10-11-2012 01:40 PM
I'm running an eval of Airwave.. one of the problems it's uncovered is a ton of radius time outs - specifically "Authentication server request timed out for XX-SERVER"
In trying to correct this issue I setup a second NPS server to serve a smaller site (<100 devices). It's generating time out errors too..
So that's got me wondering if Aruba/Airwave isn't reporting this data correctly, or wondering if NPS is just poorly suited to serve up radius for a wireless network.
What's your experience/design been in setting up a NPS server(s) to accommodate 3500ish wireless clients across 9 controllers? Is there a better radius product that will authenticate against MS AD for machine and user authentication?
10-11-2012 04:32 PM
Depending on the server configuration (hardware and other services) NPS can handle hundreds of requests per second. Now, if this your DC, then it is obviously doing other things as well. I have many customers using NPS for RADIUS, mainly for its ease of integration, and of course price. If you need to stick with NPS, you could look at using an NPS Proxy to balance the requests across multiple servers. But, since you asked, I'll answer: ClearPass Policy Manager would be a good option to look at for an alternative RADIUS solution.
Getting back to your RADIUS timeouts; have you troubleshot it any further? Are your clients complaining? Do you have a lot of Apple/iOS devices?
Systems Engineer, Northeast USA
ACDX | ACMX | ACCP
10-14-2012 08:13 AM
Just asking the nps server is locally on the site where you authenticating servers?
Or you got for example a wireless controller on a remote site and you got the NPS servers on like a data center or central site?
I ask you this because you can do EAP termination on the controller is is recommended in situations where the radisu server is not local to the controller....
EAP process is terminated on the controller and only radius request are send to the server... Its good like i said when radius server is not local to the WLAN.
Product Manager - Aruba Networks
10-22-2012 08:47 AM
NPS is running on a DC that I installed to handle radius requests. When NPS services are offline it runs somewhere between 0%-1% utilization. When NPS is running it doesn't go above 10% utilization - with the exception of the occasional spike hear and there. Airwave reports 3400 clients
I've sniffed the traffic hitting the primary NPS box, and I'm guesstimating that it's getting about 300 or so requests per second.
>Are your clients complaining?
Yes.. that's why I started an Airwave eval. I'm getting reports of sporadic authentication issues... like when a teacher starts up a class set of laptops. Out of 30ish devices 2-3 of them wont get online on the first attempt. This is true of both our Chomebooks and Win7 Laptops.
>Do you have a lot of Apple/iOS devices?
Yes we do. The bulk of them are personal devices.
I've been hitting the internet pretty hard looking for answers about NPS performance. So far as I've read a single NPS server can handle 200 requests per second and/or 5000 wireless devices. I'm having a hard time believing this when my smallest site is having issues with 144 wireless devices.
10-22-2012 09:07 AM
>Just asking the nps server is locally on the site where you authenticating servers?
Yes and no.. I setup a second NPS server local to one of the controllers and the problem didn't go away.
>Or you got for example a wireless controller on a remote site and you got the NPS servers on like a data center or central site?
>I ask you this because you can do EAP termination on the controller is is recommended in situations where the radisu server is not local to the controller....EAP process is terminated on the controller and only radius request are send to the server... Its good like i said when radius server is not local to the WLAN.
Interesting... I believe I looked into that awhile back and it didn't fit well in our environment. I can't remeber why but I'll take another look...
10-26-2012 12:22 PM
Did you ever find a resolution to your problem? I'm having a very similar problem with RADIUS timeouts that I cannot get to the bottom of but I have a LOT less clients than you do.
Running 2008R2 NPS on an unloaded server connected to the same switch that my Aruba controller is on. EAP termination at the RADIUS server.
The RADIUS server is only getting hit by 5-6 clients per minute so you definitely have a much busier network than I do.
The Aruba controller complains of the RADIUS server timing out. From the other side, I don't see any errors or network distruptions regarding RADIUS - it simply just isn't seeing the traffic.
10-26-2012 12:55 PM
When you configure the second NPS which is local to the controller, did you put that one as primary right on that controller?
Im sure you did but i still ask
Also like the other forum guy said
Did you ever found resolution to this?
I have setup some of those and never had issue with this kind of thing...
Product Manager - Aruba Networks
10-30-2012 09:02 AM
No resolution yet...
>When you configure the second NPS which is local to the controller, did you put that one as primary right on that controller?
> I have setup some of those and never had issue with this kind of thing...
What was the specs on the servers you used? hardware/os/hypervisor??
12-04-2012 10:41 AM
So I suspect these timeouts are a result of a group of misconfigured clients.
Here's what I'm seeing in the Windows Event Log
Log Name: Security
Date: 11/28/2012 11:36:21 AM
Event ID: 6274
Task Category: Network Policy Server
Keywords: Audit Failure
Network Policy Server discarded the request for a user.
Contact the Network Policy Server administrator for more information.
Security ID: S-1-5-21-547700318-1172196121-2737236298-41244
Account Name: loginname
Account Domain: DOM
Fully Qualified Account Name: DOM\loginname
Security ID: NULL SID
Account Name: -
Fully Qualified Account Name: -
Called Station Identifier: 000B86041A80
Calling Station Identifier: 1474116FD51C
NAS IPv4 Address: 172.25.197.2
NAS IPv6 Address: -
NAS Identifier: 172.22.197.5
NAS Port-Type: Wireless - IEEE 802.11
NAS Port: 19
Client Friendly Name: Aruba
Client IP Address: 172.22.197.5
Connection Request Policy Name: Secure Wireless Connections
Network Policy Name: Secure Wireless Connections
Authentication Provider: Windows
Authentication Server: SERVERNAME.dom.lan
Authentication Type: EAP
EAP Type: -
Account Session Identifier: -
Reason Code: 1
Reason: An internal error occurred. Check the system event log for additional information.
I can't find a way to make NPS send an ACCESS-REJECT message to the client when this happens - so the controller sees this as a timeout.
12-27-2012 08:06 AM
As I mentioned earlier in this thread I had a similar problem. Unfortunately I do not have a resolution right now, but through troubleshooting with Aruba support I've come to the same conclusion as you did.
Traffic on my network this week is unusually light because most people are out on holiday. I saw some RADIUS timeouts and there were only a handful of clients inside my building. I checked on my RADIUS logs and saw that one user was failing to auth right before the timeout occured.
Now I have this user's iPad 4 running iOS 6.0.1 in my hands. When it's asleep, everything is well. As soon as I wake it up, it tries to connect to my wireless network and since it's not set up right it tries to connect, then fails, then tries again, etc.
While this happens, I can watch the timeout value climb from #show aaa authentication-server radius statistics. Checking on my NPS server, I get the exact same type of error you see.
I suspect this user tried to set up her iPad on the wireless network - she input her domain credentials then it is my theory that she did not click the ACCEPT button my my self-signed certificate. So the iPad is throwing the saved credentials at my RADIUS server but it's not trusting the certificate I'm using with RADIUS.
My response to Aruba support was the exact question you posed - why isn't NPS reporting back to the controller with a failure? I understand that the user *does* in fact meet the conditions I specified in my policy...but doesn't the RADIUS standard say that it should answer back with something??