RADIUS Client Access-Request / Accept

  • 1.  RADIUS Client Access-Request / Accept

    Posted Jun 02, 2016 08:44 PM

    Just switched from IAS to NPS for RADIUS. RADIUS log file sizes for the same period have grown by a factor of 4 to 5. I changed the log format from DTS to IAS and this helped just a little. I looked at the logs and see that for each authentication, most clients are sending a burst of 6 to 8 access-requests per second, with each request immediately followed by an access-accept. Timers are at the default. Why would the clients be sending so many requests for each authentication, all in the same second?

     

     



  • 2.  RE: RADIUS Client Access-Request / Accept

    EMPLOYEE
    Posted Jun 02, 2016 09:45 PM

    Why would the change from IAS to NPS cause a change in client behavior?  Is it possible it has always been happening?



  • 5.  RE: RADIUS Client Access-Request / Accept

    Posted Jun 03, 2016 02:45 PM

    Colin,

    Sorry, I didn't mean to imply that the change from IAS to NPS caused the change in client behavior. It was likely there before. I am trying to figure out why my logs have grown by a 4x / 5x factor. Each log will likely now be 30 to 50 GB per server, per month. However, what I am trying to confirm is that I don't have a configuration problem that would cause the client, each time they authenticate,  to send 6 to 8 Access-Request packets in a single second. If it's not a configuration problem, is there anything I can do about it?

    Thanks,

    Brad

     



  • 6.  RE: RADIUS Client Access-Request / Accept

    MVP
    Posted Jun 03, 2016 02:48 PM

    I do not know whether Microsoft has a solution, but Aruba's supported solution would likely be to move to ClearPass Policy Manager.

     

    :D 



  • 7.  RE: RADIUS Client Access-Request / Accept

    EMPLOYEE
    Posted Jun 03, 2016 03:32 PM

    @Brad wrote:

    Colin,

    Sorry, I didn't mean to imply that the change from IAS to NPS caused the change in client behavior. It was likely there before. I am trying to figure out why my logs have grown by a 4x / 5x factor. Each log will likely now be 30 to 50 GB per server, per month. However, what I am trying to confirm is that I don't have a configuration problem that would cause the client, each time they authenticate,  to send 6 to 8 Access-Request packets in a single second. If it's not a configuration problem, is there anything I can do about it?

    Thanks,

    Brad

     


    Brad, no apology required.

     

    To get to the bottom of things:

     

    - Can we zero in on a specific type of client, or does it happen with all of them?

    - Does it happen all the time?

    - Are you having any connectivity issues with your client(s) at this time, or are the growing logs your only issue?

     

    Multiple RADIUS requests sometimes point to uncompleted RADIUS transactions, due to congestion...maybe...

     



  • 8.  RE: RADIUS Client Access-Request / Accept

    Posted Jun 03, 2016 03:37 PM

    Disclaimer: I'm definitely not a RADIUS expert, and what limited experience I have is with EAP-TTLS on FreeRADIUS.

     

    Multiple access-requests as part of a single authentication are common.  They are known as EAP fragments.  The number of fragments will depend primarily on your EAP type and the nature of your certificate chain, but we require 8 for every auth.  What strikes me as unusual is that each one is followed by an access-accept.  I'm accustomed to seeing each fragment followed by another access-challenge, with only the last fragment soliciting an accept or reject message.

     

    Could what you're observing be EAP fragmentation?  If so, the server responding with an accept message instead of a challenge would explain why your log volume increased substantially.  Under normal logging, challenges would not be logged.  Accepts would almost always be logged.

     

    Chuck Enfield

    Penn State
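
One way to check the question raised in this thread against the log itself, as an added example that is not part of any post above: group IAS-format records by client and second, then see whether each burst looks like challenge rounds ending in a single accept or like an accept after every request. The field layout, the use of attribute 4136 for Packet-Type, and the names `summarize`, `classify` and `report` are assumptions of this sketch, and the sample lines are constructed.

```python
import csv
from collections import Counter, defaultdict

# Assumption: NPS "IAS format" lines are six header fields (NAS-IP-Address,
# User-Name, Record-Date, Record-Time, Service-Name, Computer-Name) followed
# by attribute-ID,value pairs, with attribute 4136 carrying the Packet-Type.
PACKET_TYPE_ATTR = "4136"
PACKET_TYPES = {"1": "request", "2": "accept", "3": "reject", "11": "challenge"}

# Constructed sample log (not from the thread): "alice" shows challenge
# rounds ending in one accept, "bob" shows an accept after every request.
SAMPLE_LOG = """\
10.0.0.5,alice,06/02/2016,08:44:01,IAS,NPS01,4,10.0.0.5,4136,1
10.0.0.5,alice,06/02/2016,08:44:01,IAS,NPS01,4,10.0.0.5,4136,11
10.0.0.5,alice,06/02/2016,08:44:01,IAS,NPS01,4,10.0.0.5,4136,1
10.0.0.5,alice,06/02/2016,08:44:01,IAS,NPS01,4,10.0.0.5,4136,11
10.0.0.5,alice,06/02/2016,08:44:01,IAS,NPS01,4,10.0.0.5,4136,1
10.0.0.5,alice,06/02/2016,08:44:01,IAS,NPS01,4,10.0.0.5,4136,2
10.0.0.5,bob,06/02/2016,08:44:02,IAS,NPS01,4,10.0.0.5,4136,1
10.0.0.5,bob,06/02/2016,08:44:02,IAS,NPS01,4,10.0.0.5,4136,2
10.0.0.5,bob,06/02/2016,08:44:02,IAS,NPS01,4,10.0.0.5,4136,1
10.0.0.5,bob,06/02/2016,08:44:02,IAS,NPS01,4,10.0.0.5,4136,2
"""

def summarize(log_text):
    """Count packet types per (NAS, user, date, time-to-the-second) bucket."""
    buckets = defaultdict(Counter)
    for fields in csv.reader(log_text.splitlines()):
        if len(fields) < 8:
            continue  # blank or truncated line
        pairs = fields[6:]
        attrs = dict(zip(pairs[0::2], pairs[1::2]))
        kind = PACKET_TYPES.get(attrs.get(PACKET_TYPE_ATTR))
        if kind:
            buckets[tuple(fields[:4])][kind] += 1
    return buckets

def classify(c):
    """Label one bucket: challenge rounds, an accept per request, or other."""
    final = c["accept"] + c["reject"]
    if c["request"] > 1 and c["challenge"] == c["request"] - 1 and final == 1:
        return "eap-rounds"
    if c["request"] > 1 and c["accept"] == c["request"]:
        return "accept-per-request"
    return "other"

def report(log_text):
    return {key: classify(c) for key, c in summarize(log_text).items()}
```

If the server is not logging Access-Challenge records at all, multi-round exchanges land in "other" rather than "eap-rounds", so a log dominated by "accept-per-request" buckets is the pattern worth investigating.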