, is there anything I can do about it?

Thanks,

Brad

 


Brad, no apology required.

 

To get to the bottom of things:

 

- Can we zero in on a specific type of client, or does it happen with all of them?

- Does it happen all the time?

- Are you having any connectivity issues with your client(s) at this time, or are the growing logs your only issue?

 

Multiple RADIUS requests sometimes point to uncompleted RADIUS transactions, due to congestion...maybe...

 



Colin Joseph
Aruba Customer Engineering


Occasional Contributor I
Posts: 13
Registered: ‎03-01-2012
Re: RADIUS Client Access-Request / Accept

Disclaimer: I'm definitely not a RADIUS expert, and what limited experience I have is with EAP-TTLS on FreeRADIUS.

 

Multiple access-requests as part of a single authentication are common. They are known as EAP fragments. The number of fragments will depend primarily on your EAP type and the nature of your certificate chain, but we require 8 for every auth. What strikes me as unusual is that each one is followed by an access-accept. I'm accustomed to seeing each fragment followed by another access-challenge, with only the last fragment soliciting an accept or reject message.

 

Could what you're observing be EAP fragmentation?  If so, the server responding with an accept message instead of a challenge would explain why your log volume increased substantially.  Under normal logging, challenges would not be logged.  Accepts would almost always be logged.

 

Chuck Enfield

Penn State
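
The two patterns discussed in this thread, as an added example that is not part of any post above: a short Python parser that reads RADIUS packets for one authentication and counts requests, challenges, accepts, server EAP fragments, and accepts that were followed by yet another request. The packets are constructed samples (zero authenticator, PEAP assumed as the EAP type), and the function names are this example's own; it assumes the packets have already been grouped per client, for instance from a capture on the RADIUS server.

```python
import struct
from collections import Counter

CODES = {1: "Access-Request", 2: "Access-Accept", 3: "Access-Reject", 11: "Access-Challenge"}
EAP_MESSAGE = 79  # RADIUS attribute that carries EAP (RFC 3579)

def parse_radius(pkt):
    """Return (code name, [(attribute type, value), ...]) for one RADIUS packet."""
    if len(pkt) < 20 or not 20 <= int.from_bytes(pkt[2:4], "big") <= len(pkt):
        raise ValueError("bad RADIUS length")
    code, length = pkt[0], int.from_bytes(pkt[2:4], "big")
    attrs, pos = [], 20  # 4-byte header + 16-byte authenticator
    while pos + 2 <= length:
        atype, alen = pkt[pos], pkt[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("bad attribute length")
        attrs.append((atype, pkt[pos + 2:pos + alen]))
        pos += alen
    return CODES.get(code, str(code)), attrs

def more_fragments(attrs):
    """True if the EAP-TLS-style 'M' flag (0x40) is set: more fragments follow."""
    eap = b"".join(v for t, v in attrs if t == EAP_MESSAGE)
    # EAP layout: code, id, length (2 bytes), type, flags. 13=TLS, 21=TTLS, 25=PEAP
    return len(eap) >= 6 and eap[4] in (13, 21, 25) and bool(eap[5] & 0x40)

def summarize(packets):
    """Count packet types for one authentication, in the order seen on the wire."""
    names = [parse_radius(p) for p in packets]
    counts = Counter(name for name, _ in names)
    counts["server-fragments"] = sum(
        1 for name, attrs in names if name == "Access-Challenge" and more_fragments(attrs))
    # An accept followed by another request is the pattern the last post calls unusual.
    counts["accepts-before-last-request"] = sum(
        1 for i, (name, _) in enumerate(names)
        if name == "Access-Accept" and any(n == "Access-Request" for n, _ in names[i + 1:]))
    return dict(counts)

def build(code, eap=b""):
    """Constructed sample packet: zero authenticator, optional EAP-Message."""
    attr = bytes([EAP_MESSAGE, len(eap) + 2]) + eap if eap else b""
    return struct.pack("!BBH", code, 0, 20 + len(attr)) + bytes(16) + attr

ACK = struct.pack("!BBHBB", 2, 1, 6, 25, 0x00)   # client PEAP response, no flags
FRAG = struct.pack("!BBHBB", 1, 1, 6, 25, 0x40)  # server PEAP request, M flag set
LAST = struct.pack("!BBHBB", 1, 1, 6, 25, 0x00)  # server's final fragment
EXPECTED = [build(1, ACK), build(11, FRAG), build(1, ACK), build(11, FRAG),
            build(1, ACK), build(11, LAST), build(1, ACK), build(2)]
REPORTED = [build(1, ACK), build(2)] * 4  # every request answered by an accept
```

Running `summarize` over both lists shows the difference a log reader would see: the challenge-based exchange produces a single accept record, while the reported pattern produces one accept per request.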
